mirror of
https://github.com/torvalds/linux.git
synced 2026-05-12 16:18:45 +02:00
c4f050ce06
syzbot found a data-race in bond_3ad_get_active_agg_info /
bond_3ad_state_machine_handler [1] which hints at lack of proper
RCU implementation.
Add __rcu qualifier to port->aggregator, and add proper RCU API.
[1]
BUG: KCSAN: data-race in bond_3ad_get_active_agg_info / bond_3ad_state_machine_handler
write to 0xffff88813cf5c4b0 of 8 bytes by task 36 on cpu 0:
ad_port_selection_logic drivers/net/bonding/bond_3ad.c:1659 [inline]
bond_3ad_state_machine_handler+0x9d5/0x2d60 drivers/net/bonding/bond_3ad.c:2569
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3385
worker_thread+0x58a/0x780 kernel/workqueue.c:3466
kthread+0x22a/0x280 kernel/kthread.c:436
ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
read to 0xffff88813cf5c4b0 of 8 bytes by task 22063 on cpu 1:
__bond_3ad_get_active_agg_info drivers/net/bonding/bond_3ad.c:2858 [inline]
bond_3ad_get_active_agg_info+0x8c/0x230 drivers/net/bonding/bond_3ad.c:2881
bond_fill_info+0xe0f/0x10f0 drivers/net/bonding/bond_netlink.c:853
rtnl_link_info_fill net/core/rtnetlink.c:906 [inline]
rtnl_link_fill+0x1d7/0x4e0 net/core/rtnetlink.c:927
rtnl_fill_ifinfo+0xf8e/0x1380 net/core/rtnetlink.c:2168
rtmsg_ifinfo_build_skb+0x11c/0x1b0 net/core/rtnetlink.c:4453
rtmsg_ifinfo_event net/core/rtnetlink.c:4486 [inline]
rtmsg_ifinfo+0x6d/0x110 net/core/rtnetlink.c:4495
__dev_notify_flags+0x76/0x390 net/core/dev.c:9790
netif_change_flags+0xac/0xd0 net/core/dev.c:9823
do_setlink+0x905/0x2950 net/core/rtnetlink.c:3180
rtnl_group_changelink net/core/rtnetlink.c:3813 [inline]
__rtnl_newlink net/core/rtnetlink.c:3981 [inline]
rtnl_newlink+0xf55/0x1400 net/core/rtnetlink.c:4109
rtnetlink_rcv_msg+0x64b/0x720 net/core/rtnetlink.c:6995
netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:7022
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x5a8/0x680 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x5c8/0x6f0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:787 [inline]
__sock_sendmsg net/socket.c:802 [inline]
____sys_sendmsg+0x563/0x5b0 net/socket.c:2698
___sys_sendmsg+0x195/0x1e0 net/socket.c:2752
__sys_sendmsg net/socket.c:2784 [inline]
__do_sys_sendmsg net/socket.c:2789 [inline]
__se_sys_sendmsg net/socket.c:2787 [inline]
__x64_sys_sendmsg+0xd4/0x160 net/socket.c:2787
x64_sys_call+0x194c/0x3020 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x12c/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
value changed: 0x0000000000000000 -> 0xffff88813cf5c400
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 22063 Comm: syz.0.31122 Tainted: G W syzkaller #0 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Fixes: 47e91f5600 ("bonding: use RCU protection for 3ad xmit path")
Reported-by: syzbot+9bb2ff2a4ab9e17307e1@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69f0a82f.050a0220.3aadc4.0000.GAE@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jay Vosburgh <jv@jvosburgh.net>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Link: https://patch.msgid.link/20260428123207.3809211-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
146 lines
3.6 KiB
C
146 lines
3.6 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* Sysfs attributes of bond slaves
|
|
*
|
|
* Copyright (c) 2014 Scott Feldman <sfeldma@cumulusnetworks.com>
|
|
*/
|
|
|
|
#include <linux/capability.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <net/bonding.h>
|
|
|
|
struct slave_attribute {
|
|
struct attribute attr;
|
|
ssize_t (*show)(struct slave *, char *);
|
|
};
|
|
|
|
#define SLAVE_ATTR_RO(_name) \
|
|
const struct slave_attribute slave_attr_##_name = __ATTR_RO(_name)
|
|
|
|
static ssize_t state_show(struct slave *slave, char *buf)
|
|
{
|
|
switch (bond_slave_state(slave)) {
|
|
case BOND_STATE_ACTIVE:
|
|
return sysfs_emit(buf, "active\n");
|
|
case BOND_STATE_BACKUP:
|
|
return sysfs_emit(buf, "backup\n");
|
|
default:
|
|
return sysfs_emit(buf, "UNKNOWN\n");
|
|
}
|
|
}
|
|
static SLAVE_ATTR_RO(state);
|
|
|
|
static ssize_t mii_status_show(struct slave *slave, char *buf)
|
|
{
|
|
return sysfs_emit(buf, "%s\n", bond_slave_link_status(slave->link));
|
|
}
|
|
static SLAVE_ATTR_RO(mii_status);
|
|
|
|
static ssize_t link_failure_count_show(struct slave *slave, char *buf)
|
|
{
|
|
return sysfs_emit(buf, "%d\n", slave->link_failure_count);
|
|
}
|
|
static SLAVE_ATTR_RO(link_failure_count);
|
|
|
|
static ssize_t perm_hwaddr_show(struct slave *slave, char *buf)
|
|
{
|
|
return sysfs_emit(buf, "%*phC\n",
|
|
slave->dev->addr_len,
|
|
slave->perm_hwaddr);
|
|
}
|
|
static SLAVE_ATTR_RO(perm_hwaddr);
|
|
|
|
static ssize_t queue_id_show(struct slave *slave, char *buf)
|
|
{
|
|
return sysfs_emit(buf, "%d\n", READ_ONCE(slave->queue_id));
|
|
}
|
|
static SLAVE_ATTR_RO(queue_id);
|
|
|
|
static ssize_t ad_aggregator_id_show(struct slave *slave, char *buf)
|
|
{
|
|
const struct aggregator *agg;
|
|
|
|
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
|
|
rcu_read_lock();
|
|
agg = rcu_dereference(SLAVE_AD_INFO(slave)->port.aggregator);
|
|
if (agg) {
|
|
ssize_t res = sysfs_emit(buf, "%d\n",
|
|
agg->aggregator_identifier);
|
|
rcu_read_unlock();
|
|
return res;
|
|
}
|
|
rcu_read_unlock();
|
|
}
|
|
|
|
return sysfs_emit(buf, "N/A\n");
|
|
}
|
|
static SLAVE_ATTR_RO(ad_aggregator_id);
|
|
|
|
static ssize_t ad_actor_oper_port_state_show(struct slave *slave, char *buf)
|
|
{
|
|
const struct port *ad_port;
|
|
|
|
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
|
|
ad_port = &SLAVE_AD_INFO(slave)->port;
|
|
if (rcu_access_pointer(ad_port->aggregator))
|
|
return sysfs_emit(buf, "%u\n",
|
|
ad_port->actor_oper_port_state);
|
|
}
|
|
|
|
return sysfs_emit(buf, "N/A\n");
|
|
}
|
|
static SLAVE_ATTR_RO(ad_actor_oper_port_state);
|
|
|
|
static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf)
|
|
{
|
|
const struct port *ad_port;
|
|
|
|
if (BOND_MODE(slave->bond) == BOND_MODE_8023AD) {
|
|
ad_port = &SLAVE_AD_INFO(slave)->port;
|
|
if (rcu_access_pointer(ad_port->aggregator))
|
|
return sysfs_emit(buf, "%u\n",
|
|
ad_port->partner_oper.port_state);
|
|
}
|
|
|
|
return sysfs_emit(buf, "N/A\n");
|
|
}
|
|
static SLAVE_ATTR_RO(ad_partner_oper_port_state);
|
|
|
|
static const struct attribute *slave_attrs[] = {
|
|
&slave_attr_state.attr,
|
|
&slave_attr_mii_status.attr,
|
|
&slave_attr_link_failure_count.attr,
|
|
&slave_attr_perm_hwaddr.attr,
|
|
&slave_attr_queue_id.attr,
|
|
&slave_attr_ad_aggregator_id.attr,
|
|
&slave_attr_ad_actor_oper_port_state.attr,
|
|
&slave_attr_ad_partner_oper_port_state.attr,
|
|
NULL
|
|
};
|
|
|
|
#define to_slave_attr(_at) container_of(_at, struct slave_attribute, attr)
|
|
|
|
static ssize_t slave_show(struct kobject *kobj,
|
|
struct attribute *attr, char *buf)
|
|
{
|
|
struct slave_attribute *slave_attr = to_slave_attr(attr);
|
|
struct slave *slave = to_slave(kobj);
|
|
|
|
return slave_attr->show(slave, buf);
|
|
}
|
|
|
|
const struct sysfs_ops slave_sysfs_ops = {
|
|
.show = slave_show,
|
|
};
|
|
|
|
int bond_sysfs_slave_add(struct slave *slave)
|
|
{
|
|
return sysfs_create_files(&slave->kobj, slave_attrs);
|
|
}
|
|
|
|
void bond_sysfs_slave_del(struct slave *slave)
|
|
{
|
|
sysfs_remove_files(&slave->kobj, slave_attrs);
|
|
}
|