From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:36874 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752584AbdF2Q7k (ORCPT
        <rfc822;stable@vger.kernel.org>); Thu, 29 Jun 2017 12:59:40 -0400
Subject: Patch "net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse" has been added to the 4.11-stable tree
To: baijiaju1990@163.com, davem@davemloft.net,
        gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Thu, 29 Jun 2017 18:58:42 +0200
Message-ID: <1498755522194242@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse

to the 4.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-tipc-fix-a-sleep-in-atomic-bug-in-tipc_msg_reverse.patch
and it can be found in the queue-4.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From foo@baz Thu Jun 29 18:58:00 CEST 2017
From: Jia-Ju Bai <baijiaju1990@163.com>
Date: Sat, 10 Jun 2017 17:03:35 +0800
Subject: net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse

From: Jia-Ju Bai <baijiaju1990@163.com>


[ Upstream commit 343eba69c6968190d8654b857aea952fed9a6749 ]

The kernel may sleep under a rcu read lock in tipc_msg_reverse, and the
function call path is:
tipc_l2_rcv_msg (acquire the lock by rcu_read_lock)
  tipc_rcv
    tipc_sk_rcv
      tipc_msg_reverse
        pskb_expand_head(GFP_KERNEL) --> may sleep
tipc_node_broadcast
  tipc_node_xmit_skb
    tipc_node_xmit
      tipc_sk_rcv
        tipc_msg_reverse
          pskb_expand_head(GFP_KERNEL) --> may sleep

To fix it, "GFP_KERNEL" is replaced with "GFP_ATOMIC".

Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/msg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -508,7 +508,7 @@ bool tipc_msg_reverse(u32 own_node,  str
 	}
 
 	if (skb_cloned(_skb) &&
-	    pskb_expand_head(_skb, BUF_HEADROOM, BUF_TAILROOM, GFP_KERNEL))
+	    pskb_expand_head(_skb, BUF_HEADROOM, BUF_TAILROOM, GFP_ATOMIC))
 		goto exit;
 
 	/* Now reverse the concerned fields */


Patches currently in stable-queue which might be from baijiaju1990@163.com are

queue-4.11/net-tipc-fix-a-sleep-in-atomic-bug-in-tipc_msg_reverse.patch
queue-4.11/net-caif-fix-a-sleep-in-atomic-bug-in-cfpkt_create_pfx.patch