| Message ID | 1550828682-10608-1-git-send-email-lirongqing@baidu.com |
|---|---|
| State | Rejected |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net-next] ipv6: sanitize RCU usage on fib6_next | expand |
On 2/22/19 4:44 AM, Li RongQing wrote: > diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c > index 6613d8dbb0e5..b73d40d68178 100644 > --- a/net/ipv6/ip6_fib.c > +++ b/net/ipv6/ip6_fib.c > @@ -1143,7 +1143,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, > > atomic_inc(&rt->fib6_ref); > rcu_assign_pointer(rt->fib6_node, fn); > - rt->fib6_next = iter->fib6_next; > + rcu_assign_pointer(rt->fib6_next, iter->fib6_next); > rcu_assign_pointer(*ins, rt); > if (!info->skip_notify) > inet6_rt_notify(RTM_NEWROUTE, rt, info, NLM_F_REPLACE); > @@ -1761,7 +1761,9 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn, > RT6_TRACE("fib6_del_route\n"); > > /* Unlink it */ > - *rtp = rt->fib6_next; > + *rtp = rcu_dereference_protected(rt->fib6_next, > + lockdep_is_held(&rt->fib6_table->tb6_lock)); > + > rt->fib6_node = NULL; > net->ipv6.rt6_stats->fib_rt_entries--; > net->ipv6.rt6_stats->fib_discarded_routes++; > There are a number of fib6_next references not using rcu api's. Why are you only touching these 2?
On 02/22/2019 01:44 AM, Li RongQing wrote: > using rcu_assign_pointer when setting, which has a memory > barrier to ensure the initialization is seen first. > > using rcu_dereference when dereference this pointer > > Signed-off-by: Zhang Yu <zhangyu31@baidu.com> > Signed-off-by: Li RongQing <lirongqing@baidu.com> > --- > net/ipv6/ip6_fib.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c > index 6613d8dbb0e5..b73d40d68178 100644 > --- a/net/ipv6/ip6_fib.c > +++ b/net/ipv6/ip6_fib.c > @@ -1143,7 +1143,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, > > atomic_inc(&rt->fib6_ref); > rcu_assign_pointer(rt->fib6_node, fn); > - rt->fib6_next = iter->fib6_next; > + rcu_assign_pointer(rt->fib6_next, iter->fib6_next); We do not need a barrier here, the object is still private. > rcu_assign_pointer(*ins, rt); > if (!info->skip_notify) > inet6_rt_notify(RTM_NEWROUTE, rt, info, NLM_F_REPLACE); > @@ -1761,7 +1761,9 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn, > RT6_TRACE("fib6_del_route\n"); > > /* Unlink it */ > - *rtp = rt->fib6_next; > + *rtp = rcu_dereference_protected(rt->fib6_next, > + lockdep_is_held(&rt->fib6_table->tb6_lock)); This change will likely add a sparse bug. > + > rt->fib6_node = NULL; > net->ipv6.rt6_stats->fib_rt_entries--; > net->ipv6.rt6_stats->fib_discarded_routes++; > Really I do not believe these changes are needed. barriers should be added blindly.
Hi Li,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on net/master]
[also build test WARNING on v5.0-rc4 next-20190222]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Li-RongQing/ipv6-sanitize-RCU-usage-on-fib6_next/20190224-083824
reproduce:
# apt-get install sparse
make ARCH=x86_64 allmodconfig
make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
All warnings (new ones prefixed by >>):
>> net/ipv6/ip6_fib.c:1764:14: sparse: warning: incorrect type in assignment (different address spaces)
net/ipv6/ip6_fib.c:1764:14: sparse: expected struct fib6_info [noderef] <asn:4> *
net/ipv6/ip6_fib.c:1764:14: sparse: got struct fib6_info *
sparse warnings: (new ones prefixed by >>)
net/ipv6/ip6_fib.c:1764:14: sparse: warning: incorrect type in assignment (different address spaces)
>> net/ipv6/ip6_fib.c:1764:14: sparse: expected struct fib6_info [noderef] <asn:4> *
>> net/ipv6/ip6_fib.c:1764:14: sparse: got struct fib6_info *
vim +1764 net/ipv6/ip6_fib.c
1752
1753 static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn,
1754 struct fib6_info __rcu **rtp, struct nl_info *info)
1755 {
1756 struct fib6_walker *w;
1757 struct fib6_info *rt = rcu_dereference_protected(*rtp,
1758 lockdep_is_held(&table->tb6_lock));
1759 struct net *net = info->nl_net;
1760
1761 RT6_TRACE("fib6_del_route\n");
1762
1763 /* Unlink it */
> 1764 *rtp = rcu_dereference_protected(rt->fib6_next,
1765 lockdep_is_held(&rt->fib6_table->tb6_lock));
1766
1767 rt->fib6_node = NULL;
1768 net->ipv6.rt6_stats->fib_rt_entries--;
1769 net->ipv6.rt6_stats->fib_discarded_routes++;
1770
1771 /* Flush all cached dst in exception table */
1772 rt6_flush_exceptions(rt);
1773
1774 /* Reset round-robin state, if necessary */
1775 if (rcu_access_pointer(fn->rr_ptr) == rt)
1776 fn->rr_ptr = NULL;
1777
1778 /* Remove this entry from other siblings */
1779 if (rt->fib6_nsiblings) {
1780 struct fib6_info *sibling, *next_sibling;
1781
1782 list_for_each_entry_safe(sibling, next_sibling,
1783 &rt->fib6_siblings, fib6_siblings)
1784 sibling->fib6_nsiblings--;
1785 rt->fib6_nsiblings = 0;
1786 list_del_init(&rt->fib6_siblings);
1787 rt6_multipath_rebalance(next_sibling);
1788 }
1789
1790 /* Adjust walkers */
1791 read_lock(&net->ipv6.fib6_walker_lock);
1792 FOR_WALKERS(net, w) {
1793 if (w->state == FWS_C && w->leaf == rt) {
1794 RT6_TRACE("walker %p adjusted by delroute\n", w);
1795 w->leaf = rcu_dereference_protected(rt->fib6_next,
1796 lockdep_is_held(&table->tb6_lock));
1797 if (!w->leaf)
1798 w->state = FWS_U;
1799 }
1800 }
1801 read_unlock(&net->ipv6.fib6_walker_lock);
1802
1803 /* If it was last route, call fib6_repair_tree() to:
1804 * 1. For root node, put back null_entry as how the table was created.
1805 * 2. For other nodes, expunge its radix tree node.
1806 */
1807 if (!rcu_access_pointer(fn->leaf)) {
1808 if (!(fn->fn_flags & RTN_TL_ROOT)) {
1809 fn->fn_flags &= ~RTN_RTINFO;
1810 net->ipv6.rt6_stats->fib_route_nodes--;
1811 }
1812 fn = fib6_repair_tree(net, table, fn);
1813 }
1814
1815 fib6_purge_rt(rt, fn, net);
1816
1817 call_fib6_entry_notifiers(net, FIB_EVENT_ENTRY_DEL, rt, NULL);
1818 if (!info->skip_notify)
1819 inet6_rt_notify(RTM_DELROUTE, rt, info, 0);
1820 fib6_info_release(rt);
1821 }
1822
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 6613d8dbb0e5..b73d40d68178 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1143,7 +1143,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, atomic_inc(&rt->fib6_ref); rcu_assign_pointer(rt->fib6_node, fn); - rt->fib6_next = iter->fib6_next; + rcu_assign_pointer(rt->fib6_next, iter->fib6_next); rcu_assign_pointer(*ins, rt); if (!info->skip_notify) inet6_rt_notify(RTM_NEWROUTE, rt, info, NLM_F_REPLACE); @@ -1761,7 +1761,9 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn, RT6_TRACE("fib6_del_route\n"); /* Unlink it */ - *rtp = rt->fib6_next; + *rtp = rcu_dereference_protected(rt->fib6_next, + lockdep_is_held(&rt->fib6_table->tb6_lock)); + rt->fib6_node = NULL; net->ipv6.rt6_stats->fib_rt_entries--; net->ipv6.rt6_stats->fib_discarded_routes++;