4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tonghao Zhang <xiangxia.m.yue@xxxxxxxxx> [ Upstream commit 27de77cec985233bdf6546437b9761853265c505 ] syzbot wrote: | ============================= | WARNING: suspicious RCU usage | 5.7.0-rc1+ #45 Not tainted | ----------------------------- | net/openvswitch/conntrack.c:1898 RCU-list traversed in non-reader section!! | | other info that might help us debug this: | rcu_scheduler_active = 2, debug_locks = 1 | ... | | stack backtrace: | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 | Workqueue: netns cleanup_net | Call Trace: | ... | ovs_ct_exit | ovs_exit_net | ops_exit_list.isra.7 | cleanup_net | process_one_work | worker_thread To avoid that warning, invoke the ovs_ct_exit under ovs_lock and add lockdep_ovsl_is_held as optional lockdep expression. Link: https://lore.kernel.org/lkml/000000000000e642a905a0cbee6e@xxxxxxxxxx Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") Cc: Pravin B Shelar <pshelar@xxxxxxx> Cc: Yi-Hung Wei <yihung.wei@xxxxxxxxx> Reported-by: syzbot+7ef50afd3a211f879112@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Tonghao Zhang <xiangxia.m.yue@xxxxxxxxx> Acked-by: Pravin B Shelar <pshelar@xxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Stable-dep-of: 5ea7b72d4fac ("net: openvswitch: Fix Use-After-Free in ovs_ct_exit") Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- net/openvswitch/conntrack.c | 3 ++- net/openvswitch/datapath.c | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index 0777c8d416f1b..352e80e6cd75c 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1837,7 +1837,8 @@ static void ovs_ct_limit_exit(struct net *net, struct ovs_net *ovs_net) struct hlist_head *head = &info->limits[i]; struct ovs_ct_limit *ct_limit; - hlist_for_each_entry_rcu(ct_limit, head, hlist_node) + hlist_for_each_entry_rcu(ct_limit, head, hlist_node, + lockdep_ovsl_is_held()) kfree_rcu(ct_limit, rcu); } kfree(ovs_net->ct_limit_info->limits); diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c index 0551915519d9f..db27a43f5c5ab 100644 --- a/net/openvswitch/datapath.c +++ b/net/openvswitch/datapath.c @@ -2390,8 +2390,10 @@ static void __net_exit ovs_exit_net(struct net *dnet) struct net *net; LIST_HEAD(head); - ovs_ct_exit(dnet); ovs_lock(); + + ovs_ct_exit(dnet); + list_for_each_entry_safe(dp, dp_next, &ovs_net->dps, list_node) __dp_destroy(dp); -- 2.43.0
