From: Hangbin Liu <liuhangbin@gmail.com>
To: Simon Horman <horms@kernel.org>
Cc: netdev@vger.kernel.org, Jay Vosburgh <jv@jvosburgh.net>,
	Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Nikolay Aleksandrov <razor@blackwall.org>,
	Shuah Khan <shuah@kernel.org>, Tariq Toukan <tariqt@nvidia.com>,
	Jianbo Liu <jianbol@nvidia.com>, Jarod Wilson <jarod@redhat.com>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Cosmin Ratiu <cratiu@nvidia.com>, Petr Machata <petrm@nvidia.com>,
	linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCHv5 net 1/3] bonding: fix calling sleeping function in spin lock and some race conditions
Date: Mon, 10 Mar 2025 07:22:21 +0000
Message-ID: <Z86TLTMKNX0NVq2N@fedora>
In-Reply-To: <20250308085451.GL3666230@kernel.org>

On Sat, Mar 08, 2025 at 08:54:51AM +0000, Simon Horman wrote:
> On Fri, Mar 07, 2025 at 03:19:01AM +0000, Hangbin Liu wrote:
> 
> ...
> 
> > @@ -616,9 +615,22 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
> >  		return;
> >  
> >  	mutex_lock(&bond->ipsec_lock);
> > -	list_for_each_entry(ipsec, &bond->ipsec_list, list) {
> > -		if (!ipsec->xs->xso.real_dev)
> > +	list_for_each_entry_safe(ipsec, tmp_ipsec, &bond->ipsec_list, list) {
> > +		spin_lock_bh(&ipsec->xs->lock);
> > +		if (!ipsec->xs->xso.real_dev) {
> > +			spin_unlock_bh(&ipsec->xs->lock);
> >  			continue;
> > +		}
> > +
> > +		if (ipsec->xs->km.state == XFRM_STATE_DEAD) {
> > +			list_del(&ipsec->list);
> > +			kfree(ipsec);
> 
> Hi Hangbin,
> 
> Apologies if this was covered elsewhere, but ipsec is kfree'd here...

Oh.. I need to get the xs with xs = ipsec->xs, then hold the xs lock.

Thanks
Hangbin
> 
> 
> > +			/* Need to free device here, or the xs->xso.real_dev
> > +			 * may changed in bond_ipsec_add_sa_all and free
> > +			 * on old device will never be called.
> > +			 */
> > +			goto next;
> > +		}
> >  
> >  		if (!real_dev->xfrmdev_ops ||
> >  		    !real_dev->xfrmdev_ops->xdo_dev_state_delete ||
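
Review bot: In the XFRM_STATE_DEAD branch, kfree(ipsec) runs before "goto next", and the code at the next: label still reads ipsec->xs to clear xso.real_dev, to drop the spinlock and to call xdo_dev_state_free, so every one of those accesses is a use-after-free on that path. Take a local copy of ipsec->xs before list_del()/kfree() and use that local for the lock, the unlock and the callbacks, which also keeps the lock/unlock pair on the same pointer. The comment placed after kfree() should read "may be changed", and it would be clearer sitting above the list_del() it explains.
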
> > @@ -626,11 +638,20 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
> >  			slave_warn(bond_dev, real_dev,
> >  				   "%s: no slave xdo_dev_state_delete\n",
> >  				   __func__);
> > -		} else {
> > -			real_dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
> > -			if (real_dev->xfrmdev_ops->xdo_dev_state_free)
> > -				real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs);
> > +			spin_unlock_bh(&ipsec->xs->lock);
> > +			continue;
> >  		}
> > +
> > +		real_dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
> > +
> > +next:
> > +		/* set real_dev to NULL in case __xfrm_state_delete() is called in parallel */
> > +		ipsec->xs->xso.real_dev = NULL;
> 
> ... and then dereferenced here.
> 
> Flagged by Smatch.
> 
> > +
> > +		/* Unlock before freeing device state, it could sleep. */
> > +		spin_unlock_bh(&ipsec->xs->lock);
> > +		if (real_dev->xfrmdev_ops->xdo_dev_state_free)
> > +			real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs);
> >  	}
> >  	mutex_unlock(&bond->ipsec_lock);
> >  }
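
Review bot: The xdo_dev_state_free call after spin_unlock_bh() dereferences real_dev->xfrmdev_ops without a NULL check, and the "goto next" path from the XFRM_STATE_DEAD branch arrives here without having passed the "!real_dev->xfrmdev_ops" test, so on that path xfrmdev_ops is unchecked. Either guard the call with "real_dev->xfrmdev_ops &&" or move the ops check ahead of the DEAD-state branch. It is also worth a comment on why real_dev is still safe to use after xso.real_dev has been set to NULL and the xs lock released.
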
> 
> ...
