From c1bc9644ecd1f663f918d42b33b41a508683b0ee Mon Sep 17 00:00:00 2001 From: Veaceslav Falico Date: Fri, 10 Jan 2014 11:59:43 +0100 Subject: bonding: fix bond_3ad_set_carrier() RCU usage Currently, its usage is just plainly wrong. It first gets a slave under RCU, and, after releasing the RCU lock, continues to use it - whilst it can be freed. Fix this by ensuring that bond_3ad_set_carrier() holds RCU till it uses its slave (or its agg). Fixes: be79bd048ab ("bonding: add RCU for bond_3ad_state_machine_handler()") CC: dingtianhong@huawei.com CC: Jay Vosburgh CC: Andy Gospodarek Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c index 29db1ca..da0d7c5 100644 --- a/drivers/net/bonding/bond_3ad.c +++ b/drivers/net/bonding/bond_3ad.c @@ -2327,32 +2327,32 @@ int bond_3ad_set_carrier(struct bonding *bond) { struct aggregator *active; struct slave *first_slave; + int ret = 1; rcu_read_lock(); first_slave = bond_first_slave_rcu(bond); - rcu_read_unlock(); - if (!first_slave) - return 0; + if (!first_slave) { + ret = 0; + goto out; + } active = __get_active_agg(&(SLAVE_AD_INFO(first_slave).aggregator)); if (active) { /* are enough slaves available to consider link up? */ if (active->num_of_ports < bond->params.min_links) { if (netif_carrier_ok(bond->dev)) { netif_carrier_off(bond->dev); - return 1; + goto out; } } else if (!netif_carrier_ok(bond->dev)) { netif_carrier_on(bond->dev); - return 1; + goto out; } - return 0; - } - - if (netif_carrier_ok(bond->dev)) { + } else if (netif_carrier_ok(bond->dev)) { netif_carrier_off(bond->dev); - return 1; } - return 0; +out: + rcu_read_unlock(); + return ret; } /** -- cgit v0.10.2 From 768b954922e69a92a363bd4041cb93040ae4e9cf Mon Sep 17 00:00:00 2001 From: Veaceslav Falico Date: Fri, 10 Jan 2014 11:59:44 +0100 Subject: bonding: fix __get_first_agg RCU usage Currently, the RCU read lock usage is just wrong - it gets the slave struct under RCU and continues to use it when RCU lock is released. However, it's still safe to do this cause we didn't need the rcu_read_lock() initially - all of the __get_first_agg() callers are either holding RCU read lock or the RTNL lock, so that we can't sync while in it. Fixes: be79bd048 ("bonding: add RCU for bond_3ad_state_machine_handler()") CC: dingtianhong@huawei.com CC: Jay Vosburgh CC: Andy Gospodarek Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c index da0d7c5..b49f421 100644 --- a/drivers/net/bonding/bond_3ad.c +++ b/drivers/net/bonding/bond_3ad.c @@ -143,11 +143,13 @@ static inline struct bonding *__get_bond_by_port(struct port *port) * * Return the aggregator of the first slave in @bond, or %NULL if it can't be * found. + * The caller must hold RCU or RTNL lock. */ static inline struct aggregator *__get_first_agg(struct port *port) { struct bonding *bond = __get_bond_by_port(port); struct slave *first_slave; + struct aggregator *agg; /* If there's no bond for this port, or bond has no slaves */ if (bond == NULL) @@ -155,9 +157,10 @@ static inline struct aggregator *__get_first_agg(struct port *port) rcu_read_lock(); first_slave = bond_first_slave_rcu(bond); + agg = first_slave ? &(SLAVE_AD_INFO(first_slave).aggregator) : NULL; rcu_read_unlock(); - return first_slave ? &(SLAVE_AD_INFO(first_slave).aggregator) : NULL; + return agg; } /** -- cgit v0.10.2 From 49b7624eda6867d2803bcc5bbf6f25936184304a Mon Sep 17 00:00:00 2001 From: Veaceslav Falico Date: Fri, 10 Jan 2014 11:59:45 +0100 Subject: bonding: fix __get_active_agg() RCU logic Currently, the implementation is meaningless - once again, we take the slave structure and use it after we've exited RCU critical section. Fix this by removing the rcu_read_lock() from __get_active_agg(), and ensuring that all its callers are holding RCU. Fixes: be79bd048 ("bonding: add RCU for bond_3ad_state_machine_handler()") CC: dingtianhong@huawei.com CC: Jay Vosburgh CC: Andy Gospodarek Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c index b49f421..cce1f1b 100644 --- a/drivers/net/bonding/bond_3ad.c +++ b/drivers/net/bonding/bond_3ad.c @@ -678,6 +678,8 @@ static u32 __get_agg_bandwidth(struct aggregator *aggregator) /** * __get_active_agg - get the current active aggregator * @aggregator: the aggregator we're looking at + * + * Caller must hold RCU lock. */ static struct aggregator *__get_active_agg(struct aggregator *aggregator) { @@ -685,13 +687,9 @@ static struct aggregator *__get_active_agg(struct aggregator *aggregator) struct list_head *iter; struct slave *slave; - rcu_read_lock(); bond_for_each_slave_rcu(bond, slave, iter) - if (SLAVE_AD_INFO(slave).aggregator.is_active) { - rcu_read_unlock(); + if (SLAVE_AD_INFO(slave).aggregator.is_active) return &(SLAVE_AD_INFO(slave).aggregator); - } - rcu_read_unlock(); return NULL; } @@ -1499,11 +1497,11 @@ static void ad_agg_selection_logic(struct aggregator *agg) struct slave *slave; struct port *port; + rcu_read_lock(); origin = agg; active = __get_active_agg(agg); best = (active && agg_device_up(active)) ? active : NULL; - rcu_read_lock(); bond_for_each_slave_rcu(bond, slave, iter) { agg = &(SLAVE_AD_INFO(slave).aggregator); -- cgit v0.10.2