bonding: 3ad: Fix the conflict between bond_update_slave_arr and the state machine

mainline-inclusion from mainline-v5.16-rc7 commit 83d686a6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4RADY CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83d686a6822322c4981b745dc1d7185f1f40811b ------------------------------------------------- The bond works in mode 4, and performs down/up operations on the bond that is normally negotiated. The probability of bond-> slave_arr is NULL Test commands: ifconfig bond1 down ifconfig bond1 up The conflict occurs in the following process： __dev_open (CPU A) --bond_open --queue_delayed_work(bond->wq,&bond->ad_work,0); --bond_update_slave_arr --bond_3ad_get_active_agg_info ad_work(CPU B) --bond_3ad_state_machine_handler --ad_agg_selection_logic ad_work runs on cpu B. In the function ad_agg_selection_logic, all agg->is_active will be cleared. Before the new active aggregator is selected on CPU B, bond_3ad_get_active_agg_info failed on CPU A, bond->slave_arr will be set to NULL. The best aggregator in ad_agg_selection_logic has not changed, no need to update slave arr. The conflict occurred in that ad_agg_selection_logic clears agg->is_active under mode_lock, but bond_open -> bond_update_slave_arr is inspecting agg->is_active outside the lock. Also, bond_update_slave_arr is normal for potential sleep when allocating memory, so replace the WARN_ON with a call to might_sleep. Signed-off-by: N jinyiting <jinyiting@huawei.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Aichun Li <liaichun@huawei.com> Signed-off-by: N Aichun Li <liaichun@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N wuchangye <wuchangye@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

bonding: 3ad: Fix the conflict between bond_update_slave_arr and the state machine
mainline-inclusion from mainline-v5.16-rc7 commit 83d686a6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4RADY CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83d686a6822322c4981b745dc1d7185f1f40811b ------------------------------------------------- The bond works in mode 4, and performs down/up operations on the bond that is normally negotiated. The probability of bond-> slave_arr is NULL Test commands: ifconfig bond1 down ifconfig bond1 up The conflict occurs in the following process： __dev_open (CPU A) --bond_open --queue_delayed_work(bond->wq,&bond->ad_work,0); --bond_update_slave_arr --bond_3ad_get_active_agg_info ad_work(CPU B) --bond_3ad_state_machine_handler --ad_agg_selection_logic ad_work runs on cpu B. In the function ad_agg_selection_logic, all agg->is_active will be cleared. Before the new active aggregator is selected on CPU B, bond_3ad_get_active_agg_info failed on CPU A, bond->slave_arr will be set to NULL. The best aggregator in ad_agg_selection_logic has not changed, no need to update slave arr. The conflict occurred in that ad_agg_selection_logic clears agg->is_active under mode_lock, but bond_open -> bond_update_slave_arr is inspecting agg->is_active outside the lock. Also, bond_update_slave_arr is normal for potential sleep when allocating memory, so replace the WARN_ON with a call to might_sleep. Signed-off-by: N jinyiting <jinyiting@huawei.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Aichun Li <liaichun@huawei.com> Signed-off-by: N Aichun Li <liaichun@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N wuchangye <wuchangye@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
79f85f0b · jinyiting · Zheng Zengkai · 881f7b94 · 79f85f0b
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

drivers/net/bonding/bond_main.c drivers/net/bonding/bond_main.c +4 -3

未找到文件。
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4458,9 +4458,7 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
 	int agg_id = 0;
 	int ret = 0;

-#ifdef CONFIG_LOCKDEP
-	WARN_ON(lockdep_is_held(&bond->mode_lock));
-#endif
+	might_sleep();

 	usable_slaves = kzalloc(struct_size(usable_slaves, arr,
 					    bond->slave_cnt), GFP_KERNEL);
@@ -4473,7 +4471,9 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
 	if (BOND_MODE(bond) == BOND_MODE_8023AD) {
 		struct ad_info ad_info;

+		spin_lock_bh(&bond->mode_lock);
 		if (bond_3ad_get_active_agg_info(bond, &ad_info)) {
+			spin_unlock_bh(&bond->mode_lock);
 			pr_debug("bond_3ad_get_active_agg_info failed\n");
 			/* No active aggragator means it's not safe to use
 			 * the previous array.
@@ -4481,6 +4481,7 @@ int bond_update_slave_arr(struct bonding *bond, struct slave *skipslave)
 			bond_reset_slave_arr(bond);
 			goto out;
 		}
+		spin_unlock_bh(&bond->mode_lock);
 		agg_id = ad_info.aggregator_id;
 	}
 	bond_for_each_slave(bond, slave, iter) {