lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070906154612.GD8030@linux.vnet.ibm.com> Date: Thu, 6 Sep 2007 08:46:12 -0700 From: "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com> To: Johannes Berg <johannes@...solutions.net> Cc: Herbert Xu <herbert@...dor.apana.org.au>, satyam@...radead.org, flo@...822.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, linux-wireless@...r.kernel.org, michal.k.k.piotrowski@...il.com, ipw3945-devel@...ts.sourceforge.net, yi.zhu@...el.com, flamingice@...rmilk.net Subject: Re: BUG: scheduling while atomic: ifconfig/0x00000002/4170 On Thu, Sep 06, 2007 at 03:36:55PM +0200, Johannes Berg wrote: > On Thu, 2007-09-06 at 20:36 +0800, Herbert Xu wrote: > > > Yeah I think they're all under RTNL too. So you don't need to > > take the lock here at all since you should already have the RTNL. > > Ok, this patch gets rid of the lock. I'd appreciate if you could give it > a quick look for obvious RCU abuse as I haven't tested it. It also > doesn't apply against net-2.6.24 because I based it after the patches I > have queued with John for net-2.6.24. Looks good to me from an RCU viewpoint. I cannot claim familiarity with this code. I therefore especially like the indications of where RTNL is held and not!!! Some questions below based on a quick scan. And a global question: should the comments about RTNL being held be replaced by ASSERT_RTNL()? Thanx, Paul > johannes > > --- netdev-2.6.orig/net/mac80211/ieee80211.c 2007-09-06 15:35:23.324447686 +0200 > +++ netdev-2.6/net/mac80211/ieee80211.c 2007-09-06 15:35:23.394447686 +0200 > @@ -90,8 +90,9 @@ static struct dev_mc_list *ieee80211_get > > /* start of iteration, both unassigned */ > if (!mcd->cur && !mcd->sdata) { > - mcd->sdata = list_entry(local->sub_if_list.next, > - struct ieee80211_sub_if_data, list); > + mcd->sdata = list_entry( > + rcu_dereference(local->interfaces.next), > + struct ieee80211_sub_if_data, list); > mcd->cur = mcd->sdata->dev->mc_list; > } > > @@ -100,10 +101,11 @@ static struct dev_mc_list *ieee80211_get > > while (!mcd->cur) { > /* reached end of interface list? */ > - if (mcd->sdata->list.next == &local->sub_if_list) > + if (rcu_dereference(mcd->sdata->list.next) == > + &local->interfaces) > break; > /* otherwise try next interface */ > - mcd->sdata = list_entry(mcd->sdata->list.next, > + mcd->sdata = list_entry(rcu_dereference(mcd->sdata->list.next), > struct ieee80211_sub_if_data, list); > mcd->cur = mcd->sdata->dev->mc_list; > } > @@ -145,9 +147,10 @@ static void ieee80211_configure_filter(s > > /* > * We can iterate through the device list for the multicast > - * address list so need to lock it. > + * address list so need to be in a RCU read-side section, > + * the RTNL isn't held in this function. > */ > - read_lock(&local->sub_if_lock); > + rcu_read_lock(); > > /* be a bit nasty */ > new_flags |= (1<<31); > @@ -163,7 +166,7 @@ static void ieee80211_configure_filter(s > WARN_ON(mcd.cur); > > local->filter_flags = new_flags & ~(1<<31); > - read_unlock(&local->sub_if_lock); > + rcu_read_unlock(); > > netif_tx_unlock(local->mdev); > } > @@ -176,14 +179,13 @@ static int ieee80211_master_open(struct > struct ieee80211_sub_if_data *sdata; > int res = -EOPNOTSUPP; > > - read_lock(&local->sub_if_lock); > - list_for_each_entry(sdata, &local->sub_if_list, list) { > + /* we hold the RTNL here so can safely walk the list */ > + list_for_each_entry(sdata, &local->interfaces, list) { > if (sdata->dev != dev && netif_running(sdata->dev)) { > res = 0; > break; > } > } > - read_unlock(&local->sub_if_lock); > return res; > } > > @@ -192,11 +194,10 @@ static int ieee80211_master_stop(struct > struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); > struct ieee80211_sub_if_data *sdata; > > - read_lock(&local->sub_if_lock); > - list_for_each_entry(sdata, &local->sub_if_list, list) > + /* we hold the RTNL here so can safely walk the list */ > + list_for_each_entry(sdata, &local->interfaces, list) > if (sdata->dev != dev && netif_running(sdata->dev)) > dev_close(sdata->dev); > - read_unlock(&local->sub_if_lock); > > return 0; > } > @@ -430,8 +431,8 @@ static int ieee80211_open(struct net_dev > > sdata = IEEE80211_DEV_TO_SUB_IF(dev); > > - read_lock(&local->sub_if_lock); > - list_for_each_entry(nsdata, &local->sub_if_list, list) { > + /* we hold the RTNL here so can safely walk the list */ > + list_for_each_entry(nsdata, &local->interfaces, list) { > struct net_device *ndev = nsdata->dev; > > if (ndev != dev && ndev != local->mdev && netif_running(ndev) && > @@ -440,10 +441,8 @@ static int ieee80211_open(struct net_dev > * check whether it may have the same address > */ > if (!identical_mac_addr_allowed(sdata->type, > - nsdata->type)) { > - read_unlock(&local->sub_if_lock); > + nsdata->type)) > return -ENOTUNIQ; > - } > > /* > * can only add VLANs to enabled APs > @@ -454,7 +453,6 @@ static int ieee80211_open(struct net_dev > sdata->u.vlan.ap = nsdata; > } > } > - read_unlock(&local->sub_if_lock); > > switch (sdata->type) { > case IEEE80211_IF_TYPE_WDS: > @@ -575,14 +573,13 @@ static int ieee80211_stop(struct net_dev > sdata->u.sta.state = IEEE80211_DISABLED; > del_timer_sync(&sdata->u.sta.timer); > /* > - * Holding the sub_if_lock for writing here blocks > - * out the receive path and makes sure it's not > - * currently processing a packet that may get > - * added to the queue. > + * When we get here, the interface is marked down. > + * Call synchronize_rcu() to wait for the RX path > + * should it be using the interface and enqueuing > + * frames at this very time on another CPU. > */ > - write_lock_bh(&local->sub_if_lock); > + synchronize_rcu(); > skb_queue_purge(&sdata->u.sta.skb_queue); > - write_unlock_bh(&local->sub_if_lock); > > if (!local->ops->hw_scan && > local->scan_dev == sdata->dev) { > @@ -1134,9 +1131,9 @@ void ieee80211_tx_status(struct ieee8021 > > rthdr->data_retries = status->retry_count; > > - read_lock(&local->sub_if_lock); > + rcu_read_lock(); > monitors = local->monitors; > - list_for_each_entry(sdata, &local->sub_if_list, list) { > + list_for_each_entry_rcu(sdata, &local->interfaces, list) { > /* > * Using the monitors counter is possibly racy, but > * if the value is wrong we simply either clone the skb > @@ -1152,7 +1149,7 @@ void ieee80211_tx_status(struct ieee8021 > continue; > monitors--; > if (monitors) > - skb2 = skb_clone(skb, GFP_KERNEL); > + skb2 = skb_clone(skb, GFP_ATOMIC); > else > skb2 = NULL; > skb->dev = sdata->dev; > @@ -1167,7 +1164,7 @@ void ieee80211_tx_status(struct ieee8021 > } > } > out: > - read_unlock(&local->sub_if_lock); > + rcu_read_unlock(); > if (skb) > dev_kfree_skb(skb); > } > @@ -1255,8 +1252,7 @@ struct ieee80211_hw *ieee80211_alloc_hw( > > INIT_LIST_HEAD(&local->modes_list); > > - rwlock_init(&local->sub_if_lock); > - INIT_LIST_HEAD(&local->sub_if_list); > + INIT_LIST_HEAD(&local->interfaces); > > INIT_DELAYED_WORK(&local->scan_work, ieee80211_sta_scan_work); > ieee80211_rx_bss_list_init(mdev); > @@ -1275,7 +1271,8 @@ struct ieee80211_hw *ieee80211_alloc_hw( > sdata->u.ap.force_unicast_rateidx = -1; > sdata->u.ap.max_ratectrl_rateidx = -1; > ieee80211_if_sdata_init(sdata); > - list_add_tail(&sdata->list, &local->sub_if_list); > + /* no RCU needed since we're still during init phase */ > + list_add_tail(&sdata->list, &local->interfaces); > > tasklet_init(&local->tx_pending_tasklet, ieee80211_tx_pending, > (unsigned long)local); > @@ -1434,7 +1431,6 @@ void ieee80211_unregister_hw(struct ieee > { > struct ieee80211_local *local = hw_to_local(hw); > struct ieee80211_sub_if_data *sdata, *tmp; > - struct list_head tmp_list; > int i; > > tasklet_kill(&local->tx_pending_tasklet); > @@ -1448,11 +1444,12 @@ void ieee80211_unregister_hw(struct ieee > if (local->apdev) > ieee80211_if_del_mgmt(local); > > - write_lock_bh(&local->sub_if_lock); > - list_replace_init(&local->sub_if_list, &tmp_list); > - write_unlock_bh(&local->sub_if_lock); > - > - list_for_each_entry_safe(sdata, tmp, &tmp_list, list) > + /* > + * At this point, interface list manipulations are fine > + * because the driver cannot be handing us frames any > + * more and the tasklet is killed. > + */ > + list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) > __ieee80211_if_del(local, sdata); > > rtnl_unlock(); > --- netdev-2.6.orig/net/mac80211/ieee80211_i.h 2007-09-06 15:35:23.334447686 +0200 > +++ netdev-2.6/net/mac80211/ieee80211_i.h 2007-09-06 15:35:23.404447686 +0200 > @@ -481,9 +481,8 @@ struct ieee80211_local { > ieee80211_rx_handler *rx_handlers; > ieee80211_tx_handler *tx_handlers; > > - rwlock_t sub_if_lock; /* Protects sub_if_list. Cannot be taken under > - * sta_bss_lock or sta_lock. */ > - struct list_head sub_if_list; > + struct list_head interfaces; > + > int sta_scanning; > int scan_channel_idx; > enum { SCAN_SET_CHANNEL, SCAN_SEND_PROBE } scan_state; > --- netdev-2.6.orig/net/mac80211/ieee80211_iface.c 2007-09-06 15:35:23.334447686 +0200 > +++ netdev-2.6/net/mac80211/ieee80211_iface.c 2007-09-06 15:35:23.404447686 +0200 > @@ -79,16 +79,15 @@ int ieee80211_if_add(struct net_device * > ieee80211_debugfs_add_netdev(sdata); > ieee80211_if_set_type(ndev, type); > > - write_lock_bh(&local->sub_if_lock); > + /* we're under RTNL so all this is fine */ > if (unlikely(local->reg_state == IEEE80211_DEV_UNREGISTERED)) { > - write_unlock_bh(&local->sub_if_lock); > __ieee80211_if_del(local, sdata); > return -ENODEV; > } > - list_add(&sdata->list, &local->sub_if_list); > + list_add_tail_rcu(&sdata->list, &local->interfaces); The _rcu is required because this list isn't protected by RTNL? > + > if (new_dev) > *new_dev = ndev; > - write_unlock_bh(&local->sub_if_lock); > > return 0; > > @@ -226,22 +225,22 @@ void ieee80211_if_reinit(struct net_devi > /* Remove all virtual interfaces that use this BSS > * as their sdata->bss */ > struct ieee80211_sub_if_data *tsdata, *n; > - LIST_HEAD(tmp_list); > > - write_lock_bh(&local->sub_if_lock); This code is also protected by RTNL? > - list_for_each_entry_safe(tsdata, n, &local->sub_if_list, list) { > + list_for_each_entry_safe(tsdata, n, &local->interfaces, list) { > if (tsdata != sdata && tsdata->bss == &sdata->u.ap) { > printk(KERN_DEBUG "%s: removing virtual " > "interface %s because its BSS interface" > " is being removed\n", > sdata->dev->name, tsdata->dev->name); > - list_move_tail(&tsdata->list, &tmp_list); > + list_del_rcu(&tsdata->list); > + /* > + * We have lots of time and can afford > + * to sync for each interface > + */ > + synchronize_rcu(); > + __ieee80211_if_del(local, tsdata); > } > } > - write_unlock_bh(&local->sub_if_lock); > - > - list_for_each_entry_safe(tsdata, n, &tmp_list, list) > - __ieee80211_if_del(local, tsdata); > > kfree(sdata->u.ap.beacon_head); > kfree(sdata->u.ap.beacon_tail); > @@ -318,18 +317,16 @@ int ieee80211_if_remove(struct net_devic > > ASSERT_RTNL(); I -like- this!!! ;-) > - write_lock_bh(&local->sub_if_lock); > - list_for_each_entry_safe(sdata, n, &local->sub_if_list, list) { > + list_for_each_entry_safe(sdata, n, &local->interfaces, list) { > if ((sdata->type == id || id == -1) && > strcmp(name, sdata->dev->name) == 0 && > sdata->dev != local->mdev) { > - list_del(&sdata->list); > - write_unlock_bh(&local->sub_if_lock); > + list_del_rcu(&sdata->list); > + synchronize_rcu(); > __ieee80211_if_del(local, sdata); > return 0; > } > } > - write_unlock_bh(&local->sub_if_lock); > return -ENODEV; > } > > --- netdev-2.6.orig/net/mac80211/ieee80211_sta.c 2007-09-06 15:35:23.224447686 +0200 > +++ netdev-2.6/net/mac80211/ieee80211_sta.c 2007-09-06 15:35:23.414447686 +0200 > @@ -2659,8 +2659,8 @@ void ieee80211_scan_completed(struct iee > memset(&wrqu, 0, sizeof(wrqu)); > wireless_send_event(dev, SIOCGIWSCAN, &wrqu, NULL); > > - read_lock(&local->sub_if_lock); > - list_for_each_entry(sdata, &local->sub_if_list, list) { > + rcu_read_lock(); > + list_for_each_entry_rcu(sdata, &local->interfaces, list) { > > /* No need to wake the master device. */ > if (sdata->dev == local->mdev) > @@ -2674,7 +2674,7 @@ void ieee80211_scan_completed(struct iee > > netif_wake_queue(sdata->dev); > } > - read_unlock(&local->sub_if_lock); > + rcu_read_unlock(); > > sdata = IEEE80211_DEV_TO_SUB_IF(dev); > if (sdata->type == IEEE80211_IF_TYPE_IBSS) { > @@ -2811,8 +2811,8 @@ static int ieee80211_sta_start_scan(stru > > local->sta_scanning = 1; > > - read_lock(&local->sub_if_lock); > - list_for_each_entry(sdata, &local->sub_if_list, list) { > + rcu_read_lock(); > + list_for_each_entry_rcu(sdata, &local->interfaces, list) { > > /* Don't stop the master interface, otherwise we can't transmit > * probes! */ > @@ -2824,7 +2824,7 @@ static int ieee80211_sta_start_scan(stru > (sdata->u.sta.flags & IEEE80211_STA_ASSOCIATED)) > ieee80211_send_nullfunc(local, sdata, 1); > } > - read_unlock(&local->sub_if_lock); > + rcu_read_unlock(); > > if (ssid) { > local->scan_ssid_len = ssid_len; > --- netdev-2.6.orig/net/mac80211/rx.c 2007-09-06 15:35:23.214447686 +0200 > +++ netdev-2.6/net/mac80211/rx.c 2007-09-06 15:35:23.414447686 +0200 > @@ -1385,8 +1385,9 @@ void __ieee80211_rx(struct ieee80211_hw > } > > /* > - * key references are protected using RCU and this requires that > - * we are in a read-site RCU section during receive processing > + * key references and virtual interfaces are protected using RCU > + * and this requires that we are in a read-side RCU section during > + * receive processing > */ > rcu_read_lock(); > > @@ -1441,8 +1442,7 @@ void __ieee80211_rx(struct ieee80211_hw > > bssid = ieee80211_get_bssid(hdr, skb->len - radiotap_len); > > - read_lock(&local->sub_if_lock); > - list_for_each_entry(sdata, &local->sub_if_list, list) { > + list_for_each_entry_rcu(sdata, &local->interfaces, list) { > rx.flags |= IEEE80211_TXRXD_RXRA_MATCH; > > if (!netif_running(sdata->dev)) > @@ -1494,7 +1494,6 @@ void __ieee80211_rx(struct ieee80211_hw > &rx, sta); > } else > dev_kfree_skb(skb); > - read_unlock(&local->sub_if_lock); > > end: > rcu_read_unlock(); > --- netdev-2.6.orig/net/mac80211/tx.c 2007-09-06 15:35:23.074447686 +0200 > +++ netdev-2.6/net/mac80211/tx.c 2007-09-06 15:35:23.424447686 +0200 > @@ -291,8 +291,12 @@ static void purge_old_ps_buffers(struct > struct ieee80211_sub_if_data *sdata; > struct sta_info *sta; > > - read_lock(&local->sub_if_lock); > - list_for_each_entry(sdata, &local->sub_if_list, list) { > + /* > + * virtual interfaces are protected by RCU > + */ > + rcu_read_lock(); > + > + list_for_each_entry_rcu(sdata, &local->interfaces, list) { > struct ieee80211_if_ap *ap; > if (sdata->dev == local->mdev || > sdata->type != IEEE80211_IF_TYPE_AP) > @@ -305,7 +309,7 @@ static void purge_old_ps_buffers(struct > } > total += skb_queue_len(&ap->ps_bc_buf); > } > - read_unlock(&local->sub_if_lock); > + rcu_read_unlock(); > > read_lock_bh(&local->sta_lock); > list_for_each_entry(sta, &local->sta_list, list) { > > > - > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists