netdevsim: psp: rcu protect psp_dev reference

There are two issues with the way psp_dev is used in nsim_do_psp():

1. There is no check for IS_ERR() on the peers psp_dev, before
   dereferencing.
2. The refcount on this psp_dev can be dropped by
   nsim_psp_rereg_write()

To fix this, we can make netdevsim's reference to its psp_dev an rcu
reference, and then nsim_do_psp() can read the fields it needs from an
rcu critical section.

Fixes: f857478d6206 ("netdevsim: a basic test PSP implementation")
Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260505-psd-rcu-v1-3-a8f69ec1ab96@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h
index e373ffc26b0c0f6992acf73edceb2d63c3bf24dc..d909c4160ea1fe4fc4c8ed1164f23564ea99400d 100644 (file)
--- a/drivers/net/netdevsim/netdevsim.h
+++ b/drivers/net/netdevsim/netdevsim.h
@@ -120,7 +120,7 @@ struct netdevsim {
                u64_stats_t tx_packets;
                u64_stats_t tx_bytes;
                struct u64_stats_sync syncp;
-               struct psp_dev *dev;
+               struct psp_dev __rcu *dev;
                struct dentry *rereg;
                struct mutex rereg_lock;
                u32 spi;

diff --git a/drivers/net/netdevsim/psp.c b/drivers/net/netdevsim/psp.c
index 86d84b7e566b28795b51ca493605b62afa864a16..6936ecb8173e20b34e59400d841dd0083b7a2e4c 100644 (file)
--- a/drivers/net/netdevsim/psp.c
+++ b/drivers/net/netdevsim/psp.c
@@ -19,6 +19,7 @@ nsim_do_psp(struct sk_buff *skb, struct netdevsim *ns,
            struct netdevsim *peer_ns, struct skb_ext **psp_ext)
 {
        enum skb_drop_reason rc = 0;
+       struct psp_dev *peer_psd;
        struct psp_assoc *pas;
        struct net *net;
        void **ptr;
@@ -48,7 +49,8 @@ nsim_do_psp(struct sk_buff *skb, struct netdevsim *ns,
        }
 
        /* Now pretend we just received this frame */
-       if (peer_ns->psp.dev->config.versions & (1 << pas->version)) {
+       peer_psd = rcu_dereference(peer_ns->psp.dev);
+       if (peer_psd && peer_psd->config.versions & (1 << pas->version)) {
                bool strip_icv = false;
                u8 generation;
 
@@ -61,8 +63,7 @@ nsim_do_psp(struct sk_buff *skb, struct netdevsim *ns,
 
                skb_ext_reset(skb);
                skb->mac_len = ETH_HLEN;
-               if (psp_dev_rcv(skb, peer_ns->psp.dev->id, generation,
-                               strip_icv)) {
+               if (psp_dev_rcv(skb, peer_psd->id, generation, strip_icv)) {
                        rc = SKB_DROP_REASON_PSP_OUTPUT;
                        goto out_unlock;
                }
@@ -209,10 +210,18 @@ static struct psp_dev_caps nsim_psp_caps = {
        .assoc_drv_spc = sizeof(void *),
 };
 
-static void __nsim_psp_uninit(struct netdevsim *ns)
+static void __nsim_psp_uninit(struct netdevsim *ns, bool teardown)
 {
-       if (!IS_ERR(ns->psp.dev))
-               psp_dev_unregister(ns->psp.dev);
+       struct psp_dev *psd;
+
+       psd = rcu_dereference_protected(ns->psp.dev,
+                                       teardown ||
+                                       lockdep_is_held(&ns->psp.rereg_lock));
+       if (psd) {
+               rcu_assign_pointer(ns->psp.dev, NULL);
+               synchronize_rcu();
+               psp_dev_unregister(psd);
+       }
        WARN_ON(ns->psp.assoc_cnt);
 }
 
@@ -220,7 +229,7 @@ void nsim_psp_uninit(struct netdevsim *ns)
 {
        debugfs_remove(ns->psp.rereg);
        mutex_destroy(&ns->psp.rereg_lock);
-       __nsim_psp_uninit(ns);
+       __nsim_psp_uninit(ns, true);
 }
 
 static ssize_t
@@ -228,16 +237,23 @@ nsim_psp_rereg_write(struct file *file, const char __user *data, size_t count,
                     loff_t *ppos)
 {
        struct netdevsim *ns = file->private_data;
-       int err;
+       struct psp_dev *psd;
+       ssize_t ret;
 
        mutex_lock(&ns->psp.rereg_lock);
-       __nsim_psp_uninit(ns);
+       __nsim_psp_uninit(ns, false);
+
+       psd = psp_dev_create(ns->netdev, &nsim_psp_ops, &nsim_psp_caps, ns);
+       if (IS_ERR(psd)) {
+               ret = PTR_ERR(psd);
+               goto out;
+       }
 
-       ns->psp.dev = psp_dev_create(ns->netdev, &nsim_psp_ops,
-                                    &nsim_psp_caps, ns);
-       err = PTR_ERR_OR_ZERO(ns->psp.dev);
+       rcu_assign_pointer(ns->psp.dev, psd);
+       ret = count;
+out:
        mutex_unlock(&ns->psp.rereg_lock);
-       return err ?: count;
+       return ret;
 }
 
 static const struct file_operations nsim_psp_rereg_fops = {
@@ -250,13 +266,13 @@ static const struct file_operations nsim_psp_rereg_fops = {
 int nsim_psp_init(struct netdevsim *ns)
 {
        struct dentry *ddir = ns->nsim_dev_port->ddir;
-       int err;
+       struct psp_dev *psd;
+
+       psd = psp_dev_create(ns->netdev, &nsim_psp_ops, &nsim_psp_caps, ns);
+       if (IS_ERR(psd))
+               return PTR_ERR(psd);
 
-       ns->psp.dev = psp_dev_create(ns->netdev, &nsim_psp_ops,
-                                    &nsim_psp_caps, ns);
-       err = PTR_ERR_OR_ZERO(ns->psp.dev);
-       if (err)
-               return err;
+       rcu_assign_pointer(ns->psp.dev, psd);
 
        mutex_init(&ns->psp.rereg_lock);
        ns->psp.rereg = debugfs_create_file("psp_rereg", 0200, ddir, ns,