Re: [PATCH net] bonding: switch bond_miimon_inspect to rtnl lock

[Kuniyuki Iwashima <kuni1840@gmail.com>]

From: Stanislav Fomichev <stfomichev@gmail.com>
Date: Mon, 16 Jun 2025 10:22:13 -0700
> Syzkaller reports the following issue:
> 
>  RTNL: assertion failed at ./include/net/netdev_lock.h (72)
>  WARNING: CPU: 0 PID: 1141 at ./include/net/netdev_lock.h:72 netdev_ops_assert_locked include/net/netdev_lock.h:72 [inline]
>  WARNING: CPU: 0 PID: 1141 at ./include/net/netdev_lock.h:72 __linkwatch_sync_dev+0x1ed/0x230 net/core/link_watch.c:279
> 
>  ethtool_op_get_link+0x1d/0x70 net/ethtool/ioctl.c:63
>  bond_check_dev_link+0x3f9/0x710 drivers/net/bonding/bond_main.c:863
>  bond_miimon_inspect drivers/net/bonding/bond_main.c:2745 [inline]
>  bond_mii_monitor+0x3c0/0x2dc0 drivers/net/bonding/bond_main.c:2967
>  process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
>  process_scheduled_works kernel/workqueue.c:3321 [inline]
>  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
>  kthread+0x3c5/0x780 kernel/kthread.c:464
>  ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> 
> As discussed in [0], the report is a bit bogus, but it exposes
> the fact that bond_miimon_inspect might sleep while its being
> called under RCU read lock. Convert bond_miimon_inspect callers
> (bond_mii_monitor) to rtnl lock.
> 
> Reported-by: syzbot+b8c48ea38ca27d150063@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b8c48ea38ca27d150063
> Link: http://lore.kernel.org/netdev/aEt6LvBMwUMxmUyx@mini-arch [0]
> Fixes: f7a11cba0ed7 ("bonding: hold ops lock around get_link")
> Signed-off-by: Stanislav Fomichev <stfomichev@gmail.com>
> ---
>  drivers/net/bonding/bond_main.c | 34 +++++++++++++--------------------
>  1 file changed, 13 insertions(+), 21 deletions(-)
> 
> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index c4d53e8e7c15..ab40f0828680 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -2720,7 +2720,6 @@ static int bond_slave_info_query(struct net_device *bond_dev, struct ifslave *in
>  
>  /*-------------------------------- Monitoring -------------------------------*/
>  
> -/* called with rcu_read_lock() */
>  static int bond_miimon_inspect(struct bonding *bond)
>  {
>  	bool ignore_updelay = false;
> @@ -2729,17 +2728,17 @@ static int bond_miimon_inspect(struct bonding *bond)
>  	struct slave *slave;
>  
>  	if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP) {
> -		ignore_updelay = !rcu_dereference(bond->curr_active_slave);
> +		ignore_updelay = !rtnl_dereference(bond->curr_active_slave);
>  	} else {
>  		struct bond_up_slave *usable_slaves;
>  
> -		usable_slaves = rcu_dereference(bond->usable_slaves);
> +		usable_slaves = rtnl_dereference(bond->usable_slaves);
>  
>  		if (usable_slaves && usable_slaves->count == 0)
>  			ignore_updelay = true;
>  	}
>  
> -	bond_for_each_slave_rcu(bond, slave, iter) {
> +	bond_for_each_slave(bond, slave, iter) {
>  		bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
>  
>  		link_state = bond_check_dev_link(bond, slave->dev, 0);
> @@ -2962,35 +2961,28 @@ static void bond_mii_monitor(struct work_struct *work)
>  	if (!bond_has_slaves(bond))
>  		goto re_arm;
>  
> -	rcu_read_lock();
> +	/* Race avoidance with bond_close cancel of workqueue */
> +	if (!rtnl_trylock()) {
> +		delay = 1;
> +		should_notify_peers = false;

nit: we can remove this line.

Also, now call_netdevice_notifiers() can be moved up before rearm:.


> +		goto re_arm;
> +	}
> +
>  	should_notify_peers = bond_should_notify_peers(bond);
>  	commit = !!bond_miimon_inspect(bond);
>  	if (bond->send_peer_notif) {

nit: we don't need {} here.

Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>


> -		rcu_read_unlock();
> -		if (rtnl_trylock()) {
> -			bond->send_peer_notif--;
> -			rtnl_unlock();
> -		}
> -	} else {
> -		rcu_read_unlock();
> +		bond->send_peer_notif--;
>  	}