[PATCH v3] bridge: fix bridge netlink RCU usage

[PATCH v3] bridge: fix bridge netlink RCU usage

[Johannes Berg]

From: Johannes Berg <johannes.berg@intel.com>

When the STP timer fires, it can call br_ifinfo_notify(),
which in turn ends up in the new br_get_link_af_size().
This function is annotated to be using RTNL locking, which
clearly isn't the case here, and thus lockdep warns:

  ===============================
  [ INFO: suspicious RCU usage. ]
  3.19.0+ #569 Not tainted
  -------------------------------
  net/bridge/br_private.h:204 suspicious rcu_dereference_protected() usage!

Fix this by doing RCU locking here.

Fixes: b7853d73e39b ("bridge: add vlan info to bridge setlink and dellink notification messages")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/bridge/br_netlink.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 17e0177467f5..72d8efa9b1eb 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -25,19 +25,20 @@
 static size_t br_get_link_af_size(const struct net_device *dev)
 {
 	struct net_port_vlans *pv;
+	unsigned int num_vlans;
 
+	rcu_read_lock();
 	if (br_port_exists(dev))
-		pv = nbp_get_vlan_info(br_port_get_rtnl(dev));
+		pv = nbp_get_vlan_info(br_port_get_rcu(dev));
 	else if (dev->priv_flags & IFF_EBRIDGE)
-		pv = br_get_vlan_info((struct net_bridge *)netdev_priv(dev));
+		pv = br_get_vlan_info(netdev_priv(dev));
 	else
-		return 0;
-
-	if (!pv)
-		return 0;
+		pv = NULL;
+	num_vlans = pv ? pv->num_vlans : 0;
+	rcu_read_unlock();
 
 	/* Each VLAN is returned in bridge_vlan_info along with flags */
-	return pv->num_vlans * nla_total_size(sizeof(struct bridge_vlan_info));
+	return num_vlans * nla_total_size(sizeof(struct bridge_vlan_info));
 }
 
 static inline size_t br_port_info_size(void)
-- 
2.1.4

Re: [PATCH v3] bridge: fix bridge netlink RCU usage

[roopa]

On 3/3/15, 5:49 AM, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> When the STP timer fires, it can call br_ifinfo_notify(),
> which in turn ends up in the new br_get_link_af_size().
> This function is annotated to be using RTNL locking, which
> clearly isn't the case here, and thus lockdep warns:
>
>    ===============================
>    [ INFO: suspicious RCU usage. ]
>    3.19.0+ #569 Not tainted
>    -------------------------------
>    net/bridge/br_private.h:204 suspicious rcu_dereference_protected() usage!
>
> Fix this by doing RCU locking here.
>
> Fixes: b7853d73e39b ("bridge: add vlan info to bridge setlink and dellink notification messages")
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
>   net/bridge/br_netlink.c | 15 ++++++++-------
>   1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
> index 17e0177467f5..72d8efa9b1eb 100644
> --- a/net/bridge/br_netlink.c
> +++ b/net/bridge/br_netlink.c
> @@ -25,19 +25,20 @@
>   static size_t br_get_link_af_size(const struct net_device *dev)
>   {
>   	struct net_port_vlans *pv;
> +	unsigned int num_vlans;
>   
> +	rcu_read_lock();
>   	if (br_port_exists(dev))
> -		pv = nbp_get_vlan_info(br_port_get_rtnl(dev));
> +		pv = nbp_get_vlan_info(br_port_get_rcu(dev));
>   	else if (dev->priv_flags & IFF_EBRIDGE)
> -		pv = br_get_vlan_info((struct net_bridge *)netdev_priv(dev));
> +		pv = br_get_vlan_info(netdev_priv(dev));
>   	else
> -		return 0;
> -
> -	if (!pv)
> -		return 0;
> +		pv = NULL;
> +	num_vlans = pv ? pv->num_vlans : 0;
> +	rcu_read_unlock();
>   
>   	/* Each VLAN is returned in bridge_vlan_info along with flags */
> -	return pv->num_vlans * nla_total_size(sizeof(struct bridge_vlan_info));
> +	return num_vlans * nla_total_size(sizeof(struct bridge_vlan_info));
>   }
>   
>   static inline size_t br_port_info_size(void)
Thanks!

I used an existing function and did not realize I was newly adding the 
stp notify case to the mix.
Will make sure I run with lockdep on next time.

My subsequent patch  in net-next related to this code, changes things a 
bit (fed0a159c8c5e453d79d6a73897c576efea0a8a5 bridge: fix link 
notification skb size calculation to include vlan ranges).
It reverts the use of this function which makes sure this is always 
called under rtnl.
But, I did add another version of this function in net-next which has 
the same problem.
Assuming that patch in net-next is on its way to net soon, am wondering 
if fixing it in net-next is the right course.

I can apply your patch there and re-submit. Or if you prefer to 
re-submit your patch on net-next that's great too.

please let me know.

Thanks,
Roopa

Re: [PATCH v3] bridge: fix bridge netlink RCU usage

[Johannes Berg]

Hi Roopa,

> My subsequent patch  in net-next related to this code, changes things a 
> bit (fed0a159c8c5e453d79d6a73897c576efea0a8a5 bridge: fix link 
> notification skb size calculation to include vlan ranges).

Yeah, I saw this, but thought the original patch had already gone to
net.git. Then later I found it hasn't but didn't remember ... sorry
about that.

> It reverts the use of this function which makes sure this is always 
> called under rtnl.
> But, I did add another version of this function in net-next which has 
> the same problem.
> Assuming that patch in net-next is on its way to net soon, am wondering 
> if fixing it in net-next is the right course.

Of course, this patch should then only ever be applied to net-next.

> I can apply your patch there and re-submit. Or if you prefer to 
> re-submit your patch on net-next that's great too.

I can resend it. I even have a pretty simple test case to reproduce the
failure :)

johannes

Re: [PATCH v3] bridge: fix bridge netlink RCU usage

[roopa]

On 3/3/15, 6:51 AM, Johannes Berg wrote:
> Hi Roopa,
>
>> My subsequent patch  in net-next related to this code, changes things a
>> bit (fed0a159c8c5e453d79d6a73897c576efea0a8a5 bridge: fix link
>> notification skb size calculation to include vlan ranges).
> Yeah, I saw this, but thought the original patch had already gone to
> net.git. Then later I found it hasn't but didn't remember ... sorry
> about that.
>
>> It reverts the use of this function which makes sure this is always
>> called under rtnl.
>> But, I did add another version of this function in net-next which has
>> the same problem.
>> Assuming that patch in net-next is on its way to net soon, am wondering
>> if fixing it in net-next is the right course.
> Of course, this patch should then only ever be applied to net-next.
>
>> I can apply your patch there and re-submit. Or if you prefer to
>> re-submit your patch on net-next that's great too.
> I can resend it. I even have a pretty simple test case to reproduce the
> failure :)
>
great!. Thank you.