From: Jakub Kicinski <kuba@kernel.org>
To: edumazet@google.com
Cc: Jakub Kicinski <kuba@kernel.org>,
davem@davemloft.net, pabeni@redhat.com, horms@kernel.org,
netdev@vger.kernel.org, eric.dumazet@gmail.com, jv@jvosburgh.net,
andrew+netdev@lunn.ch
Subject: Re: [PATCH v3 net-next] bonding: no longer rely on RTNL in bond_fill_info()
Date: Fri, 12 Jun 2026 15:53:13 -0700
Message-ID: <20260612225313.2617858-1-kuba@kernel.org>
In-Reply-To: <20260610031946.466417-1-edumazet@google.com>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
bonding: no longer rely on RTNL in bond_fill_info()
This commit removes the RTNL lock dependency in bond_fill_info(), replacing
it with RCU protection and READ_ONCE()/WRITE_ONCE() annotations for reading
bond configuration fields.
> diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
> index 90365d3f7ebff..aa1725e6a3776 100644
> --- a/drivers/net/bonding/bond_netlink.c
> +++ b/drivers/net/bonding/bond_netlink.c
[ ... ]
> @@ -674,53 +674,58 @@ static size_t bond_get_size(const struct net_device *bond_dev)
[ ... ]
> static int bond_fill_info(struct sk_buff *skb,
> const struct net_device *bond_dev)
> {
> - struct bonding *bond = netdev_priv(bond_dev);
> - unsigned int packets_per_slave;
> - int ifindex, i, targets_added;
> + const struct bonding *bond = netdev_priv(bond_dev);
> + int i, targets_added, miimon, mode;
> + const struct slave *primary;
> struct nlattr *targets;
> - struct slave *primary;
>
> - if (nla_put_u8(skb, IFLA_BOND_MODE, BOND_MODE(bond)))
> + rcu_read_lock();
> + mode = READ_ONCE(bond->params.mode);
[ ... ]
> - if (BOND_MODE(bond) == BOND_MODE_8023AD) {
> + if (mode == BOND_MODE_8023AD) {
> struct ad_info info;
>
> if (capable(CAP_NET_ADMIN)) {
> if (nla_put_u16(skb, IFLA_BOND_AD_ACTOR_SYS_PRIO,
> - bond->params.ad_actor_sys_prio))
> + READ_ONCE(bond->params.ad_actor_sys_prio)))
> goto nla_put_failure;
>
> if (nla_put_u16(skb, IFLA_BOND_AD_USER_PORT_KEY,
> - bond->params.ad_user_port_key))
> + READ_ONCE(bond->params.ad_user_port_key)))
> goto nla_put_failure;
>
> + /* Small race here, this is a minor trade off. */
> if (nla_put(skb, IFLA_BOND_AD_ACTOR_SYSTEM,
> ETH_ALEN, &bond->params.ad_actor_system))
> goto nla_put_failure;
> }
> - if (!bond_3ad_get_active_agg_info(bond, &info)) {
> + if (!__bond_3ad_get_active_agg_info(bond, &info)) {
^^^^
[Severity: Critical]
Is it possible for a concurrent mode change to cause a NULL pointer
dereference here?
Since bond_fill_info() no longer holds the RTNL lock, another thread could
concurrently change the bonding mode from BOND_MODE_8023AD to
BOND_MODE_ACTIVEBACKUP and immediately enslave a new device.
During bond_alloc_slave(), if the new mode is ACTIVEBACKUP, slave->ad_info
is not allocated and remains NULL. The slave is then added to the
RCU-protected bond->slave_list.
Because bond_fill_info() cached the mode earlier as BOND_MODE_8023AD:
mode = READ_ONCE(bond->params.mode);
It will still enter this block and call __bond_3ad_get_active_agg_info().
That function iterates over the slave list and attempts to dereference the
newly added slave's ad_info without checking if it is NULL:
drivers/net/bonding/bond_3ad.c:__bond_3ad_get_active_agg_info() {
	...
	bond_for_each_slave_rcu(bond, slave, iter) {
		port = &(SLAVE_AD_INFO(slave)->port);
		tmp = rcu_dereference(port->aggregator);
		...
	}
Could this be addressed by adding a NULL check for SLAVE_AD_INFO(slave) in
__bond_3ad_get_active_agg_info(), or by re-evaluating the mode?
> struct nlattr *nest;
>
> nest = nla_nest_start_noflag(skb, IFLA_BOND_AD_INFO);
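Review bot: the comment "/* Small race here, this is a minor trade off. */" above the IFLA_BOND_AD_ACTOR_SYSTEM put should say what the race is and what is being traded off. ad_actor_system is an ETH_ALEN byte array, so unlike ad_actor_sys_prio and ad_user_port_key just above it cannot be wrapped in READ_ONCE(), and nla_put() copies it straight out of bond->params while the RTNL-side writer may be updating it; the consequence being accepted is that a dump can carry a torn address (some bytes old, some new) while the address is being changed. Stating that in the comment, for instance "ad_actor_system is 6 bytes and cannot be read atomically without RTNL; a concurrent change can yield a torn address in the dump, which we accept", keeps the next reader from having to rediscover why this field alone has no annotation.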
--
pw-bot: cr
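The race the review describes, as an added userspace model that is not part of the patch, the bonding driver or this thread. It keeps the shape of the kernel code (a mode snapshot, a writer that flips the mode and then enslaves, a slave walk that dereferences per-slave 802.3ad state) but every name in it (bond_model, slave_model, enslave(), fill_info_model(), scenario_result(), the writer hook) is an assumption made for illustration, and a NULL ad_info is reported as AGG_WOULD_OOPS rather than dereferenced. It compares the unguarded walk with the two fixes the review proposes, a per-slave NULL check and a re-read of the mode after the snapshot.

```c
#include <stdlib.h>

/* Added userspace model of the race in the review, not kernel code:
 * bond_model, slave_model, enslave(), fill_info_model() and the writer
 * hook are illustrative names, not bonding driver APIs. */

enum bond_mode { MODE_ACTIVEBACKUP = 1, MODE_8023AD = 4 };

/* Results of the info walk. */
enum { AGG_OK = 0, AGG_NONE = -1, AGG_WOULD_OOPS = -2, AGG_MODE_CHANGED = -3 };

struct ad_info_model { int aggregator_id; int is_active; };
struct slave_model { struct ad_info_model *ad_info; struct slave_model *next; };
struct bond_model { enum bond_mode mode; struct slave_model *slaves; };

/* Models bond_alloc_slave(): ad_info is allocated only if the bond is in
 * 802.3ad mode at enslave time; the slave is then published at the list
 * head, as list_add_rcu() would. */
static void enslave(struct bond_model *b, int agg_id, int active)
{
	struct slave_model *s = calloc(1, sizeof(*s));
	if (!s)
		abort();
	if (b->mode == MODE_8023AD) {
		s->ad_info = calloc(1, sizeof(*s->ad_info));
		if (!s->ad_info)
			abort();
		s->ad_info->aggregator_id = agg_id;
		s->ad_info->is_active = active;
	}
	s->next = b->slaves;
	b->slaves = s;
}

static void free_slaves(struct bond_model *b)
{
	while (b->slaves) {
		struct slave_model *s = b->slaves;
		b->slaves = s->next;
		free(s->ad_info);
		free(s);
	}
}

/* The writer from the review: flip the mode to active-backup, then
 * immediately enslave a device, which therefore has ad_info == NULL. */
static void writer_flip_mode_and_enslave(struct bond_model *b)
{
	b->mode = MODE_ACTIVEBACKUP;
	enslave(b, 0, 0);
}

/* Reader shaped like bond_fill_info(): snapshot the mode, let the writer
 * run in the window before the slave walk, then walk.
 * guard=0 dereferences ad_info unconditionally like the quoted
 * __bond_3ad_get_active_agg_info() (a NULL is reported as AGG_WOULD_OOPS
 * instead of crashing the model); guard=1 skips slaves without ad_info;
 * recheck=1 re-reads the mode after the window and bails if it changed. */
static int fill_info_model(struct bond_model *b,
			   void (*writer)(struct bond_model *),
			   int guard, int recheck, int *agg_out)
{
	enum bond_mode snap = b->mode;		/* stands in for READ_ONCE() */
	struct slave_model *s;

	if (writer)
		writer(b);			/* the race window */
	if (snap != MODE_8023AD)
		return AGG_NONE;
	if (recheck && b->mode != MODE_8023AD)
		return AGG_MODE_CHANGED;
	for (s = b->slaves; s; s = s->next) {
		if (!s->ad_info) {
			if (guard)
				continue;
			return AGG_WOULD_OOPS;	/* SLAVE_AD_INFO(slave)->port on NULL */
		}
		if (s->ad_info->is_active) {
			*agg_out = s->ad_info->aggregator_id;
			return AGG_OK;
		}
	}
	return AGG_NONE;
}

/* race=0: baseline, an 802.3ad bond with one active slave and no writer.
 * race=1: empty 802.3ad bond, the writer runs in the window.
 * Returns the aggregator id (>= 0) or a negative AGG_* code. */
int scenario_result(int race, int guard, int recheck)
{
	struct bond_model b = { .mode = MODE_8023AD, .slaves = NULL };
	int agg = -1, rc;

	if (!race)
		enslave(&b, 7, 1);
	rc = fill_info_model(&b, race ? writer_flip_mode_and_enslave : NULL,
			     guard, recheck, &agg);
	free_slaves(&b);
	return rc == AGG_OK ? agg : rc;
}
```

Calling scenario_result(0, 0, 0) gives the baseline aggregator id 7; scenario_result(1, 0, 0) reports AGG_WOULD_OOPS, the point where the kernel code would dereference NULL; scenario_result(1, 1, 0) returns AGG_NONE because the guarded walk skips the slave that has no ad_info; scenario_result(1, 0, 1) returns AGG_MODE_CHANGED. In my assessment the re-read only narrows the window, since the writer can still flip the mode after the second read, whereas the per-slave guard tests the pointer that is actually about to be dereferenced and so does not depend on ordering; that is why it is the more robust of the two in a reader that no longer holds RTNL.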
Thread overview: 2+ messages
2026-06-10 3:19 [PATCH v3 net-next] bonding: no longer rely on RTNL in bond_fill_info() Eric Dumazet
2026-06-12 22:53 ` Jakub Kicinski [this message]