From: "Russell King (Oracle)" <linux@armlinux.org.uk>
To: Kory Maincent <kory.maincent@bootlin.com>
Cc: "Paul Barker" <paul.barker.ct@bp.renesas.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	"Claudiu Beznea" <claudiu.beznea.uj@bp.renesas.com>,
	thomas.petazzoni@bootlin.com, "Andrew Lunn" <andrew@lunn.ch>,
	"Heiner Kallweit" <hkallweit1@gmail.com>,
	"Eric Dumazet" <edumazet@google.com>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Niklas Söderlund" <niklas.soderlund@ragnatech.se>,
	"Sergey Shtylyov" <s.shtylyov@omp.ru>
Subject: Re: [PATCH net-next v3] net: phy: Fix suspicious rcu_dereference usage
Date: Thu, 23 Jan 2025 15:45:57 +0000
Message-ID: <Z5JkNZVhMNZkG7W6@shell.armlinux.org.uk>
In-Reply-To: <20250121171156.790df4ba@kmaincent-XPS-13-7390>

On Tue, Jan 21, 2025 at 05:11:56PM +0100, Kory Maincent wrote:
> On Tue, 21 Jan 2025 15:44:34 +0000
> Paul Barker <paul.barker.ct@bp.renesas.com> wrote:
> 
> > On 21/01/2025 13:01, Kory Maincent wrote:
> > > On Tue, 21 Jan 2025 11:34:48 +0000
> > > Paul Barker <paul.barker.ct@bp.renesas.com> wrote:
> > >   
> > >> On 21/01/2025 09:38, Kory Maincent wrote:  
> >  [...]  
> >  [...]  
> > >>  [...]    
> >  [...]  
> >  [...]  
> > >>
> > >> (Cc'ing Niklas and Sergey as this relates to the ravb driver)  
> > > 
> > > Yes, thanks.
> > >   
> > >> Why do we need to hold the rtnl mutex across the calls to
> > >> netif_device_detach() and ravb_wol_setup()?
> > >>
> > >> My reading of Documentation/networking/netdevices.rst is that the rtnl
> > >> mutex is held when the net subsystem calls the driver's ndo_stop method,
> > >> which in our case is ravb_close(). So, we should take the rtnl mutex
> > >> when we call ravb_close() directly, in both ravb_suspend() and
> > >> ravb_wol_restore(). That would ensure that we do not call
> > >> phy_disconnect() without holding the rtnl mutex and should fix this
> > >> issue.  
> > > 
> > > Not sure about it. For example ravb_ptp_stop() called in ravb_wol_setup()
> > > won't be protected by the rtnl lock.  
> > 
> > ravb_ptp_stop() modifies a couple of device registers and calls
> > ptp_clock_unregister(). I don't see anything to suggest that this
> > requires the rtnl lock to be held, unless I am missing something.
> 
> What happens if two ptp_clock_unregister() with the same ptp_clock pointer are 
> called simultaneously? From ravb_suspend and ravb_set_ringparam for example. It
> may cause some errors.
> For example the ptp->kworker pointer could be used after a kfree.
> https://elixir.bootlin.com/linux/v6.12.6/source/drivers/ptp/ptp_clock.c#L416

Taking a look at where ravb_ptp_stop() is called from:

1. ravb_set_ringparam(). ethtool operation. RTNL will be held for this.
2. ravb_open() error-cleanup. RTNL will be held for this.
3. ravb_tx_timeout_work(). rtnl_trylock() is called and we will only
   call through to the above function if we grabbed the RTNL.
4. ravb_close(), again RTNL will be held here.
5. ravb_wol_setup(). Another ethtool operation. (1) applies.

Hence, it is not possible for two threads to execute ravb_ptp_stop()
simultaneously. However, if ptp_clock_register() in ravb_ptp_init()
fails, then priv->ptp.clock will be set to an error-pointer, and
subsequently passed to ptp_clock_unregister() which would cause a
kernel oops. No one seems to have thought about that... and that
definitely needs fixing.

However, one wonders why it's necessary to unregister a _user_
_interface_ when responding to a change in WoL, ring parameters, or
merely handling a transmit timeout. It doesn't seem particularly
nice to userspace for a device that it's using to suddenly go away
for these reasons. I wonder whether anyone has tested anything
that uses the PTP clock interfaces while changing e.g. the WoL
settings.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
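
The error-pointer hazard raised in the message above, modelled in userspace C as an added example (not code from the ravb driver or from anyone in this thread). ERR_PTR()/PTR_ERR()/IS_ERR() are re-created locally, the `model_*` names are hypothetical stand-ins for ravb_ptp_init(), ravb_ptp_stop() and ptp_clock_register()/ptp_clock_unregister(), and the guard shown is one possible check, not a posted fix.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Local re-creation of the kernel's error-pointer helpers (linux/err.h). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct model_clock { int registered; };           /* stand-in for struct ptp_clock */
struct model_priv { struct model_clock *clock; }; /* stand-in for priv->ptp.clock */

/* Hypothetical stand-in for ptp_clock_register(): error pointer on failure. */
static struct model_clock *model_register(int fail)
{
    struct model_clock *c = fail ? NULL : calloc(1, sizeof(*c));
    if (!c)
        return ERR_PTR(-ENOMEM);
    c->registered = 1;
    return c;
}

/* Init path as the message describes it: the result is stored unchecked. */
static void model_init(struct model_priv *p, int fail) { p->clock = model_register(fail); }

/* An unguarded stop dereferences the stored pointer; 1 means that would fault. */
static int model_stop_would_oops(const struct model_priv *p) { return IS_ERR(p->clock); }

/* One possible guard (an assumption, not a posted fix): skip bad pointers. */
static int model_stop_checked(struct model_priv *priv)
{
    int valid = priv->clock && !IS_ERR(priv->clock);
    if (valid)
        free(priv->clock);  /* models ptp_clock_unregister() */
    priv->clock = NULL;     /* a repeated stop becomes a no-op */
    return valid;           /* 1 = unregistered, 0 = skipped */
}

int main(void)
{
    struct model_priv priv;
    model_init(&priv, 1);   /* constructed failure case */
    long err = PTR_ERR(priv.clock);
    int oops = model_stop_would_oops(&priv);
    printf("err=%ld would_oops=%d stopped=%d\n", err, oops, model_stop_checked(&priv));
    return 0;
}
```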
