From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jon Maloy Subject: [net 1/1] tipc: fix unsafe rcu locking when accessing publication list Date: Fri, 12 Oct 2018 22:46:55 +0200 Message-ID: <1539377215-29145-1-git-send-email-jon.maloy@ericsson.com> Mime-Version: 1.0 Content-Type: text/plain Cc: , , , , , , To: , Return-path: Received: from sesbmg22.ericsson.net ([193.180.251.48]:54512 "EHLO sesbmg22.ericsson.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725745AbeJMEVp (ORCPT ); Sat, 13 Oct 2018 00:21:45 -0400 Sender: netdev-owner@vger.kernel.org List-ID: From: Tung Nguyen The binding table's 'cluster_scope' list is rcu protected to handle races between threads changing the list and those traversing the list at the same moment. We have now found that the function named_distribute() uses the regular list_for_each() macro to traverse the said list. Likewise, the function tipc_named_withdraw() is removing items from the same list using the regular list_del() call. When these two functions execute in parallel we see occasional crashes. This commit fixes this by adding the missing _rcu() suffixes. Signed-off-by: Tung Nguyen Signed-off-by: Jon Maloy --- net/tipc/name_distr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c index 51b4b96..3cfeb9d 100644 --- a/net/tipc/name_distr.c +++ b/net/tipc/name_distr.c @@ -115,7 +115,7 @@ struct sk_buff *tipc_named_withdraw(struct net *net, struct publication *publ) struct sk_buff *buf; struct distr_item *item; - list_del(&publ->binding_node); + list_del_rcu(&publ->binding_node); if (publ->scope == TIPC_NODE_SCOPE) return NULL; @@ -147,7 +147,7 @@ static void named_distribute(struct net *net, struct sk_buff_head *list, ITEM_SIZE) * ITEM_SIZE; u32 msg_rem = msg_dsz; - list_for_each_entry(publ, pls, binding_node) { + list_for_each_entry_rcu(publ, pls, binding_node) { /* Prepare next buffer: */ if (!skb) { skb = named_prepare_buf(net, PUBLICATION, msg_rem, -- 2.1.4