From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	syzbot <syzkaller@googlegroups.com>,
	Johannes Berg <johannes@sipsolutions.net>,
	Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 5.9 05/49] mac80211: mesh: fix mesh_pathtbl_init() error path
Date: Sat, 19 Dec 2020 13:58:09 +0100
Message-ID: <20201219125344.943408387@linuxfoundation.org>
In-Reply-To: <20201219125344.671832095@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 905b2032fa424f253d9126271439cc1db2b01130 ]

If tbl_mpp can not be allocated, we call mesh_table_free(tbl_path)
while tbl_path rhashtable has not yet been initialized, which causes
panics.

Simply factorize the rhashtable_init() call into mesh_table_alloc().

WARNING: CPU: 1 PID: 8474 at kernel/workqueue.c:3040 __flush_work kernel/workqueue.c:3040 [inline]
WARNING: CPU: 1 PID: 8474 at kernel/workqueue.c:3040 __cancel_work_timer+0x514/0x540 kernel/workqueue.c:3136
Modules linked in:
CPU: 1 PID: 8474 Comm: syz-executor663 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__flush_work kernel/workqueue.c:3040 [inline]
RIP: 0010:__cancel_work_timer+0x514/0x540 kernel/workqueue.c:3136
Code: 5d c3 e8 bf ae 29 00 0f 0b e9 f0 fd ff ff e8 b3 ae 29 00 0f 0b 43 80 3c 3e 00 0f 85 31 ff ff ff e9 34 ff ff ff e8 9c ae 29 00 <0f> 0b e9 dc fe ff ff 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c 7d fd ff
RSP: 0018:ffffc9000165f5a0 EFLAGS: 00010293
RAX: ffffffff814b7064 RBX: 0000000000000001 RCX: ffff888021c80000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888024039ca0 R08: dffffc0000000000 R09: fffffbfff1dd3e64
R10: fffffbfff1dd3e64 R11: 0000000000000000 R12: 1ffff920002cbebd
R13: ffff888024039c88 R14: 1ffff11004807391 R15: dffffc0000000000
FS:  0000000001347880(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000140 CR3: 000000002cc0a000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rhashtable_free_and_destroy+0x25/0x9c0 lib/rhashtable.c:1137
 mesh_table_free net/mac80211/mesh_pathtbl.c:69 [inline]
 mesh_pathtbl_init+0x287/0x2e0 net/mac80211/mesh_pathtbl.c:785
 ieee80211_mesh_init_sdata+0x2ee/0x530 net/mac80211/mesh.c:1591
 ieee80211_setup_sdata+0x733/0xc40 net/mac80211/iface.c:1569
 ieee80211_if_add+0xd5c/0x1cd0 net/mac80211/iface.c:1987
 ieee80211_add_iface+0x59/0x130 net/mac80211/cfg.c:125
 rdev_add_virtual_intf net/wireless/rdev-ops.h:45 [inline]
 nl80211_new_interface+0x563/0xb40 net/wireless/nl80211.c:3855
 genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0xe4e/0x1280 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x780/0x930 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x9a8/0xd40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x2b1/0x360 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 60854fd94573 ("mac80211: mesh: convert path table to rhashtable")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Link: https://lore.kernel.org/r/20201204162428.2583119-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/mesh_pathtbl.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -60,6 +60,7 @@ static struct mesh_table *mesh_table_all
 	atomic_set(&newtbl->entries,  0);
 	spin_lock_init(&newtbl->gates_lock);
 	spin_lock_init(&newtbl->walk_lock);
+	rhashtable_init(&newtbl->rhead, &mesh_rht_params);
 
 	return newtbl;
 }
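
Review bot: The return value of the added `rhashtable_init(&newtbl->rhead, &mesh_rht_params);` is discarded, so mesh_table_alloc() would still hand back a table if the init reported an error, and a later mesh_table_free() on it would reach rhashtable_free_and_destroy() with an uninitialized rhead, the same path the trace in the commit message shows. rhashtable_init() returns an int; consider checking it here, calling kfree(newtbl) and returning NULL on failure, so the caller's existing allocation-failure branches cover it. The removed call sites ignored the result as well, so this carries over an existing gap rather than adding one, but this function is now the single place to close it.
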
@@ -773,9 +774,6 @@ int mesh_pathtbl_init(struct ieee80211_s
 		goto free_path;
 	}
 
-	rhashtable_init(&tbl_path->rhead, &mesh_rht_params);
-	rhashtable_init(&tbl_mpp->rhead, &mesh_rht_params);
-
 	sdata->u.mesh.mesh_paths = tbl_path;
 	sdata->u.mesh.mpp_paths = tbl_mpp;
 
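Review bot: With the two calls removed after the `goto free_path;` block, nothing left in mesh_pathtbl_init() shows that a table reaching the error labels already has an initialized rhead, which is the invariant the fix depends on. A one-line comment at the mesh_table_alloc() call sites or at the free_path label, stating that mesh_table_alloc() returns a table that is always safe to pass to mesh_table_free(), would keep a later refactor from reintroducing the alloc/init ordering bug described in the commit message.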


