[PATCH] bridge: fix bridge netlink RCU usage

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] bridge: fix bridge netlink RCU usage
@ 2015-03-03 13:29 Johannes Berg
  2015-03-03 13:33 ` Johannes Berg
  2015-03-03 13:40 ` Eric Dumazet
  0 siblings, 2 replies; 4+ messages in thread
From: Johannes Berg @ 2015-03-03 13:29 UTC (permalink / raw)
  To: netdev; +Cc: Roopa Prabhu, Stephen Hemminger, Johannes Berg

From: Johannes Berg <johannes.berg@intel.com>

When the STP timer fires, it can call br_ifinfo_notify(),
which in turn ends up in the new br_get_link_af_size().
This function is annotated to be using RTNL locking, which
clearly isn't the case here, and thus lockdep warns:

  ===============================
  [ INFO: suspicious RCU usage. ]
  3.19.0+ #569 Not tainted
  -------------------------------
  net/bridge/br_private.h:204 suspicious rcu_dereference_protected() usage!

Fix this by doing RCU locking here.

Fixes: b7853d73e39b ("bridge: add vlan info to bridge setlink and dellink notification messages")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/bridge/br_netlink.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 17e0177467f5..c63ac0d13add 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -26,12 +26,15 @@ static size_t br_get_link_af_size(const struct net_device *dev)
 {
 	struct net_port_vlans *pv;
 
-	if (br_port_exists(dev))
-		pv = nbp_get_vlan_info(br_port_get_rtnl(dev));
-	else if (dev->priv_flags & IFF_EBRIDGE)
+	if (br_port_exists(dev)) {
+		rcu_read_lock();
+		pv = nbp_get_vlan_info(br_port_get_rcu(dev));
+		rcu_read_unlock();
+	} else if (dev->priv_flags & IFF_EBRIDGE) {
 		pv = br_get_vlan_info((struct net_bridge *)netdev_priv(dev));
-	else
+	} else {
 		return 0;
+	}
 
 	if (!pv)
 		return 0;
-- 
2.1.4

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] bridge: fix bridge netlink RCU usage
  2015-03-03 13:29 [PATCH] bridge: fix bridge netlink RCU usage Johannes Berg
@ 2015-03-03 13:33 ` Johannes Berg
  2015-03-03 13:40 ` Eric Dumazet
  1 sibling, 0 replies; 4+ messages in thread
From: Johannes Berg @ 2015-03-03 13:33 UTC (permalink / raw)
  To: netdev@vger.kernel.org; +Cc: Roopa Prabhu, Stephen Hemminger

On Tue, 2015-03-03 at 13:29 +0000, Johannes Berg wrote:

> @@ -26,12 +26,15 @@ static size_t br_get_link_af_size(const struct net_device *dev)
>  {
>         struct net_port_vlans *pv;
> 
> -       if (br_port_exists(dev))
> -               pv = nbp_get_vlan_info(br_port_get_rtnl(dev));
> -       else if (dev->priv_flags & IFF_EBRIDGE)
> +       if (br_port_exists(dev)) {
> +               rcu_read_lock();
> +               pv = nbp_get_vlan_info(br_port_get_rcu(dev));
> +               rcu_read_unlock();

Note that I'm not entirely sure about the locking for "pv" here. In this
patch I'm basically assuming that nbp_get_vlan_info() is safe in any
context, which actually seems rather unlikely.

This clearly gets rid of the lockdep complaint for me, but I'm not sure
it's actually safe.

johannes

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] bridge: fix bridge netlink RCU usage
  2015-03-03 13:29 [PATCH] bridge: fix bridge netlink RCU usage Johannes Berg
  2015-03-03 13:33 ` Johannes Berg
@ 2015-03-03 13:40 ` Eric Dumazet
  2015-03-03 13:43   ` Johannes Berg
  1 sibling, 1 reply; 4+ messages in thread
From: Eric Dumazet @ 2015-03-03 13:40 UTC (permalink / raw)
  To: Johannes Berg; +Cc: netdev, Roopa Prabhu, Stephen Hemminger, Johannes Berg

On Tue, 2015-03-03 at 14:29 +0100, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
> 
> When the STP timer fires, it can call br_ifinfo_notify(),
> which in turn ends up in the new br_get_link_af_size().
> This function is annotated to be using RTNL locking, which
> clearly isn't the case here, and thus lockdep warns:
> 
>   ===============================
>   [ INFO: suspicious RCU usage. ]
>   3.19.0+ #569 Not tainted
>   -------------------------------
>   net/bridge/br_private.h:204 suspicious rcu_dereference_protected() usage!
> 
> Fix this by doing RCU locking here.
> 
> Fixes: b7853d73e39b ("bridge: add vlan info to bridge setlink and dellink notification messages")
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
>  net/bridge/br_netlink.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
> index 17e0177467f5..c63ac0d13add 100644
> --- a/net/bridge/br_netlink.c
> +++ b/net/bridge/br_netlink.c
> @@ -26,12 +26,15 @@ static size_t br_get_link_af_size(const struct net_device *dev)
>  {
>  	struct net_port_vlans *pv;
>  
> -	if (br_port_exists(dev))
> -		pv = nbp_get_vlan_info(br_port_get_rtnl(dev));
> -	else if (dev->priv_flags & IFF_EBRIDGE)
> +	if (br_port_exists(dev)) {
> +		rcu_read_lock();
> +		pv = nbp_get_vlan_info(br_port_get_rcu(dev));
> +		rcu_read_unlock();

right after this rcu_read_unlock(), you no longer are allowed to deref
pv


> +	} else if (dev->priv_flags & IFF_EBRIDGE) {
>  		pv = br_get_vlan_info((struct net_bridge *)netdev_priv(dev));
> -	else
> +	} else {
>  		return 0;
> +	}
>  
>  	if (!pv)
>  		return 0;

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] bridge: fix bridge netlink RCU usage
  2015-03-03 13:40 ` Eric Dumazet
@ 2015-03-03 13:43   ` Johannes Berg
  0 siblings, 0 replies; 4+ messages in thread
From: Johannes Berg @ 2015-03-03 13:43 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: netdev, Roopa Prabhu, Stephen Hemminger

On Tue, 2015-03-03 at 05:40 -0800, Eric Dumazet wrote:
> On Tue, 2015-03-03 at 14:29 +0100, Johannes Berg wrote:
> > From: Johannes Berg <johannes.berg@intel.com>
> > 
> > When the STP timer fires, it can call br_ifinfo_notify(),
> > which in turn ends up in the new br_get_link_af_size().
> > This function is annotated to be using RTNL locking, which
> > clearly isn't the case here, and thus lockdep warns:
> > 
> >   ===============================
> >   [ INFO: suspicious RCU usage. ]
> >   3.19.0+ #569 Not tainted
> >   -------------------------------
> >   net/bridge/br_private.h:204 suspicious rcu_dereference_protected() usage!
> > 
> > Fix this by doing RCU locking here.
> > 
> > Fixes: b7853d73e39b ("bridge: add vlan info to bridge setlink and dellink notification messages")
> > Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> > ---
> >  net/bridge/br_netlink.c | 11 +++++++----
> >  1 file changed, 7 insertions(+), 4 deletions(-)
> > 
> > diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
> > index 17e0177467f5..c63ac0d13add 100644
> > --- a/net/bridge/br_netlink.c
> > +++ b/net/bridge/br_netlink.c
> > @@ -26,12 +26,15 @@ static size_t br_get_link_af_size(const struct net_device *dev)
> >  {
> >  	struct net_port_vlans *pv;
> >  
> > -	if (br_port_exists(dev))
> > -		pv = nbp_get_vlan_info(br_port_get_rtnl(dev));
> > -	else if (dev->priv_flags & IFF_EBRIDGE)
> > +	if (br_port_exists(dev)) {
> > +		rcu_read_lock();
> > +		pv = nbp_get_vlan_info(br_port_get_rcu(dev));
> > +		rcu_read_unlock();
> 
> right after this rcu_read_unlock(), you no longer are allowed to deref
> pv

Right, that's what I feared, hence my other email :)

But if I reorder it to later it would be OK?

johannes

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-03-03 13:43 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-03-03 13:29 [PATCH] bridge: fix bridge netlink RCU usage Johannes Berg
2015-03-03 13:33 ` Johannes Berg
2015-03-03 13:40 ` Eric Dumazet
2015-03-03 13:43   ` Johannes Berg

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).