This is a note to let you know that I've just added the patch titled
net: openvswitch: ovs_ct_exit to be done under ovs_lock
to the 4.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-openvswitch-ovs_ct_exit-to-be-done-under-ovs_loc.patch
and it can be found in the queue-4.19 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit d910ac79e9895b7ee2628ac4269935ebe68ccd21
Author: Tonghao Zhang <xiangxia.m.yue@xxxxxxxxx>
Date: Fri Apr 17 02:57:31 2020 +0800
net: openvswitch: ovs_ct_exit to be done under ovs_lock
[ Upstream commit 27de77cec985233bdf6546437b9761853265c505 ]
syzbot wrote:
| =============================
| WARNING: suspicious RCU usage
| 5.7.0-rc1+ #45 Not tainted
| -----------------------------
| net/openvswitch/conntrack.c:1898 RCU-list traversed in non-reader section!!
|
| other info that might help us debug this:
| rcu_scheduler_active = 2, debug_locks = 1
| ...
|
| stack backtrace:
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
| Workqueue: netns cleanup_net
| Call Trace:
| ...
| ovs_ct_exit
| ovs_exit_net
| ops_exit_list.isra.7
| cleanup_net
| process_one_work
| worker_thread
To avoid that warning, invoke the ovs_ct_exit under ovs_lock and add
lockdep_ovsl_is_held as optional lockdep expression.
Link: https://lore.kernel.org/lkml/000000000000e642a905a0cbee6e@xxxxxxxxxx
Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit")
Cc: Pravin B Shelar <pshelar@xxxxxxx>
Cc: Yi-Hung Wei <yihung.wei@xxxxxxxxx>
Reported-by: syzbot+7ef50afd3a211f879112@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Tonghao Zhang <xiangxia.m.yue@xxxxxxxxx>
Acked-by: Pravin B Shelar <pshelar@xxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Stable-dep-of: 5ea7b72d4fac ("net: openvswitch: Fix Use-After-Free in ovs_ct_exit")
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 0777c8d416f1b..352e80e6cd75c 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1837,7 +1837,8 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net)
struct hlist_head *head = &info->limits[i];
struct ovs_ct_limit *ct_limit;
- hlist_for_each_entry_rcu(ct_limit, head, hlist_node)
+ hlist_for_each_entry_rcu(ct_limit, head, hlist_node,
+ lockdep_ovsl_is_held())
kfree_rcu(ct_limit, rcu);
}
kfree(ovs_net->ct_limit_info->limits);
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 0551915519d9f..db27a43f5c5ab 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -2390,8 +2390,10 @@ static void __net_exit ovs_exit_net(struct net *dnet)
struct net *net;
LIST_HEAD(head);
- ovs_ct_exit(dnet);
ovs_lock();
+
+ ovs_ct_exit(dnet);
+
list_for_each_entry_safe(dp, dp_next, &ovs_net->dps, list_node)
__dp_destroy(dp);
