Commit 04efcee6 authored by Stanislav Fomichev's avatar Stanislav Fomichev Committed by Jakub Kicinski
Browse files

net: hold instance lock during NETDEV_CHANGE 

Cosmin reports an issue with ipv6_add_dev being called from
NETDEV_CHANGE notifier:

[ 3455.008776]  ? ipv6_add_dev+0x370/0x620
[ 3455.010097]  ipv6_find_idev+0x96/0xe0
[ 3455.010725]  addrconf_add_dev+0x1e/0xa0
[ 3455.011382]  addrconf_init_auto_addrs+0xb0/0x720
[ 3455.013537]  addrconf_notify+0x35f/0x8d0
[ 3455.014214]  notifier_call_chain+0x38/0xf0
[ 3455.014903]  netdev_state_change+0x65/0x90
[ 3455.015586]  linkwatch_do_dev+0x5a/0x70
[ 3455.016238]  rtnl_getlink+0x241/0x3e0
[ 3455.019046]  rtnetlink_rcv_msg+0x177/0x5e0

Similarly, linkwatch might get to ipv6_add_dev without ops lock:
[ 3456.656261]  ? ipv6_add_dev+0x370/0x620
[ 3456.660039]  ipv6_find_idev+0x96/0xe0
[ 3456.660445]  addrconf_add_dev+0x1e/0xa0
[ 3456.660861]  addrconf_init_auto_addrs+0xb0/0x720
[ 3456.661803]  addrconf_notify+0x35f/0x8d0
[ 3456.662236]  notifier_call_chain+0x38/0xf0
[ 3456.662676]  netdev_state_change+0x65/0x90
[ 3456.663112]  linkwatch_do_dev+0x5a/0x70
[ 3456.663529]  __linkwatch_run_queue+0xeb/0x200
[ 3456.663990]  linkwatch_event+0x21/0x30
[ 3456.664399]  process_one_work+0x211/0x610
[ 3456.664828]  worker_thread+0x1cc/0x380
[ 3456.665691]  kthread+0xf4/0x210

Reclassify NETDEV_CHANGE as a notifier that consistently runs under the
instance lock.

Link: https://lore.kernel.org/netdev/aac073de8beec3e531c86c101b274d434741c28e.camel@nvidia.com/


Reported-by: default avatarCosmin Ratiu <cratiu@nvidia.com>
Tested-by: default avatarCosmin Ratiu <cratiu@nvidia.com>
Fixes: ad7c7b21 ("net: hold netdev instance lock during sysfs operations")
Signed-off-by: default avatarStanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20250404161122.3907628-1-sdf@fomichev.me


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 54f5fafc

Documentation/networking/netdevices.rst

+6 −4
Original line number Diff line number Diff line
@@ -338,10 +338,11 @@ operations directly under the netdev instance lock. 
Devices drivers are encouraged to rely on the instance lock where possible.



For the (mostly software) drivers that need to interact with the core stack,

there are two sets of interfaces: ``dev_xxx`` and ``netif_xxx`` (e.g.,

``dev_set_mtu`` and ``netif_set_mtu``). The ``dev_xxx`` functions handle

acquiring the instance lock themselves, while the ``netif_xxx`` functions

assume that the driver has already acquired the instance lock.

there are two sets of interfaces: ``dev_xxx``/``netdev_xxx`` and ``netif_xxx``

(e.g., ``dev_set_mtu`` and ``netif_set_mtu``). The ``dev_xxx``/``netdev_xxx``

functions handle acquiring the instance lock themselves, while the

``netif_xxx`` functions assume that the driver has already acquired

the instance lock.



Notifiers and netdev instance lock

==================================
@@ -354,6 +355,7 @@ For devices with locked ops, currently only the following notifiers are 
running under the lock:

* ``NETDEV_REGISTER``

* ``NETDEV_UP``

* ``NETDEV_CHANGE``



The following notifiers are running without the lock:

* ``NETDEV_UNREGISTER``

include/linux/netdevice.h

+2 −0
Original line number Diff line number Diff line
@@ -4429,6 +4429,7 @@ void linkwatch_fire_event(struct net_device *dev); 
 * pending work list (if queued).

 */

void linkwatch_sync_dev(struct net_device *dev);

void __linkwatch_sync_dev(struct net_device *dev);



/**

 *	netif_carrier_ok - test if carrier present
@@ -4974,6 +4975,7 @@ void dev_set_rx_mode(struct net_device *dev); 
int dev_set_promiscuity(struct net_device *dev, int inc);

int netif_set_allmulti(struct net_device *dev, int inc, bool notify);

int dev_set_allmulti(struct net_device *dev, int inc);

void netif_state_change(struct net_device *dev);

void netdev_state_change(struct net_device *dev);

void __netdev_notify_peers(struct net_device *dev);

void netdev_notify_peers(struct net_device *dev);

include/linux/rtnetlink.h

+1 −1
Original line number Diff line number Diff line
@@ -240,6 +240,6 @@ rtnl_notify_needed(const struct net *net, u16 nlflags, u32 group) 
	return (nlflags & NLM_F_ECHO) || rtnl_has_listeners(net, group);

}



void netdev_set_operstate(struct net_device *dev, int newstate);

void netif_set_operstate(struct net_device *dev, int newstate);



#endif	/* __LINUX_RTNETLINK_H */

net/core/dev.c

+1 −10
Original line number Diff line number Diff line
@@ -1518,15 +1518,7 @@ void netdev_features_change(struct net_device *dev) 
}

EXPORT_SYMBOL(netdev_features_change);



/**

 *	netdev_state_change - device changes state

 *	@dev: device to cause notification

 *

 *	Called to indicate a device has changed state. This function calls

 *	the notifier chains for netdev_chain and sends a NEWLINK message

 *	to the routing socket.

 */

void netdev_state_change(struct net_device *dev)

void netif_state_change(struct net_device *dev)

{

	if (dev->flags & IFF_UP) {

		struct netdev_notifier_change_info change_info = {
@@ -1538,7 +1530,6 @@ void netdev_state_change(struct net_device *dev) 
		rtmsg_ifinfo(RTM_NEWLINK, dev, 0, GFP_KERNEL, 0, NULL);

	}

}

EXPORT_SYMBOL(netdev_state_change);



/**

 * __netdev_notify_peers - notify network peers about existence of @dev,

net/core/dev_api.c

+16 −0
Original line number Diff line number Diff line
@@ -327,3 +327,19 @@ int dev_xdp_propagate(struct net_device *dev, struct netdev_bpf *bpf) 
	return ret;

}

EXPORT_SYMBOL_GPL(dev_xdp_propagate);



/**

 * netdev_state_change() - device changes state

 * @dev: device to cause notification

 *

 * Called to indicate a device has changed state. This function calls

 * the notifier chains for netdev_chain and sends a NEWLINK message

 * to the routing socket.

 */

void netdev_state_change(struct net_device *dev)

{

	netdev_lock_ops(dev);

	netif_state_change(dev);

	netdev_unlock_ops(dev);

}

EXPORT_SYMBOL(netdev_state_change);