Patchwork [net-next] tuntap: fix possible deadlock when fail to register netdev

Submitter Jason Wang
Date Dec. 8, 2017, 2:54 a.m.
Message ID <1512701655-18751-1-git-send-email-jasowang@redhat.com>
Permalink /patch/10101503/
State New

Comments

Jason Wang - Dec. 8, 2017, 2:54 a.m.
Private destructor could be called when register_netdev() fails with
rtnl lock held. This will lead to deadlock in tun_free_netdev(), which
tries to hold rtnl_lock. Fix this by switching to use a spinlock to
synchronize.

Fixes: 96f84061620c ("tun: add eBPF based queue selection method")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
 drivers/net/tun.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
Eric Dumazet - Dec. 8, 2017, 3:11 a.m.
On Fri, 2017-12-08 at 10:54 +0800, Jason Wang wrote:
> Private destructor could be called when register_netdev() fails with
> rtnl lock held. This will lead to deadlock in tun_free_netdev(), which
> tries to hold rtnl_lock. Fix this by switching to use a spinlock to
> synchronize.
> 
> Fixes: 96f84061620c ("tun: add eBPF based queue selection method")
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: Willem de Bruijn <willemb@google.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
> ---
>  drivers/net/tun.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 787cc35..f7ccd79 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2050,8 +2050,11 @@ static int __tun_set_steering_ebpf(struct
> tun_struct *tun,
>  		new->prog = prog;
>  	}
>  
> -	old = rtnl_dereference(tun->steering_prog);
> +	spin_lock(&tun->lock);
> +	old = rcu_dereference_protected(tun->steering_prog,
> +					lock_is_held(&tun->lock));
>  	rcu_assign_pointer(tun->steering_prog, new);
> +	spin_unlock(&tun->lock);
> 

Hi Jason, thank you for following up.

Have you tested this code path with lockdep enabled?

My gut feeling is that you need spin_lock_bh() here.

Thanks
Jason Wang - Dec. 8, 2017, 3:27 a.m.
On Dec. 8, 2017, 11:11, Eric Dumazet wrote:
> On Fri, 2017-12-08 at 10:54 +0800, Jason Wang wrote:
>> Private destructor could be called when register_netdev() fails with
>> rtnl lock held. This will lead to deadlock in tun_free_netdev(), which
>> tries to hold rtnl_lock. Fix this by switching to use a spinlock to
>> synchronize.
>>
>> Fixes: 96f84061620c ("tun: add eBPF based queue selection method")
>> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
>> Cc: Eric Dumazet <eric.dumazet@gmail.com>
>> Cc: Willem de Bruijn <willemb@google.com>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>> ---
>>   drivers/net/tun.c | 7 ++++---
>>   1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
>> index 787cc35..f7ccd79 100644
>> --- a/drivers/net/tun.c
>> +++ b/drivers/net/tun.c
>> @@ -2050,8 +2050,11 @@ static int __tun_set_steering_ebpf(struct
>> tun_struct *tun,
>>   		new->prog = prog;
>>   	}
>>   
>> -	old = rtnl_dereference(tun->steering_prog);
>> +	spin_lock(&tun->lock);
>> +	old = rcu_dereference_protected(tun->steering_prog,
>> +					lock_is_held(&tun->lock));
>>   	rcu_assign_pointer(tun->steering_prog, new);
>> +	spin_unlock(&tun->lock);
>>
> Hi Jason, thank you for following up.
>
> Have you tested this code path with lockdep enabled?

No, I tested without it.

>
> My gut feeling is that you need spin_lock_bh() here.
>
> Thanks
>

Yes, I missed the fact that the lock is used by e.g. flow caches too. Will
post V2.

Thanks

Patch

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 787cc35..f7ccd79 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2050,8 +2050,11 @@  static int __tun_set_steering_ebpf(struct tun_struct *tun,
 		new->prog = prog;
 	}
 
-	old = rtnl_dereference(tun->steering_prog);
+	spin_lock(&tun->lock);
+	old = rcu_dereference_protected(tun->steering_prog,
+					lock_is_held(&tun->lock));
 	rcu_assign_pointer(tun->steering_prog, new);
+	spin_unlock(&tun->lock);
 
 	if (old)
 		call_rcu(&old->rcu, tun_steering_prog_free);
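
Review bot: spin_lock(&tun->lock) around the steering_prog swap leaves bottom halves enabled, while the thread notes that the same lock is also used by the flow caches; if that user runs in softirq context, the plain spin_lock() added here can deadlock against it on the same CPU. Use spin_lock_bh()/spin_unlock_bh() for this critical section and exercise the path with lockdep enabled before posting v2. Separately, the rcu_dereference_protected() condition passes &tun->lock to lock_is_held(), which takes a lockdep map rather than a spinlock; lockdep_is_held(&tun->lock) is the form normally used for a spinlock.
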
@@ -2067,9 +2070,7 @@  static void tun_free_netdev(struct net_device *dev)
 	free_percpu(tun->pcpu_stats);
 	tun_flow_uninit(tun);
 	security_tun_dev_free_security(tun->security);
-	rtnl_lock();
 	__tun_set_steering_ebpf(tun, NULL);
-	rtnl_unlock();
 }
 
 static void tun_setup(struct net_device *dev)
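
Review bot: after the rtnl_lock()/rtnl_unlock() pair is dropped in tun_free_netdev(), nothing at the call site records why __tun_set_steering_ebpf(tun, NULL) must run without rtnl. Add a short comment saying that this destructor can be invoked with rtnl already held (the register_netdev() failure case in the commit message) and that tun->steering_prog is now serialized by tun->lock, so a later cleanup does not reintroduce rtnl_lock() here. It is also worth confirming that every other caller of __tun_set_steering_ebpf() is correct without relying on rtnl, since the rtnl_dereference() check that used to enforce it is removed in the first hunk.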