| From d7145013c4c46dcaf9fe414cafd3f531dbfa7166 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 5 Jul 2021 15:38:13 +0000 |
| Subject: bonding: fix suspicious RCU usage in bond_ipsec_offload_ok() |
| |
| From: Taehee Yoo <ap420073@gmail.com> |
| |
| [ Upstream commit 955b785ec6b3b2f9b91914d6eeac8ee66ee29239 ] |
| |
| To dereference bond->curr_active_slave, it uses rcu_dereference(). |
| But it and the caller doesn't acquire RCU so a warning occurs. |
| So add rcu_read_lock(). |
| |
| Splat looks like: |
| WARNING: suspicious RCU usage |
| 5.13.0-rc6+ #1179 Not tainted |
| drivers/net/bonding/bond_main.c:571 suspicious |
| rcu_dereference_check() usage! |
| |
| other info that might help us debug this: |
| |
| rcu_scheduler_active = 2, debug_locks = 1 |
| 1 lock held by ping/974: |
| #0: ffff888109e7db70 (sk_lock-AF_INET){+.+.}-{0:0}, |
| at: raw_sendmsg+0x1303/0x2cb0 |
| |
| stack backtrace: |
| CPU: 2 PID: 974 Comm: ping Not tainted 5.13.0-rc6+ #1179 |
| Call Trace: |
| dump_stack+0xa4/0xe5 |
| bond_ipsec_offload_ok+0x1f4/0x260 [bonding] |
| xfrm_output+0x179/0x890 |
| xfrm4_output+0xfa/0x410 |
| ? __xfrm4_output+0x4b0/0x4b0 |
| ? __ip_make_skb+0xecc/0x2030 |
| ? xfrm4_udp_encap_rcv+0x800/0x800 |
| ? ip_local_out+0x21/0x3a0 |
| ip_send_skb+0x37/0xa0 |
| raw_sendmsg+0x1bfd/0x2cb0 |
| |
| Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves") |
| Signed-off-by: Taehee Yoo <ap420073@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/bonding/bond_main.c | 22 ++++++++++++++++------ |
| 1 file changed, 16 insertions(+), 6 deletions(-) |
| |
| diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c |
| index 3f67b4b794ac..d267791a06c0 100644 |
| --- a/drivers/net/bonding/bond_main.c |
| +++ b/drivers/net/bonding/bond_main.c |
| @@ -573,24 +573,34 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) |
| struct net_device *real_dev; |
| struct slave *curr_active; |
| struct bonding *bond; |
| + int err; |
| |
| bond = netdev_priv(bond_dev); |
| + rcu_read_lock(); |
| curr_active = rcu_dereference(bond->curr_active_slave); |
| real_dev = curr_active->dev; |
| |
| - if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) |
| - return true; |
| + if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) { |
| + err = true; |
| + goto out; |
| + } |
| |
| - if (!xs->xso.real_dev) |
| - return false; |
| + if (!xs->xso.real_dev) { |
| + err = false; |
| + goto out; |
| + } |
| |
| if (!real_dev->xfrmdev_ops || |
| !real_dev->xfrmdev_ops->xdo_dev_offload_ok || |
| netif_is_bond_master(real_dev)) { |
| - return false; |
| + err = false; |
| + goto out; |
| } |
| |
| - return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); |
| + err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs); |
| +out: |
| + rcu_read_unlock(); |
| + return err; |
| } |
| |
| static const struct xfrmdev_ops bond_xfrmdev_ops = { |
| -- |
| 2.30.2 |
| |