From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Linus Lüssing" <linus.luessing@c0d3.blue>,
syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com,
syzbot+050927a651272b145a5d@syzkaller.appspotmail.com,
syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com,
syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com,
"Sven Eckelmann" <sven@narfation.org>,
"Simon Wunderlich" <sw@simonwunderlich.de>,
"Sasha Levin" <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.1 010/375] batman-adv: mcast: fix multicast tt/tvlv worker locking
Date: Wed, 22 May 2019 15:15:10 -0400
Message-ID: <20190522192115.22666-10-sashal@kernel.org>
In-Reply-To: <20190522192115.22666-1-sashal@kernel.org>
From: Linus Lüssing <linus.luessing@c0d3.blue>
[ Upstream commit a3c7cd0cdf1107f891aff847ad481e34df727055 ]
Syzbot has reported some issues with the locking assumptions made for
the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in
batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add().
While hard/not reproducible for us so far, it seems that the
delayed_work_pending() we use might not be quite safe from reordering.
Therefore this patch adds an explicit, new spinlock to protect the
update of the mla_list and flags in bat_priv and then removes the
WARN_ON(delayed_work_pending()).
Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com
Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com
Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com
Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com
Fixes: cbebd363b2e9 ("batman-adv: Use own timer for multicast TT and TVLV updates")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/main.c | 1 +
net/batman-adv/multicast.c | 11 +++--------
net/batman-adv/types.h | 5 +++++
3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
index 75750870cf048..f8725786b5961 100644
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -161,6 +161,7 @@ int batadv_mesh_init(struct net_device *soft_iface)
spin_lock_init(&bat_priv->tt.commit_lock);
spin_lock_init(&bat_priv->gw.list_lock);
#ifdef CONFIG_BATMAN_ADV_MCAST
+ spin_lock_init(&bat_priv->mcast.mla_lock);
spin_lock_init(&bat_priv->mcast.want_lists_lock);
#endif
spin_lock_init(&bat_priv->tvlv.container_list_lock);
diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
index f91b1b6265cfe..1b985ab89c087 100644
--- a/net/batman-adv/multicast.c
+++ b/net/batman-adv/multicast.c
@@ -325,8 +325,6 @@ static void batadv_mcast_mla_list_free(struct hlist_head *mcast_list)
* translation table except the ones listed in the given mcast_list.
*
* If mcast_list is NULL then all are retracted.
- *
- * Do not call outside of the mcast worker! (or cancel mcast worker first)
*/
static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
struct hlist_head *mcast_list)
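Review bot: The kernel-doc for batadv_mcast_mla_tt_retract() loses its only calling rule here and gets no replacement. The function walks bat_priv->mcast.mla_list, which the new mla_lock is documented to protect, so the comment should state that the caller must hold bat_priv->mcast.mla_lock. The same applies to the kernel-doc of batadv_mcast_mla_tt_add() further down.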
@@ -334,8 +332,6 @@ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
struct batadv_hw_addr *mcast_entry;
struct hlist_node *tmp;
- WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
-
hlist_for_each_entry_safe(mcast_entry, tmp, &bat_priv->mcast.mla_list,
list) {
if (mcast_list &&
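Review bot: Dropping the WARN_ON() at the top of batadv_mcast_mla_tt_retract() leaves the locking assumption unchecked at runtime. A lockdep_assert_held(&bat_priv->mcast.mla_lock) in its place would keep the rule machine-checked on lockdep builds without depending on delayed_work_pending(); batadv_mcast_mla_tt_add() would benefit from the same assertion.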
@@ -359,8 +355,6 @@ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv,
*
* Adds multicast listener announcements from the given mcast_list to the
* translation table if they have not been added yet.
- *
- * Do not call outside of the mcast worker! (or cancel mcast worker first)
*/
static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
struct hlist_head *mcast_list)
@@ -368,8 +362,6 @@ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv,
struct batadv_hw_addr *mcast_entry;
struct hlist_node *tmp;
- WARN_ON(delayed_work_pending(&bat_priv->mcast.work));
-
if (!mcast_list)
return;
@@ -658,7 +650,10 @@ static void batadv_mcast_mla_update(struct work_struct *work)
priv_mcast = container_of(delayed_work, struct batadv_priv_mcast, work);
bat_priv = container_of(priv_mcast, struct batadv_priv, mcast);
+ spin_lock(&bat_priv->mcast.mla_lock);
__batadv_mcast_mla_update(bat_priv);
+ spin_unlock(&bat_priv->mcast.mla_lock);
+
batadv_mcast_start_timer(bat_priv);
}
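Review bot: The spin_lock()/spin_unlock() pair around __batadv_mcast_mla_update() is the only place in this patch that takes mla_lock, so as posted the lock serialises the worker against itself and nothing else. The removed comments allowed callers outside the worker ("or cancel mcast worker first"); if any such caller of batadv_mcast_mla_tt_retract() or batadv_mcast_mla_tt_add() exists, it should take mla_lock as well, or the commit message should explain why it is safe without it. It is also worth confirming that nothing reached from __batadv_mcast_mla_update() can sleep now that it runs under a spinlock.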
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index a21b34ed6548f..ed0f6a519de55 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1223,6 +1223,11 @@ struct batadv_priv_mcast {
/** @bridged: whether the soft interface has a bridge on top */
unsigned char bridged:1;
+ /**
+ * @mla_lock: a lock protecting mla_list and mla_flags
+ */
+ spinlock_t mla_lock;
+
/**
* @num_want_all_unsnoopables: number of nodes wanting unsnoopable IP
* traffic
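Review bot: Style nit on the new @mla_lock kernel-doc: the description fits on one line, so it can use the single-line form of the @bridged comment just above it, i.e. "/** @mla_lock: a lock protecting mla_list and mla_flags */".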
--
2.20.1