Re: [PATCHv5 net 1/3] bonding: fix calling sleeping function in spin lock and some race conditions

Hangbin Liu <liuhangbin@xxxxxxxxx> · Mon, 10 Mar 2025 07:22:21 +0000

On Sat, Mar 08, 2025 at 08:54:51AM +0000, Simon Horman wrote:
> On Fri, Mar 07, 2025 at 03:19:01AM +0000, Hangbin Liu wrote:
> 
> ...
> 
> > @@ -616,9 +615,22 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
> >  		return;
> >  
> >  	mutex_lock(&bond->ipsec_lock);
> > -	list_for_each_entry(ipsec, &bond->ipsec_list, list) {
> > -		if (!ipsec->xs->xso.real_dev)
> > +	list_for_each_entry_safe(ipsec, tmp_ipsec, &bond->ipsec_list, list) {
> > +		spin_lock_bh(&ipsec->xs->lock);
> > +		if (!ipsec->xs->xso.real_dev) {
> > +			spin_unlock_bh(&ipsec->xs->lock);
> >  			continue;
> > +		}
> > +
> > +		if (ipsec->xs->km.state == XFRM_STATE_DEAD) {
> > +			list_del(&ipsec->list);
> > +			kfree(ipsec);
> 
> Hi Hangbin,
> 
> Apologies if this was covered elsewhere, but ipsec is kfree'd here...

Oh.. I need to get the xs with xs = ipsec->xs, then hold the xs lock.

Thanks
Hangbin
> 
> 
> > +			/* Need to free device here, or the xs->xso.real_dev
> > +			 * may changed in bond_ipsec_add_sa_all and free
> > +			 * on old device will never be called.
> > +			 */
> > +			goto next;
> > +		}
> >  
> >  		if (!real_dev->xfrmdev_ops ||
> >  		    !real_dev->xfrmdev_ops->xdo_dev_state_delete ||
> > @@ -626,11 +638,20 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
> >  			slave_warn(bond_dev, real_dev,
> >  				   "%s: no slave xdo_dev_state_delete\n",
> >  				   __func__);
> > -		} else {
> > -			real_dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
> > -			if (real_dev->xfrmdev_ops->xdo_dev_state_free)
> > -				real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs);
> > +			spin_unlock_bh(&ipsec->xs->lock);
> > +			continue;
> >  		}
> > +
> > +		real_dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
> > +
> > +next:
> > +		/* set real_dev to NULL in case __xfrm_state_delete() is called in parallel */
> > +		ipsec->xs->xso.real_dev = NULL;
> 
> ... and the dereferenced here.
> 
> Flagged by Smatch.
> 
> > +
> > +		/* Unlock before freeing device state, it could sleep. */
> > +		spin_unlock_bh(&ipsec->xs->lock);
> > +		if (real_dev->xfrmdev_ops->xdo_dev_state_free)
> > +			real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs);
> >  	}
> >  	mutex_unlock(&bond->ipsec_lock);
> >  }
> 
> ...