
genetlink: hold RCU in genlmsg_mcast()

While running net selftests with CONFIG_PROVE_RCU_LIST=y I saw
one lockdep splat [1].

genlmsg_mcast() uses for_each_net_rcu(), and must therefore hold RCU.

Instead of letting all callers guard genlmsg_multicast_allns()
with a rcu_read_lock()/rcu_read_unlock() pair, do it in genlmsg_mcast().

This also means the @flags parameter is useless, we need to always use
GFP_ATOMIC.

[1]
[10882.424136] =============================
[10882.424166] WARNING: suspicious RCU usage
[10882.424309] 6.12.0-rc2-virtme #1156 Not tainted
[10882.424400] -----------------------------
[10882.424423] net/netlink/genetlink.c:1940 RCU-list traversed in non-reader section!!
[10882.424469]
other info that might help us debug this:

[10882.424500]
rcu_scheduler_active = 2, debug_locks = 1
[10882.424744] 2 locks held by ip/15677:
[10882.424791] #0: ffffffffb6b491b0 (cb_lock){++++}-{3:3}, at: genl_rcv (net/netlink/genetlink.c:1219)
[10882.426334] #1: ffffffffb6b49248 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg (net/netlink/genetlink.c:61 net/netlink/genetlink.c:57 net/netlink/genetlink.c:1209)
[10882.426465]
stack backtrace:
[10882.426805] CPU: 14 UID: 0 PID: 15677 Comm: ip Not tainted 6.12.0-rc2-virtme #1156
[10882.426919] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[10882.427046] Call Trace:
[10882.427131] <TASK>
[10882.427244] dump_stack_lvl (lib/dump_stack.c:123)
[10882.427335] lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
[10882.427387] genlmsg_multicast_allns (net/netlink/genetlink.c:1940 (discriminator 7) net/netlink/genetlink.c:1977 (discriminator 7))
[10882.427436] l2tp_tunnel_notify.constprop.0 (net/l2tp/l2tp_netlink.c:119) l2tp_netlink
[10882.427683] l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:253) l2tp_netlink
[10882.427748] genl_family_rcv_msg_doit (net/netlink/genetlink.c:1115)
[10882.427834] genl_rcv_msg (net/netlink/genetlink.c:1195 net/netlink/genetlink.c:1210)
[10882.427877] ? __pfx_l2tp_nl_cmd_tunnel_create (net/l2tp/l2tp_netlink.c:186) l2tp_netlink
[10882.427927] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1201)
[10882.427959] netlink_rcv_skb (net/netlink/af_netlink.c:2551)
[10882.428069] genl_rcv (net/netlink/genetlink.c:1220)
[10882.428095] netlink_unicast (net/netlink/af_netlink.c:1332 net/netlink/af_netlink.c:1357)
[10882.428140] netlink_sendmsg (net/netlink/af_netlink.c:1901)
[10882.428210] ____sys_sendmsg (net/socket.c:729 (discriminator 1) net/socket.c:744 (discriminator 1) net/socket.c:2607 (discriminator 1))

Fixes: 33f72e6f0c67 ("l2tp : multicast notification to the registered listeners")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Cc: Tom Parkin <tparkin@katalix.com>
Cc: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20241011171217.3166614-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Eric Dumazet and committed by
Jakub Kicinski
56440d7e 1833d8a2

+20 -25
+1 -1
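--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -2130,7 +2130,7 @@
 }
 
 ret = genlmsg_multicast_allns(&tcmu_genl_family, skb, 0,
-TCMU_MCGRP_CONFIG, GFP_KERNEL);
+TCMU_MCGRP_CONFIG);
 
 /* Wait during an add as the listener may not be up yet */
 if (ret == 0 ||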
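Review bot: The multicast at this call site can now fail with -ENOMEM more readily than before, because the removed line passed GFP_KERNEL while genlmsg_mcast() in net/netlink/genetlink.c now clones with a fixed GFP_ATOMIC. The `ret` check that begins at `if (ret == 0 ||` continues outside the hunk, so it is not visible here whether an allocation failure is reported distinctly from a missing listener; that is worth confirming. A short comment above the call would record the new behaviour, for example `/* allns multicast clones with GFP_ATOMIC internally; may return -ENOMEM under memory pressure */`.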
+1 -2
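--- a/include/net/genetlink.h
+++ b/include/net/genetlink.h
@@ -531,13 +531,12 @@
 * @skb: netlink message as socket buffer
 * @portid: own netlink portid to avoid sending to yourself
 * @group: offset of multicast group in groups array
-* @flags: allocation flags
 *
 * This function must hold the RTNL or rcu_read_lock().
 */
 int genlmsg_multicast_allns(const struct genl_family *family,
 struct sk_buff *skb, u32 portid,
-unsigned int group, gfp_t flags);
+unsigned int group);
 
 /**
 * genlmsg_unicast - unicast a netlink message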
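Review bot: The kerneldoc sentence `This function must hold the RTNL or rcu_read_lock().` is kept as unchanged context, but it is stale once genlmsg_mcast() takes rcu_read_lock() itself in net/netlink/genetlink.c. A caller who follows the comment will keep wrapping the call in its own RCU section, which is the pattern this commit removes from nl80211 and genl_ctrl_event. I would replace the sentence with something like ` * Takes rcu_read_lock() internally; message clones are allocated with GFP_ATOMIC.` so that both the locking contract and the reason @flags disappeared are documented at the declaration.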
+2 -2
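--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -116,7 +116,7 @@
 NLM_F_ACK, tunnel, cmd);
 
 if (ret >= 0) {
-ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
+ret = genlmsg_multicast_allns(family, msg, 0, 0);
 /* We don't care if no one is listening */
 if (ret == -ESRCH)
 ret = 0;
@@ -144,7 +144,7 @@
 NLM_F_ACK, session, cmd);
 
 if (ret >= 0) {
-ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
+ret = genlmsg_multicast_allns(family, msg, 0, 0);
 /* We don't care if no one is listening */
 if (ret == -ESRCH)
 ret = 0;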
+14 -14
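--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1501,15 +1501,11 @@
 if (IS_ERR(msg))
 return PTR_ERR(msg);
 
-if (!family->netnsok) {
+if (!family->netnsok)
 genlmsg_multicast_netns(&genl_ctrl, &init_net, msg, 0,
 0, GFP_KERNEL);
-} else {
-rcu_read_lock();
-genlmsg_multicast_allns(&genl_ctrl, msg, 0,
-0, GFP_ATOMIC);
-rcu_read_unlock();
-}
+else
+genlmsg_multicast_allns(&genl_ctrl, msg, 0, 0);
 
 return 0;
 }
@@ -1929,23 +1925,23 @@
 
 core_initcall(genl_init);
 
-static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
-gfp_t flags)
+static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group)
 {
 struct sk_buff *tmp;
 struct net *net, *prev = NULL;
 bool delivered = false;
 int err;
 
+rcu_read_lock();
 for_each_net_rcu(net) {
 if (prev) {
-tmp = skb_clone(skb, flags);
+tmp = skb_clone(skb, GFP_ATOMIC);
 if (!tmp) {
 err = -ENOMEM;
 goto error;
 }
 err = nlmsg_multicast(prev->genl_sock, tmp,
-portid, group, flags);
+portid, group, GFP_ATOMIC);
 if (!err)
 delivered = true;
 else if (err != -ESRCH)
@@ -1954,27 +1950,31 @@
 
 prev = net;
 }
+err = nlmsg_multicast(prev->genl_sock, skb, portid, group, GFP_ATOMIC);
 
-err = nlmsg_multicast(prev->genl_sock, skb, portid, group, flags);
+rcu_read_unlock();
+
 if (!err)
 delivered = true;
 else if (err != -ESRCH)
 return err;
 return delivered ? 0 : -ESRCH;
 error:
+rcu_read_unlock();
+
 kfree_skb(skb);
 return err;
 }
 
 int genlmsg_multicast_allns(const struct genl_family *family,
 struct sk_buff *skb, u32 portid,
-unsigned int group, gfp_t flags)
+unsigned int group)
 {
 if (WARN_ON_ONCE(group >= family->n_mcgrps))
 return -EINVAL;
 
 group = family->mcgrp_offset + group;
-return genlmsg_mcast(skb, portid, group, flags);
+return genlmsg_mcast(skb, portid, group);
 }
 EXPORT_SYMBOL(genlmsg_multicast_allns);
 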
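Review bot: genlmsg_mcast() now hard-codes GFP_ATOMIC in three places with no comment tying it to the RCU read-side section opened by the new `rcu_read_lock();`, so a later edit could reintroduce a sleeping allocation inside the loop with nothing in the code to say it is forbidden. I would add above the lock `/* for_each_net_rcu() needs RCU; nothing until rcu_read_unlock() may sleep, hence GFP_ATOMIC */`. The unlock is also written twice, once on the normal path and once under `error:`, which means any early exit added inside the loop must go through `error:` to stay balanced; a one-line note at the label saying so would help.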
+2 -6
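--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -17986,10 +17986,8 @@
 
 genlmsg_end(msg, hdr);
 
-rcu_read_lock();
 genlmsg_multicast_allns(&nl80211_fam, msg, 0,
-NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
-rcu_read_unlock();
+NL80211_MCGRP_REGULATORY);
 
 return;
 
@@ -18722,10 +18720,8 @@
 
 genlmsg_end(msg, hdr);
 
-rcu_read_lock();
 genlmsg_multicast_allns(&nl80211_fam, msg, 0,
-NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
-rcu_read_unlock();
+NL80211_MCGRP_REGULATORY);
 
 return;
 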