From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Leon Romanovsky <leonro@nvidia.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.4 65/71] net: sched: Fix suspicious RCU usage while accessing tcf_tunnel_info
Date: Mon, 20 Dec 2021 15:34:54 +0100 [thread overview]
Message-ID: <20211220143027.866362426@linuxfoundation.org> (raw)
In-Reply-To: <20211220143025.683747691@linuxfoundation.org>
From: Leon Romanovsky <leonro@nvidia.com>
commit d086a1c65aabb5a4e1edc580ca583e2964c62b44 upstream.
The access of tcf_tunnel_info() produces the following splat, so fix it
by dereferencing the tcf_tunnel_key_params pointer with marker that
internal tcfa_liock is held.
=============================
WARNING: suspicious RCU usage
5.9.0+ #1 Not tainted
-----------------------------
include/net/tc_act/tc_tunnel_key.h:59 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by tc/34839:
#0: ffff88828572c2a0 (&p->tcfa_lock){+...}-{2:2}, at: tc_setup_flow_action+0xb3/0x48b5
stack backtrace:
CPU: 1 PID: 34839 Comm: tc Not tainted 5.9.0+ #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack+0x9a/0xd0
tc_setup_flow_action+0x14cb/0x48b5
fl_hw_replace_filter+0x347/0x690 [cls_flower]
fl_change+0x2bad/0x4875 [cls_flower]
tc_new_tfilter+0xf6f/0x1ba0
rtnetlink_rcv_msg+0x5f2/0x870
netlink_rcv_skb+0x124/0x350
netlink_unicast+0x433/0x700
netlink_sendmsg+0x6f1/0xbd0
sock_sendmsg+0xb0/0xe0
____sys_sendmsg+0x4fa/0x6d0
___sys_sendmsg+0x12e/0x1b0
__sys_sendmsg+0xa4/0x120
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f1f8cd4fe57
Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
RSP: 002b:00007ffdc1e193b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f8cd4fe57
RDX: 0000000000000000 RSI: 00007ffdc1e19420 RDI: 0000000000000003
RBP: 000000005f85aafa R08: 0000000000000001 R09: 00007ffdc1e1936c
R10: 000000000040522d R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 00007ffdc1e1d6f0 R15: 0000000000482420
Fixes: 3ebaf6da0716 ("net: sched: Do not assume RTNL is held in tunnel key action helpers")
Fixes: 7a47281439ba ("net: sched: lock action when translating it to flow_action infra")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/tc_act/tc_tunnel_key.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/include/net/tc_act/tc_tunnel_key.h
+++ b/include/net/tc_act/tc_tunnel_key.h
@@ -52,7 +52,10 @@ static inline struct ip_tunnel_info *tcf
{
#ifdef CONFIG_NET_CLS_ACT
struct tcf_tunnel_key *t = to_tunnel_key(a);
- struct tcf_tunnel_key_params *params = rtnl_dereference(t->params);
+ struct tcf_tunnel_key_params *params;
+
+ params = rcu_dereference_protected(t->params,
+ lockdep_is_held(&a->tcfa_lock));
return ¶ms->tcft_enc_metadata->u.tun_info;
#else
next prev parent reply other threads:[~2021-12-20 14:48 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-20 14:33 [PATCH 5.4 00/71] 5.4.168-rc1 review Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 01/71] KVM: selftests: Make sure kvm_create_max_vcpus test wont hit RLIMIT_NOFILE Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 02/71] mac80211: mark TX-during-stop for TX in in_reconfig Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 03/71] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 04/71] firmware: arm_scpi: Fix string overflow in SCPI genpd driver Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 05/71] virtio_ring: Fix querying of maximum DMA mapping size for virtio device Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 06/71] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 07/71] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 08/71] audit: improve robustness of the audit queue handling Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 09/71] iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda Greg Kroah-Hartman
2021-12-20 14:33 ` [PATCH 5.4 10/71] nfsd: fix use-after-free due to delegation race Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 11/71] arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 12/71] arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 13/71] arm64: dts: rockchip: fix audio-supply for Rock Pi 4 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 14/71] mac80211: track only QoS data frames for admission control Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 15/71] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 16/71] ARM: socfpga: dts: fix qspi node compatible Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 17/71] clk: Dont parent clks until the parent is fully registered Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 18/71] selftests: net: Correct ping6 expected rc from 2 to 1 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 19/71] s390/kexec_file: fix error handling when applying relocations Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 20/71] sch_cake: do not call cake_destroy() from cake_init() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 21/71] inet_diag: use jiffies_delta_to_msecs() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 22/71] inet_diag: fix kernel-infoleak for UDP sockets Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 23/71] selftests: Fix raw socket bind tests with VRF Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 24/71] selftests: Fix IPv6 address bind tests Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 25/71] dmaengine: st_fdma: fix MODULE_ALIAS Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 26/71] selftest/net/forwarding: declare NETIFS p9 p10 Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 27/71] mac80211: agg-tx: refactor sending addba Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 28/71] mac80211: agg-tx: dont schedule_and_wake_txq() under sta->lock Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 29/71] mac80211: accept aggregation sessions on 6 GHz Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 30/71] mac80211: fix lookup when adding AddBA extension element Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 31/71] net: sched: lock action when translating it to flow_action infra Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 32/71] flow_offload: return EOPNOTSUPP for the unsupported mpls action type Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 33/71] rds: memory leak in __rds_conn_create() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 34/71] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 35/71] igb: Fix removal of unicast MAC filters of VFs Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 36/71] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 37/71] ixgbe: set X550 MDIO speed before talking to PHY Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 38/71] netdevsim: Zero-initialize memory for new maps value in function nsim_bpf_map_alloc Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 39/71] net/packet: rx_owner_map depends on pg_vec Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 40/71] net: Fix double 0x prefix print in SKB dump Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 41/71] net/smc: Prevent smc_release() from long blocking Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 42/71] net: systemport: Add global locking for descriptor lifecycle Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 43/71] sit: do not call ipip6_dev_free() from sit_init_net() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 44/71] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 45/71] USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 46/71] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 47/71] PCI/MSI: Mask MSI-X vectors only on success Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 48/71] usb: xhci: Extend support for runtime power management for AMDs Yellow carp Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 49/71] USB: serial: cp210x: fix CP2105 GPIO registration Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 50/71] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 51/71] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 52/71] libata: if T_LENGTH is zero, dma direction should be DMA_NONE Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 53/71] drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 54/71] mac80211: validate extended element ID is present Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 55/71] mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 56/71] Input: touchscreen - avoid bitwise vs logical OR warning Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 57/71] ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 58/71] xsk: Do not sleep in poll() when need_wakeup set Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 59/71] media: mxl111sf: change mutex_init() location Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 60/71] fuse: annotate lock in fuse_reverse_inval_entry() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 61/71] ovl: fix warning in ovl_create_real() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 62/71] scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 63/71] rcu: Mark accesses to rcu_state.n_force_qs Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 64/71] mac80211: fix regression in SSN handling of addba tx Greg Kroah-Hartman
2021-12-20 14:34 ` Greg Kroah-Hartman [this message]
2021-12-20 14:34 ` [PATCH 5.4 66/71] Revert "xsk: Do not sleep in poll() when need_wakeup set" Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 67/71] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 68/71] xen/netfront: harden netfront " Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 69/71] xen/console: harden hvc_xen " Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.4 70/71] xen/netback: fix rx queue stall detection Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.4 71/71] xen/netback: dont queue unlimited number of packages Greg Kroah-Hartman
2021-12-20 18:25 ` [PATCH 5.4 00/71] 5.4.168-rc1 review Jon Hunter
2021-12-20 18:48 ` Florian Fainelli
2021-12-20 23:18 ` Shuah Khan
2021-12-21 1:33 ` Samuel Zou
2021-12-21 11:20 ` Sudip Mukherjee
2021-12-21 11:50 ` Naresh Kamboju
2021-12-21 23:13 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211220143027.866362426@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=leonro@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.