[PATCHv2 net] bonding: fix missed rcu protection

[PATCHv2 net] bonding: fix missed rcu protection

[Hangbin Liu]

When removing the rcu_read_lock in bond_ethtool_get_ts_info() as
discussed [1], I didn't notice it could be called via setsockopt,
which doesn't hold rcu lock, as syzbot pointed:

  Call Trace:
   <TASK>
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
   bond_option_active_slave_get_rcu include/net/bonding.h:353 [inline]
   bond_ethtool_get_ts_info+0x32c/0x3a0 drivers/net/bonding/bond_main.c:5595
   __ethtool_get_ts_info+0x173/0x240 net/ethtool/common.c:554
   ethtool_get_phc_vclocks+0x99/0x110 net/ethtool/common.c:568
   sock_timestamping_bind_phc net/core/sock.c:869 [inline]
   sock_set_timestamping+0x3a3/0x7e0 net/core/sock.c:916
   sock_setsockopt+0x543/0x2ec0 net/core/sock.c:1221
   __sys_setsockopt+0x55e/0x6a0 net/socket.c:2223
   __do_sys_setsockopt net/socket.c:2238 [inline]
   __se_sys_setsockopt net/socket.c:2235 [inline]
   __x64_sys_setsockopt+0xba/0x150 net/socket.c:2235
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  RIP: 0033:0x7f8902c8eb39

Fix it by adding rcu_read_lock and take a ref on the real_dev.

[1] https://lore.kernel.org/netdev/27565.1642742439@famine/

Reported-by: syzbot+92beb3d46aab498710fa@syzkaller.appspotmail.com
Fixes: aa6034678e87 ("bonding: use rcu_dereference_rtnl when get bonding active slave")
Suggested-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>

---
v2: add ref on the real_dev as Jakub and Paolo suggested.
---
 drivers/net/bonding/bond_main.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 38e152548126..fcaa5ccea7af 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -5591,24 +5591,35 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev,
 	const struct ethtool_ops *ops;
 	struct net_device *real_dev;
 	struct phy_device *phydev;
+	int ret = 0;
 
+	rcu_read_lock();
 	real_dev = bond_option_active_slave_get_rcu(bond);
 	if (real_dev) {
+		dev_hold(real_dev);
+		rcu_read_unlock();
 		ops = real_dev->ethtool_ops;
 		phydev = real_dev->phydev;
 
 		if (phy_has_tsinfo(phydev)) {
-			return phy_ts_info(phydev, info);
+			ret = phy_ts_info(phydev, info);
+			goto out;
 		} else if (ops->get_ts_info) {
-			return ops->get_ts_info(real_dev, info);
+			ret = ops->get_ts_info(real_dev, info);
+			goto out;
 		}
+	} else {
+		rcu_read_unlock();
 	}
 
 	info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
 				SOF_TIMESTAMPING_SOFTWARE;
 	info->phc_index = -1;
 
-	return 0;
+out:
+	if (real_dev)
+		dev_put(real_dev);
+	return ret;
 }
 
 static const struct ethtool_ops bond_ethtool_ops = {
-- 
2.35.1

Re: [PATCHv2 net] bonding: fix missed rcu protection

[Jonathan Toppins]

Signed-off-by: Jonathan Toppins <jtoppins@redhat.com>
---
RESEND, list still didn't receive my last version

The diffstat is slightly larger but IMO a slightly more readable version.
When I was reading v2 I found myself jumping around.
I only compile tested it, so YMMV.

If this amount of change is too much v2 from Hangbin looks correct to
me.

 drivers/net/bonding/bond_main.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 38e152548126..f9d27b63c454 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -5591,23 +5591,32 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev,
 	const struct ethtool_ops *ops;
 	struct net_device *real_dev;
 	struct phy_device *phydev;
+	int ret = 0;
 
+	rcu_read_lock();
 	real_dev = bond_option_active_slave_get_rcu(bond);
-	if (real_dev) {
-		ops = real_dev->ethtool_ops;
-		phydev = real_dev->phydev;
-
-		if (phy_has_tsinfo(phydev)) {
-			return phy_ts_info(phydev, info);
-		} else if (ops->get_ts_info) {
-			return ops->get_ts_info(real_dev, info);
-		}
-	}
+	if (real_dev)
+		dev_hold(real_dev);
+	rcu_read_unlock();
+
+	if (!real_dev)
+		goto software;
 
+	ops = real_dev->ethtool_ops;
+	phydev = real_dev->phydev;
+
+	if (phy_has_tsinfo(phydev))
+		ret = phy_ts_info(phydev, info);
+	else if (ops->get_ts_info)
+		ret = ops->get_ts_info(real_dev, info);
+
+	dev_put(real_dev);
+	return ret;
+
+software:
 	info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
 				SOF_TIMESTAMPING_SOFTWARE;
 	info->phc_index = -1;
-
 	return 0;
 }
 
-- 
2.27.0

Re: [PATCHv2 net] bonding: fix missed rcu protection

[Hangbin Liu]

On Tue, May 17, 2022 at 01:32:58PM -0400, Jonathan Toppins wrote:
> Signed-off-by: Jonathan Toppins <jtoppins@redhat.com>
> ---
> RESEND, list still didn't receive my last version
> 
> The diffstat is slightly larger but IMO a slightly more readable version.
> When I was reading v2 I found myself jumping around.

Hi Jon,

Thanks for the commit. But..

> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index 38e152548126..f9d27b63c454 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -5591,23 +5591,32 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev,
>  	const struct ethtool_ops *ops;
>  	struct net_device *real_dev;
>  	struct phy_device *phydev;
> +	int ret = 0;
>  
> +	rcu_read_lock();
>  	real_dev = bond_option_active_slave_get_rcu(bond);
> -	if (real_dev) {
> -		ops = real_dev->ethtool_ops;
> -		phydev = real_dev->phydev;
> -
> -		if (phy_has_tsinfo(phydev)) {
> -			return phy_ts_info(phydev, info);
> -		} else if (ops->get_ts_info) {
> -			return ops->get_ts_info(real_dev, info);
> -		}
> -	}
> +	if (real_dev)
> +		dev_hold(real_dev);
> +	rcu_read_unlock();
> +
> +	if (!real_dev)
> +		goto software;
>  
> +	ops = real_dev->ethtool_ops;
> +	phydev = real_dev->phydev;
> +
> +	if (phy_has_tsinfo(phydev))
> +		ret = phy_ts_info(phydev, info);
> +	else if (ops->get_ts_info)
> +		ret = ops->get_ts_info(real_dev, info);
	else {
		dev_put(real_dev);
		goto software;
	}

Here we need another check and goto software if !phy_has_tsinfo() and
no ops->get_ts_info. With this change we also have 2 goto and dev_put().

> +
> +	dev_put(real_dev);
> +	return ret;
> +
> +software:
>  	info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
>  				SOF_TIMESTAMPING_SOFTWARE;
>  	info->phc_index = -1;
> -
>  	return 0;
>  }

As Jakub remind, dev_hold() and dev_put() can take NULL now. So how about
this new patch:

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 38e152548126..b5c5196e03ee 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -5591,16 +5591,23 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev,
 	const struct ethtool_ops *ops;
 	struct net_device *real_dev;
 	struct phy_device *phydev;
+	int ret = 0;
 
+	rcu_read_lock();
 	real_dev = bond_option_active_slave_get_rcu(bond);
+	dev_hold(real_dev);
+	rcu_read_unlock();
+
 	if (real_dev) {
 		ops = real_dev->ethtool_ops;
 		phydev = real_dev->phydev;
 
 		if (phy_has_tsinfo(phydev)) {
-			return phy_ts_info(phydev, info);
+			ret = phy_ts_info(phydev, info);
+			goto out;
 		} else if (ops->get_ts_info) {
-			return ops->get_ts_info(real_dev, info);
+			ret = ops->get_ts_info(real_dev, info);
+			goto out;
 		}
 	}
 
@@ -5608,7 +5615,9 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev,
 				SOF_TIMESTAMPING_SOFTWARE;
 	info->phc_index = -1;
 
-	return 0;
+out:
+	dev_put(real_dev);
+	return ret;
 }

Thanks
Hangbin

Re: [PATCHv2 net] bonding: fix missed rcu protection

[Jonathan Toppins]

On 5/17/22 22:18, Hangbin Liu wrote:
> On Tue, May 17, 2022 at 01:32:58PM -0400, Jonathan Toppins wrote:
>> Signed-off-by: Jonathan Toppins <jtoppins@redhat.com>
>> ---
>> RESEND, list still didn't receive my last version
>>
>> The diffstat is slightly larger but IMO a slightly more readable version.
>> When I was reading v2 I found myself jumping around.
> 
> Hi Jon,
> 
> Thanks for the commit. But..
> 
>> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
>> index 38e152548126..f9d27b63c454 100644
>> --- a/drivers/net/bonding/bond_main.c
>> +++ b/drivers/net/bonding/bond_main.c
>> @@ -5591,23 +5591,32 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev,
>>   	const struct ethtool_ops *ops;
>>   	struct net_device *real_dev;
>>   	struct phy_device *phydev;
>> +	int ret = 0;
>>   
>> +	rcu_read_lock();
>>   	real_dev = bond_option_active_slave_get_rcu(bond);
>> -	if (real_dev) {
>> -		ops = real_dev->ethtool_ops;
>> -		phydev = real_dev->phydev;
>> -
>> -		if (phy_has_tsinfo(phydev)) {
>> -			return phy_ts_info(phydev, info);
>> -		} else if (ops->get_ts_info) {
>> -			return ops->get_ts_info(real_dev, info);
>> -		}
>> -	}
>> +	if (real_dev)
>> +		dev_hold(real_dev);
>> +	rcu_read_unlock();
>> +
>> +	if (!real_dev)
>> +		goto software;
>>   
>> +	ops = real_dev->ethtool_ops;
>> +	phydev = real_dev->phydev;
>> +
>> +	if (phy_has_tsinfo(phydev))
>> +		ret = phy_ts_info(phydev, info);
>> +	else if (ops->get_ts_info)
>> +		ret = ops->get_ts_info(real_dev, info);
> 	else {
> 		dev_put(real_dev);
> 		goto software;
> 	}
> 
> Here we need another check and goto software if !phy_has_tsinfo() and
> no ops->get_ts_info. With this change we also have 2 goto and dev_put().

Ah yes. I cannot think of a way to make this simpler. The patch below 
looks good.

> 
>> +
>> +	dev_put(real_dev);
>> +	return ret;
>> +
>> +software:
>>   	info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
>>   				SOF_TIMESTAMPING_SOFTWARE;
>>   	info->phc_index = -1;
>> -
>>   	return 0;
>>   }
> 
> As Jakub remind, dev_hold() and dev_put() can take NULL now. So how about
> this new patch:
> 
> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index 38e152548126..b5c5196e03ee 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -5591,16 +5591,23 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev,
>   	const struct ethtool_ops *ops;
>   	struct net_device *real_dev;
>   	struct phy_device *phydev;
> +	int ret = 0;
>   
> +	rcu_read_lock();
>   	real_dev = bond_option_active_slave_get_rcu(bond);
> +	dev_hold(real_dev);
> +	rcu_read_unlock();
> +
>   	if (real_dev) {
>   		ops = real_dev->ethtool_ops;
>   		phydev = real_dev->phydev;
>   
>   		if (phy_has_tsinfo(phydev)) {
> -			return phy_ts_info(phydev, info);
> +			ret = phy_ts_info(phydev, info);
> +			goto out;
>   		} else if (ops->get_ts_info) {
> -			return ops->get_ts_info(real_dev, info);
> +			ret = ops->get_ts_info(real_dev, info);
> +			goto out;
>   		}
>   	}
>   
> @@ -5608,7 +5615,9 @@ static int bond_ethtool_get_ts_info(struct net_device *bond_dev,
>   				SOF_TIMESTAMPING_SOFTWARE;
>   	info->phc_index = -1;
>   
> -	return 0;
> +out:
> +	dev_put(real_dev);
> +	return ret;
>   }
> 
> Thanks
> Hangbin
> 

Re: [PATCHv2 net] bonding: fix missed rcu protection

[Vladimir Oltean]

On Tue, May 17, 2022 at 01:32:58PM -0400, Jonathan Toppins wrote:
> Signed-off-by: Jonathan Toppins <jtoppins@redhat.com>
> ---
> RESEND, list still didn't receive my last version
> 
> The diffstat is slightly larger but IMO a slightly more readable version.
> When I was reading v2 I found myself jumping around.
> I only compile tested it, so YMMV.
> 
> If this amount of change is too much v2 from Hangbin looks correct to
> me.

Seems to be too big of a change for what the issue is, yes, sorry.

Re: [PATCHv2 net] bonding: fix missed rcu protection

[Jakub Kicinski]

On Tue, 17 May 2022 16:23:12 +0800 Hangbin Liu wrote:
> +	rcu_read_lock();
>  	real_dev = bond_option_active_slave_get_rcu(bond);
>  	if (real_dev) {
> +		dev_hold(real_dev);
> +		rcu_read_unlock();
>  		ops = real_dev->ethtool_ops;
>  		phydev = real_dev->phydev;
>  
>  		if (phy_has_tsinfo(phydev)) {
> -			return phy_ts_info(phydev, info);
> +			ret = phy_ts_info(phydev, info);
> +			goto out;
>  		} else if (ops->get_ts_info) {
> -			return ops->get_ts_info(real_dev, info);
> +			ret = ops->get_ts_info(real_dev, info);
> +			goto out;
>  		}
> +	} else {
> +		rcu_read_unlock();
>  	}
>  
>  	info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
>  				SOF_TIMESTAMPING_SOFTWARE;
>  	info->phc_index = -1;
>  
> -	return 0;
> +out:
> +	if (real_dev)
> +		dev_put(real_dev);

dev_hold() and dev_put() can take NULL these days, for better or worse.
I think the code simplification is worth making use of that, even tho
it will make the backport slightly more tricky (perhaps make a not of
this in the commit message).

Re: [PATCHv2 net] bonding: fix missed rcu protection

[Stephen Hemminger]

On Tue, 17 May 2022 10:54:45 -0700
Jakub Kicinski <kuba@kernel.org> wrote:

> dev_hold() and dev_put() can take NULL these days, for better or worse.
> I think the code simplification is worth making use of that, even tho
> it will make the backport slightly more tricky (perhaps make a not of
> this in the commit message).

Since that is so, would be worth having coccinelle script to cleanup
existing code.

See scripts/coccinelle/ifnullfree.cocci for similar example.