neighbour: Convert RTM_SETNEIGHTBL to RCU.

neightbl_set() fetches neigh_tables[] and updates attributes under
write_lock_bh(&tbl->lock), so RTNL is not needed.

neigh_table_clear() synchronises RCU only, and rcu_dereference_rtnl()
protects nothing here.

If we released RCU after fetching neigh_tables[], there would be no
synchronisation to block neigh_table_clear() further, so RCU is held
until the end of the function.

Another option would be to protect neigh_tables[] user with SRCU
and add synchronize_srcu() in neigh_table_clear().

But, holding RCU should be fine as we hold write_lock_bh() for the
rest of neightbl_set() anyway.

Let's perform RTM_SETNEIGHTBL under RCU and drop RTNL.

Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251022054004.2514876-5-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index a660723476fd1e9b3188392de8d7e202054cebba..6d2164b4d99980dc605f381abf2c3fa611f58578 100644 (file)
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2362,9 +2362,9 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
                        struct netlink_ext_ack *extack)
 {
        struct net *net = sock_net(skb->sk);
+       struct nlattr *tb[NDTA_MAX + 1];
        struct neigh_table *tbl;
        struct ndtmsg *ndtmsg;
-       struct nlattr *tb[NDTA_MAX+1];
        bool found = false;
        int err, tidx;
 
@@ -2380,20 +2380,27 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
 
        ndtmsg = nlmsg_data(nlh);
 
+       rcu_read_lock();
+
        for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
-               tbl = rcu_dereference_rtnl(neigh_tables[tidx]);
+               tbl = rcu_dereference(neigh_tables[tidx]);
                if (!tbl)
                        continue;
+
                if (ndtmsg->ndtm_family && tbl->family != ndtmsg->ndtm_family)
                        continue;
+
                if (nla_strcmp(tb[NDTA_NAME], tbl->id) == 0) {
                        found = true;
                        break;
                }
        }
 
-       if (!found)
-               return -ENOENT;
+       if (!found) {
+               rcu_read_unlock();
+               err = -ENOENT;
+               goto errout;
+       }
 
        /*
         * We acquire tbl->lock to be nice to the periodic timers and
@@ -2519,6 +2526,7 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 errout_tbl_lock:
        write_unlock_bh(&tbl->lock);
+       rcu_read_unlock();
 errout:
        return err;
 }
@@ -3909,7 +3917,8 @@ static const struct rtnl_msg_handler neigh_rtnl_msg_handlers[] __initconst = {
         .flags = RTNL_FLAG_DOIT_UNLOCKED | RTNL_FLAG_DUMP_UNLOCKED},
        {.msgtype = RTM_GETNEIGHTBL, .dumpit = neightbl_dump_info,
         .flags = RTNL_FLAG_DUMP_UNLOCKED},
-       {.msgtype = RTM_SETNEIGHTBL, .doit = neightbl_set},
+       {.msgtype = RTM_SETNEIGHTBL, .doit = neightbl_set,
+        .flags = RTNL_FLAG_DOIT_UNLOCKED},
 };
 
 static int __init neigh_init(void)