Subject: Re: [PATCH] mac80211: mesh: fix RCU warning
From: Johannes Berg
To: Thomas Pedersen, linux-wireless@vger.kernel.org
Cc: peter.oh@bowerswilkins.com
Date: Fri, 24 May 2019 10:29:11 +0200

On Wed, 2019-05-15 at 15:21 -0700, Thomas Pedersen wrote:
> ifmsh->csa was being dereferenced without the RCU read
> lock held.

> +++ b/net/mac80211/mesh.c > @@ -1220,10 +1220,12 @@ int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata) > ifmsh->chsw_ttl = 0; > > /* Remove the CSA and MCSP elements from the beacon */ > + rcu_read_lock(); > tmp_csa_settings = rcu_dereference(ifmsh->csa); > RCU_INIT_POINTER(ifmsh->csa, NULL); > if (tmp_csa_settings) > kfree_rcu(tmp_csa_settings, rcu_head); > + rcu_read_unlock();

This seems wrong to me. Really this code is the *writer* side, so you
should do something like this:

diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index 766e5e5bab8a..d578147ad7e8 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c @@ -1220,7 +1220,8 @@ int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata) ifmsh->chsw_ttl = 0; /* Remove the CSA and MCSP elements from the beacon */ - tmp_csa_settings = rcu_dereference(ifmsh->csa); + tmp_csa_settings = rcu_dereference_protected(ifmsh->csa, + lockdep_is_held(&sdata->wdev.mtx)); RCU_INIT_POINTER(ifmsh->csa, NULL); if (tmp_csa_settings) kfree_rcu(tmp_csa_settings, rcu_head); 
@@ -1242,6 +1243,8 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata, struct mesh_csa_settings *tmp_csa_settings; int ret = 0; + lockdep_assert_held(&sdata->wdev.mtx); + tmp_csa_settings = kmalloc(sizeof(*tmp_csa_settings), GFP_ATOMIC); if (!tmp_csa_settings)

Can you test that and send a proper patch?

johannes
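Review bot: In the quoted ieee80211_mesh_finish_csa hunk (-1220,10 +1220,12), the rcu_read_lock()/rcu_read_unlock() pair encloses an update, RCU_INIT_POINTER(ifmsh->csa, NULL) followed by kfree_rcu(), and a read-side critical section does not exclude a second updater. Unless some other lock serializes them, two concurrent callers could both fetch the same ifmsh->csa pointer before either clears it and both hand it to kfree_rcu(). The fetch should be tied to the lock that serializes updates, via rcu_dereference_protected(), rather than wrapped in the read lock.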
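Review bot: In the -1220,7 +1220,8 hunk, the lockdep_is_held(&sdata->wdev.mtx) condition claims that every caller of ieee80211_mesh_finish_csa() holds wdev.mtx, but nothing visible in the diff shows where that lock is taken. The commit message of the final patch should name the call paths that were checked, and the test run should have CONFIG_PROVE_LOCKING enabled so that a caller arriving without the lock is reported.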
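Review bot: In the -1242,6 +1243,8 hunk, lockdep_assert_held(&sdata->wdev.mtx) lands directly above kmalloc(sizeof(*tmp_csa_settings), GFP_ATOMIC) in ieee80211_mesh_csa_beacon(). If wdev.mtx is a sleeping lock held on entry, it is worth checking whether GFP_ATOMIC is still required here or whether GFP_KERNEL would do; if atomic context is entered on some path, a short comment saying so next to the allocation would help.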