Skip to content

Commit

Permalink
netfilter: nf_tables: fix false-positive lockdep splat
Browse files Browse the repository at this point in the history
[ Upstream commit b9f052d ]

->abort invocation may cause splat on debug kernels:

WARNING: suspicious RCU usage
net/netfilter/nft_set_pipapo.c:1697 suspicious rcu_dereference_check() usage!
[..]
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by nft/133554: [..] (nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
[..]
 lockdep_rcu_suspicious+0x1ad/0x260
 nft_pipapo_abort+0x145/0x180
 __nf_tables_abort+0x5359/0x63d0
 nf_tables_abort+0x24/0x40
 nfnetlink_rcv+0x1a0a/0x22c0
 netlink_unicast+0x73c/0x900
 netlink_sendmsg+0x7f0/0xc20
 ____sys_sendmsg+0x48d/0x760

Transaction mutex is held, so parallel updates are not possible.
Switch to _protected and check mutex is held for lockdep enabled builds.

Fixes: 212ed75 ("netfilter: nf_tables: integrate pipapo into commit protocol")
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
  • Loading branch information
Florian Westphal authored and gregkh committed Aug 23, 2023
1 parent d410a96 commit a8f3034
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion net/netfilter/nft_set_pipapo.c
Original file line number Diff line number Diff line change
Expand Up @@ -1698,6 +1698,17 @@ static void nft_pipapo_commit(const struct nft_set *set)
priv->clone = new_clone;
}

static bool nft_pipapo_transaction_mutex_held(const struct nft_set *set)
{
#ifdef CONFIG_PROVE_LOCKING
const struct net *net = read_pnet(&set->net);

return lockdep_is_held(&nft_pernet(net)->commit_mutex);
#else
return true;
#endif
}

static void nft_pipapo_abort(const struct nft_set *set)
{
struct nft_pipapo *priv = nft_set_priv(set);
Expand All @@ -1706,7 +1717,7 @@ static void nft_pipapo_abort(const struct nft_set *set)
if (!priv->dirty)
return;

m = rcu_dereference(priv->match);
m = rcu_dereference_protected(priv->match, nft_pipapo_transaction_mutex_held(set));

new_clone = pipapo_clone(m);
if (IS_ERR(new_clone))
Expand Down

0 comments on commit a8f3034

Please sign in to comment.