Re: [PATCH net-next 18/32] netfilter: egress: avoid a lockdep splat

[PATCH net-next 00/32] Netfilter updates for net-next · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 01/32] netfilter: nfnetlink: add netns refcount tracker to struct nfulnl_instance · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
Re: [PATCH net-next 01/32] netfilter: nfnetlink: add netns refcount tracker to struct nfulnl_instance · patchwork-bot+netdevbpf@kernel.org · 2022-01-10
[PATCH net-next 05/32] netfilter: nf_tables: consolidate rule verdict trace call · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 02/32] netfilter: nf_nat_masquerade: add netns refcount tracker to masq_dev_work · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 04/32] netfilter: nft_payload: WARN_ON_ONCE instead of BUG · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 06/32] netfilter: nf_tables: replace WARN_ON by WARN_ON_ONCE for unknown verdicts · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 03/32] netfilter: nf_tables: remove rcu read-size lock · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 11/32] netfilter: nft_set_pipapo_avx2: remove redundant pointer lt · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 08/32] netfilter: conntrack: tag conntracks picked up in local out hook · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 07/32] netfilter: nf_tables: make counter support built-in · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 09/32] netfilter: nat: force port remap to prevent shadowing well-known ports · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 10/32] netfilter: flowtable: remove ipv4/ipv6 modules · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
Re: [PATCH net-next 10/32] netfilter: flowtable: remove ipv4/ipv6 modules · Geert Uytterhoeven <geert@linux-m68k.org> · 2022-01-11
[PATCH net-next 12/32] netfilter: conntrack: Use max() instead of doing it manually · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 14/32] netfilter: core: move ip_ct_attach indirection to struct nf_ct_hook · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 15/32] netfilter: make function op structures const · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 16/32] netfilter: conntrack: avoid useless indirection during conntrack destruction · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 13/32] netfilter: conntrack: convert to refcount_t api · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 17/32] net: prefer nf_ct_put instead of nf_conntrack_put · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 19/32] netfilter: nft_connlimit: move stateful fields out of expression data · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
Re: [PATCH net-next 19/32] netfilter: nft_connlimit: move stateful fields out of expression data · Julian Wiedmann <hidden> · 2022-01-10
Re: [PATCH net-next 19/32] netfilter: nft_connlimit: move stateful fields out of expression data · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-10
[PATCH net-next 21/32] netfilter: nft_quota: move stateful fields out of expression data · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 20/32] netfilter: nft_last: move stateful fields out of expression data · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 22/32] netfilter: nft_numgen: move stateful fields out of expression data · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 25/32] netfilter: nf_tables: add rule blob layout · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 28/32] netfilter: nft_payload: track register operations · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 31/32] netfilter: nft_payload: cancel register tracking after payload update · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 30/32] netfilter: nft_bitwise: track register operations · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 32/32] netfilter: nft_meta: cancel register tracking after meta update · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 18/32] netfilter: egress: avoid a lockdep splat · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
Re: [PATCH net-next 18/32] netfilter: egress: avoid a lockdep splat · Eric Dumazet <hidden> · 2022-02-28
Re: [PATCH net-next 18/32] netfilter: egress: avoid a lockdep splat · Florian Westphal <fw@strlen.de> · 2022-02-28
[PATCH net-next 29/32] netfilter: nft_meta: track register operations · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 26/32] netfilter: nf_tables: add NFT_REG32_NUM · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 24/32] netfilter: nft_limit: move stateful fields out of expression data · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 27/32] netfilter: nf_tables: add register tracking infrastructure · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09
[PATCH net-next 23/32] netfilter: nft_limit: rename stateful structure · Pablo Neira Ayuso <pablo@netfilter.org> · 2022-01-09

From: Eric Dumazet <hidden>
Date: 2022-02-28 02:13:42
Also in: netfilter-devel

On 1/9/22 15:16, Pablo Neira Ayuso wrote:

quoted hunk ↗ jump to hunk

From: Florian Westphal <fw@strlen.de>

include/linux/netfilter_netdev.h:97 suspicious rcu_dereference_check() usage!
2 locks held by sd-resolve/1100:
  0: ..(rcu_read_lock_bh){1:3}, at: ip_finish_output2
  1: ..(rcu_read_lock_bh){1:3}, at: __dev_queue_xmit
  __dev_queue_xmit+0 ..

The helper has two callers, one uses rcu_read_lock, the other
rcu_read_lock_bh().  Annotate the dereference to reflect this.

Fixes: 42df6e1d221dd ("netfilter: Introduce egress hook")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
  include/linux/netfilter_netdev.h | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/netfilter_netdev.h b/include/linux/netfilter_netdev.h
index b71b57a83bb4..b4dd96e4dc8d 100644
--- a/include/linux/netfilter_netdev.h
+++ b/include/linux/netfilter_netdev.h

@@ -94,7 +94,7 @@ static inline struct sk_buff *nf_hook_egress(struct sk_buff *skb, int *rc,
  		return skb;
  #endif
  
-	e = rcu_dereference(dev->nf_hooks_egress);
+	e = rcu_dereference_check(dev->nf_hooks_egress, rcu_read_lock_bh_held());
  	if (!e)
  		return skb;


It seems other rcu_dereference() uses will also trigger lockdep splat.


nft_do_chain()

...

if (genbit)

     blob = rcu_dereference(chain->blob_gen_1);

else

    blob = rcu_dereference(chain->blob_gen_0);

I wonder how many other places will need a fix ?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help