releases/5.13.6/bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From d7145013c4c46dcaf9fe414cafd3f531dbfa7166 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Mon, 5 Jul 2021 15:38:13 +0000
 Subject: bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()

 From: Taehee Yoo <ap420073@gmail.com>

 [ Upstream commit 955b785ec6b3b2f9b91914d6eeac8ee66ee29239 ]

 To dereference bond->curr_active_slave, it uses rcu_dereference().
 But it and the caller doesn't acquire RCU so a warning occurs.
 So add rcu_read_lock().

 Splat looks like:
 WARNING: suspicious RCU usage
 5.13.0-rc6+ #1179 Not tainted
 drivers/net/bonding/bond_main.c:571 suspicious
 rcu_dereference_check() usage!

 other info that might help us debug this:

 rcu_scheduler_active = 2, debug_locks = 1
 1 lock held by ping/974:
  #0: ffff888109e7db70 (sk_lock-AF_INET){+.+.}-{0:0},
 at: raw_sendmsg+0x1303/0x2cb0

 stack backtrace:
 CPU: 2 PID: 974 Comm: ping Not tainted 5.13.0-rc6+ #1179
 Call Trace:
  dump_stack+0xa4/0xe5
  bond_ipsec_offload_ok+0x1f4/0x260 [bonding]
  xfrm_output+0x179/0x890
  xfrm4_output+0xfa/0x410
  ? __xfrm4_output+0x4b0/0x4b0
  ? __ip_make_skb+0xecc/0x2030
  ? xfrm4_udp_encap_rcv+0x800/0x800
  ? ip_local_out+0x21/0x3a0
  ip_send_skb+0x37/0xa0
  raw_sendmsg+0x1bfd/0x2cb0

 Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
 Signed-off-by: Taehee Yoo <ap420073@gmail.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/net/bonding/bond_main.c | 22 ++++++++++++++++------
  1 file changed, 16 insertions(+), 6 deletions(-)

 diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
 index 3f67b4b794ac..d267791a06c0 100644
 --- a/drivers/net/bonding/bond_main.c
 +++ b/drivers/net/bonding/bond_main.c
 @@ -573,24 +573,34 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
  	struct net_device *real_dev;
  	struct slave *curr_active;
  	struct bonding *bond;
 +	int err;

  	bond = netdev_priv(bond_dev);
 +	rcu_read_lock();
  	curr_active = rcu_dereference(bond->curr_active_slave);
  	real_dev = curr_active->dev;

 -	if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
 -		return true;
 +	if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
 +		err = true;
 +		goto out;
 +	}

 -	if (!xs->xso.real_dev)
 -		return false;
 +	if (!xs->xso.real_dev) {
 +		err = false;
 +		goto out;
 +	}

  	if (!real_dev->xfrmdev_ops ||
  	    !real_dev->xfrmdev_ops->xdo_dev_offload_ok ||
  	    netif_is_bond_master(real_dev)) {
 -		return false;
 +		err = false;
 +		goto out;
  	}

 -	return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
 +	err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
 +out:
 +	rcu_read_unlock();
 +	return err;
  }

  static const struct xfrmdev_ops bond_xfrmdev_ops = {
 --
 2.30.2
	From d7145013c4c46dcaf9fe414cafd3f531dbfa7166 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Mon, 5 Jul 2021 15:38:13 +0000
	Subject: bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()

	From: Taehee Yoo <ap420073@gmail.com>

	[ Upstream commit 955b785ec6b3b2f9b91914d6eeac8ee66ee29239 ]

	To dereference bond->curr_active_slave, it uses rcu_dereference().
	But it and the caller doesn't acquire RCU so a warning occurs.
	So add rcu_read_lock().

	Splat looks like:
	WARNING: suspicious RCU usage
	5.13.0-rc6+ #1179 Not tainted
	drivers/net/bonding/bond_main.c:571 suspicious
	rcu_dereference_check() usage!

	other info that might help us debug this:

	rcu_scheduler_active = 2, debug_locks = 1
	1 lock held by ping/974:
	#0: ffff888109e7db70 (sk_lock-AF_INET){+.+.}-{0:0},
	at: raw_sendmsg+0x1303/0x2cb0

	stack backtrace:
	CPU: 2 PID: 974 Comm: ping Not tainted 5.13.0-rc6+ #1179
	Call Trace:
	dump_stack+0xa4/0xe5
	bond_ipsec_offload_ok+0x1f4/0x260 [bonding]
	xfrm_output+0x179/0x890
	xfrm4_output+0xfa/0x410
	? __xfrm4_output+0x4b0/0x4b0
	? __ip_make_skb+0xecc/0x2030
	? xfrm4_udp_encap_rcv+0x800/0x800
	? ip_local_out+0x21/0x3a0
	ip_send_skb+0x37/0xa0
	raw_sendmsg+0x1bfd/0x2cb0

	Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
	Signed-off-by: Taehee Yoo <ap420073@gmail.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/net/bonding/bond_main.c \| 22 ++++++++++++++++------
	1 file changed, 16 insertions(+), 6 deletions(-)

	diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
	index 3f67b4b794ac..d267791a06c0 100644
	--- a/drivers/net/bonding/bond_main.c
	+++ b/drivers/net/bonding/bond_main.c
	@@ -573,24 +573,34 @@ static bool bond_ipsec_offload_ok(struct sk_buff skb, struct xfrm_state xs)
	struct net_device *real_dev;
	struct slave *curr_active;
	struct bonding *bond;
	+ int err;

	bond = netdev_priv(bond_dev);
	+ rcu_read_lock();
	curr_active = rcu_dereference(bond->curr_active_slave);
	real_dev = curr_active->dev;

	- if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
	- return true;
	+ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
	+ err = true;
	+ goto out;
	+ }

	- if (!xs->xso.real_dev)
	- return false;
	+ if (!xs->xso.real_dev) {
	+ err = false;
	+ goto out;
	+ }

	if (!real_dev->xfrmdev_ops \|\|
	!real_dev->xfrmdev_ops->xdo_dev_offload_ok \|\|
	netif_is_bond_master(real_dev)) {
	- return false;
	+ err = false;
	+ goto out;
	}

	- return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
	+ err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
	+out:
	+ rcu_read_unlock();
	+ return err;
	}

	static const struct xfrmdev_ops bond_xfrmdev_ops = {
	--
	2.30.2