• Taehee Yoo's avatar
    net: rmnet: fix suspicious RCU usage · 5cd211aa
    Taehee Yoo authored
    [ Upstream commit 102210f7 ]
    
    rmnet_get_port() internally calls rcu_dereference_rtnl(),
    which checks RTNL.
    But rmnet_get_port() could be called by packet path.
    The packet path is not protected by RTNL.
    So, the suspicious RCU usage problem occurs.
    
    Test commands:
        modprobe rmnet
        ip netns add nst
        ip link add veth0 type veth peer name veth1
        ip link set veth1 netns nst
        ip link add rmnet0 link veth0 type rmnet mux_id 1
        ip netns exec nst ip link add rmnet1 link veth1 type rmnet mux_id 1
        ip netns exec nst ip link set veth1 up
        ip netns exec nst ip link set rmnet1 up
        ip netns exec nst ip a a 192.168.100.2/24 dev rmnet1
        ip link set veth0 up
        ip link set rmnet0 up
        ip a a 192.168.100.1/24 dev rmnet0
        ping 192.168.100.2
    
    Splat looks like:
    [  146.630958][ T1174] WARNING: suspicious RCU usage
    [  146.631735][ T1174] 5.6.0-rc1+ #447 Not tainted
    [  146.632387][ T1174] -----------------------------
    [  146.633151][ T1174] drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c:386 suspicious rcu_dereference_check() !
    [  146.634742][ T1174]
    [  146.634742][ T1174] other info that might help us debug this:
    [  146.634742][ T1174]
    [  146.645992][ T1174]
    [  146.645992][ T1174] rcu_scheduler_active = 2, debug_locks = 1
    [  146.646937][ T1174] 5 locks held by ping/1174:
    [  146.647609][ T1174]  #0: ffff8880c31dea70 (sk_lock-AF_INET){+.+.}, at: raw_sendmsg+0xab8/0x2980
    [  146.662463][ T1174]  #1: ffffffff93925660 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x243/0x2150
    [  146.671696][ T1174]  #2: ffffffff93925660 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x213/0x2940
    [  146.673064][ T1174]  #3: ffff8880c19ecd58 (&dev->qdisc_running_key#7){+...}, at: ip_finish_output2+0x714/0x2150
    [  146.690358][ T1174]  #4: ffff8880c5796898 (&dev->qdisc_xmit_lock_key#3){+.-.}, at: sch_direct_xmit+0x1e2/0x1020
    [  146.699875][ T1174]
    [  146.699875][ T1174] stack backtrace:
    [  146.701091][ T1174] CPU: 0 PID: 1174 Comm: ping Not tainted 5.6.0-rc1+ #447
    [  146.705215][ T1174] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [  146.706565][ T1174] Call Trace:
    [  146.707102][ T1174]  dump_stack+0x96/0xdb
    [  146.708007][ T1174]  rmnet_get_port.part.9+0x76/0x80 [rmnet]
    [  146.709233][ T1174]  rmnet_egress_handler+0x107/0x420 [rmnet]
    [  146.710492][ T1174]  ? sch_direct_xmit+0x1e2/0x1020
    [  146.716193][ T1174]  rmnet_vnd_start_xmit+0x3d/0xa0 [rmnet]
    [  146.717012][ T1174]  dev_hard_start_xmit+0x160/0x740
    [  146.717854][ T1174]  sch_direct_xmit+0x265/0x1020
    [  146.718577][ T1174]  ? register_lock_class+0x14d0/0x14d0
    [  146.719429][ T1174]  ? dev_watchdog+0xac0/0xac0
    [  146.723738][ T1174]  ? __dev_queue_xmit+0x15fd/0x2940
    [  146.724469][ T1174]  ? lock_acquire+0x164/0x3b0
    [  146.725172][ T1174]  __dev_queue_xmit+0x20c7/0x2940
    [ ... ]
    
    Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
    Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    5cd211aa
rmnet_config.h 2.11 KB