Revision - 99f62a7 - net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN [...]

Revision 99f62a746066fa436aa15d4606a538569540db08 authored by Vladimir Oltean on 21 September 2020, 22:07:09 UTC, committed by David S. Miller on 22 September 2020, 00:37:44 UTC

net: bridge: br_vlan_get_pvid_rcu() should dereference the VLAN group under RCU

When calling the RCU brother of br_vlan_get_pvid(), lockdep warns:

=============================
WARNING: suspicious RCU usage
5.9.0-rc3-01631-g13c17acb8e38-dirty #814 Not tainted
-----------------------------
net/bridge/br_private.h:1054 suspicious rcu_dereference_protected() usage!

Call trace:
 lockdep_rcu_suspicious+0xd4/0xf8
 __br_vlan_get_pvid+0xc0/0x100
 br_vlan_get_pvid_rcu+0x78/0x108

The warning is because br_vlan_get_pvid_rcu() calls nbp_vlan_group()
which calls rtnl_dereference() instead of rcu_dereference(). In turn,
rtnl_dereference() calls rcu_dereference_protected() which assumes
operation under an RCU write-side critical section, which obviously is
not the case here. So, when the incorrect primitive is used to access
the RCU-protected VLAN group pointer, READ_ONCE() is not used, which may
cause various unexpected problems.

I'm sad to say that br_vlan_get_pvid() and br_vlan_get_pvid_rcu() cannot
share the same implementation. So fix the bug by splitting the 2
functions, and making br_vlan_get_pvid_rcu() retrieve the VLAN groups
under proper locking annotations.

Fixes: 7582f5b70f9a ("bridge: add br_vlan_get_pvid_rcu()")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 parent 47cec3f

Files
Changes

Permalinks

Makefile.kasan

# SPDX-License-Identifier: GPL-2.0
ifdef CONFIG_KASAN
CFLAGS_KASAN_NOSANITIZE := -fno-builtin
KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
endif

ifdef CONFIG_KASAN_GENERIC

ifdef CONFIG_KASAN_INLINE
	call_threshold := 10000
else
	call_threshold := 0
endif

CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address

cc-param = $(call cc-option, -mllvm -$(1), $(call cc-option, --param $(1)))

# -fasan-shadow-offset fails without -fsanitize
CFLAGS_KASAN_SHADOW := $(call cc-option, -fsanitize=kernel-address \
			-fasan-shadow-offset=$(KASAN_SHADOW_OFFSET), \
			$(call cc-option, -fsanitize=kernel-address \
			-mllvm -asan-mapping-offset=$(KASAN_SHADOW_OFFSET)))

ifeq ($(strip $(CFLAGS_KASAN_SHADOW)),)
	CFLAGS_KASAN := $(CFLAGS_KASAN_MINIMAL)
else
	# Now add all the compiler specific options that are valid standalone
	CFLAGS_KASAN := $(CFLAGS_KASAN_SHADOW) \
	 $(call cc-param,asan-globals=1) \
	 $(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \
	 $(call cc-param,asan-stack=$(CONFIG_KASAN_STACK)) \
	 $(call cc-param,asan-instrument-allocas=1)
endif

endif # CONFIG_KASAN_GENERIC

ifdef CONFIG_KASAN_SW_TAGS

ifdef CONFIG_KASAN_INLINE
    instrumentation_flags := -mllvm -hwasan-mapping-offset=$(KASAN_SHADOW_OFFSET)
else
    instrumentation_flags := -mllvm -hwasan-instrument-with-calls=1
endif

CFLAGS_KASAN := -fsanitize=kernel-hwaddress \
		-mllvm -hwasan-instrument-stack=$(CONFIG_KASAN_STACK) \
		-mllvm -hwasan-use-short-granules=0 \
		$(instrumentation_flags)

endif # CONFIG_KASAN_SW_TAGS

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...