[PATCH net v1 1/1] tipc: fix nametbl deadlock at tipc_nametbl

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net v1 1/1] tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe
@ 2017-03-21  9:47 Parthasarathy Bhuvaragan
  2017-03-22 18:59 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Parthasarathy Bhuvaragan @ 2017-03-21  9:47 UTC (permalink / raw)
  To: davem; +Cc: netdev, tipc-discussion, jon.maloy, maloy, ying.xue, thompa.atl

From: Ying Xue <ying.xue@windriver.com>

Until now, tipc_nametbl_unsubscribe() is called at subscriptions
reference count cleanup. Usually the subscriptions cleanup is
called at subscription timeout or at subscription cancel or at
subscriber delete.

We have ignored the possibility of this being called from other
locations, which causes deadlock as we try to grab the
tn->nametbl_lock while holding it already.

   CPU1:                             CPU2:
----------                     ----------------
tipc_nametbl_publish
spin_lock_bh(&tn->nametbl_lock)
tipc_nametbl_insert_publ
tipc_nameseq_insert_publ
tipc_subscrp_report_overlap
tipc_subscrp_get
tipc_subscrp_send_event
                             tipc_close_conn
                             tipc_subscrb_release_cb
                             tipc_subscrb_delete
                             tipc_subscrp_put
tipc_subscrp_put
tipc_subscrp_kref_release
tipc_nametbl_unsubscribe
spin_lock_bh(&tn->nametbl_lock)
<<grab nametbl_lock again>>

   CPU1:                              CPU2:
----------                     ----------------
tipc_nametbl_stop
spin_lock_bh(&tn->nametbl_lock)
tipc_purge_publications
tipc_nameseq_remove_publ
tipc_subscrp_report_overlap
tipc_subscrp_get
tipc_subscrp_send_event
                             tipc_close_conn
                             tipc_subscrb_release_cb
                             tipc_subscrb_delete
                             tipc_subscrp_put
tipc_subscrp_put
tipc_subscrp_kref_release
tipc_nametbl_unsubscribe
spin_lock_bh(&tn->nametbl_lock)
<<grab nametbl_lock again>>

In this commit, we advance the calling of tipc_nametbl_unsubscribe()
from the refcount cleanup to the intended callers.

Fixes: d094c4d5f5c7 ("tipc: add subscription refcount to avoid invalid delete")
Reported-by: John Thompson <thompa.atl@gmail.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
---
 net/tipc/subscr.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index 9d94e65d0894..271cd66e4b3b 100644
--- a/net/tipc/subscr.c
+++ b/net/tipc/subscr.c
@@ -141,6 +141,11 @@ void tipc_subscrp_report_overlap(struct tipc_subscription *sub, u32 found_lower,
 static void tipc_subscrp_timeout(unsigned long data)
 {
 	struct tipc_subscription *sub = (struct tipc_subscription *)data;
+	struct tipc_subscriber *subscriber = sub->subscriber;
+
+	spin_lock_bh(&subscriber->lock);
+	tipc_nametbl_unsubscribe(sub);
+	spin_unlock_bh(&subscriber->lock);
 
 	/* Notify subscriber of timeout */
 	tipc_subscrp_send_event(sub, sub->evt.s.seq.lower, sub->evt.s.seq.upper,
@@ -173,7 +178,6 @@ static void tipc_subscrp_kref_release(struct kref *kref)
 	struct tipc_subscriber *subscriber = sub->subscriber;
 
 	spin_lock_bh(&subscriber->lock);
-	tipc_nametbl_unsubscribe(sub);
 	list_del(&sub->subscrp_list);
 	atomic_dec(&tn->subscription_count);
 	spin_unlock_bh(&subscriber->lock);
@@ -205,6 +209,7 @@ static void tipc_subscrb_subscrp_delete(struct tipc_subscriber *subscriber,
 		if (s && memcmp(s, &sub->evt.s, sizeof(struct tipc_subscr)))
 			continue;
 
+		tipc_nametbl_unsubscribe(sub);
 		tipc_subscrp_get(sub);
 		spin_unlock_bh(&subscriber->lock);
 		tipc_subscrp_delete(sub);
-- 
2.1.4

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH net v1 1/1] tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe
  2017-03-21  9:47 [PATCH net v1 1/1] tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe Parthasarathy Bhuvaragan
@ 2017-03-22 18:59 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2017-03-22 18:59 UTC (permalink / raw)
  To: parthasarathy.bhuvaragan
  Cc: netdev, tipc-discussion, jon.maloy, maloy, ying.xue, thompa.atl

From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
Date: Tue, 21 Mar 2017 10:47:49 +0100

> From: Ying Xue <ying.xue@windriver.com>
> 
> Until now, tipc_nametbl_unsubscribe() is called at subscriptions
> reference count cleanup. Usually the subscriptions cleanup is
> called at subscription timeout or at subscription cancel or at
> subscriber delete.
> 
> We have ignored the possibility of this being called from other
> locations, which causes deadlock as we try to grab the
> tn->nametbl_lock while holding it already.
 ...
> In this commit, we advance the calling of tipc_nametbl_unsubscribe()
> from the refcount cleanup to the intended callers.
> 
> Fixes: d094c4d5f5c7 ("tipc: add subscription refcount to avoid invalid delete")
> Reported-by: John Thompson <thompa.atl@gmail.com>
> Acked-by: Jon Maloy <jon.maloy@ericsson.com>
> Signed-off-by: Ying Xue <ying.xue@windriver.com>
> Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>

Applied, thank you.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-03-22 19:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-21  9:47 [PATCH net v1 1/1] tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe Parthasarathy Bhuvaragan
2017-03-22 18:59 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).