Patch "bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()" has been added to the 5.13-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 25 Jul 2021 22:42:38 -0400

This is a note to let you know that I've just added the patch titled

    bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()

to the 5.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch
and it can be found in the queue-5.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d7145013c4c46dcaf9fe414cafd3f531dbfa7166
Author: Taehee Yoo <ap420073@xxxxxxxxx>
Date:   Mon Jul 5 15:38:13 2021 +0000

    bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()
    
    [ Upstream commit 955b785ec6b3b2f9b91914d6eeac8ee66ee29239 ]
    
    To dereference bond->curr_active_slave, it uses rcu_dereference().
    But it and the caller doesn't acquire RCU so a warning occurs.
    So add rcu_read_lock().
    
    Splat looks like:
    WARNING: suspicious RCU usage
    5.13.0-rc6+ #1179 Not tainted
    drivers/net/bonding/bond_main.c:571 suspicious
    rcu_dereference_check() usage!
    
    other info that might help us debug this:
    
    rcu_scheduler_active = 2, debug_locks = 1
    1 lock held by ping/974:
     #0: ffff888109e7db70 (sk_lock-AF_INET){+.+.}-{0:0},
    at: raw_sendmsg+0x1303/0x2cb0
    
    stack backtrace:
    CPU: 2 PID: 974 Comm: ping Not tainted 5.13.0-rc6+ #1179
    Call Trace:
     dump_stack+0xa4/0xe5
     bond_ipsec_offload_ok+0x1f4/0x260 [bonding]
     xfrm_output+0x179/0x890
     xfrm4_output+0xfa/0x410
     ? __xfrm4_output+0x4b0/0x4b0
     ? __ip_make_skb+0xecc/0x2030
     ? xfrm4_udp_encap_rcv+0x800/0x800
     ? ip_local_out+0x21/0x3a0
     ip_send_skb+0x37/0xa0
     raw_sendmsg+0x1bfd/0x2cb0
    
    Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
    Signed-off-by: Taehee Yoo <ap420073@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 3f67b4b794ac..d267791a06c0 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -573,24 +573,34 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
 	struct net_device *real_dev;
 	struct slave *curr_active;
 	struct bonding *bond;
+	int err;
 
 	bond = netdev_priv(bond_dev);
+	rcu_read_lock();
 	curr_active = rcu_dereference(bond->curr_active_slave);
 	real_dev = curr_active->dev;
 
-	if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
-		return true;
+	if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
+		err = true;
+		goto out;
+	}
 
-	if (!xs->xso.real_dev)
-		return false;
+	if (!xs->xso.real_dev) {
+		err = false;
+		goto out;
+	}
 
 	if (!real_dev->xfrmdev_ops ||
 	    !real_dev->xfrmdev_ops->xdo_dev_offload_ok ||
 	    netif_is_bond_master(real_dev)) {
-		return false;
+		err = false;
+		goto out;
 	}
 
-	return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
+	err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
+out:
+	rcu_read_unlock();
+	return err;
 }
 
 static const struct xfrmdev_ops bond_xfrmdev_ops = {






