From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752565AbdK1NPU (ORCPT <rfc822;w@1wt.eu>);
        Tue, 28 Nov 2017 08:15:20 -0500
Received: from sesbmg22.ericsson.net ([193.180.251.48]:51500 "EHLO
        sesbmg22.ericsson.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751900AbdK1NPR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Nov 2017 08:15:17 -0500
X-AuditID: c1b4fb30-a25ff70000002554-23-5a1d61639734
From: Jon Maloy <jon.maloy@ericsson.com>
To: Tommi Rantala <tommi.t.rantala@nokia.com>,
        Ying Xue <ying.xue@windriver.com>,
        "David S. Miller" <davem@davemloft.net>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "tipc-discussion@lists.sourceforge.net" 
        <tipc-discussion@lists.sourceforge.net>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH] tipc: call tipc_rcv() only if bearer is up in
 tipc_udp_recv()
Thread-Topic: [PATCH] tipc: call tipc_rcv() only if bearer is up in
 tipc_udp_recv()
Thread-Index: AQHTaEf9kqAqm6ZFuk6d92TKhW4vs6MpxRzQ
Date: Tue, 28 Nov 2017 13:15:13 +0000
Message-ID: <AM4PR07MB17141EC1C8321C9B4D530EE69A3A0@AM4PR07MB1714.eurprd07.prod.outlook.com>
References: <20171128125315.25334-1-tommi.t.rantala@nokia.com>
In-Reply-To: <20171128125315.25334-1-tommi.t.rantala@nokia.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [24.225.233.31]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;AM4PR07MB1716;6:zeE+sJHbFWkA6V/ckPWAk1MiGkOm+BUCuB/7jq7/qRG/6nomyouk8ynU3V7J0YiAO/LR2ikus73Jptaff45xsZZ7AlcPbPByToWZSMYVdIWIP4LpptB46EznClPtl0A9VoNqupo/+EMT6NmN2y3sT+lRphoVZjc6KR30Jz9IrLNQjJhvz/myXklRZ3c6J5wu395rjm1cCoinLHsCIGADkC1RrvWJCxQ6vjwGrTyhr6rh3JZkJbjycSYz1K1MZZU0h+jMeE7fPUuinrggKKy0GTzAkZRYhkL+0xvO8E/NCtbEVLqDCa41U/MwM9n2TJj+20fV0c4fxlBJ9D7J9ktTG74PfCW9XnPrpLQvXpbSxWM=;5:P90uDOizEw8OX/2C0h+hm6lnRDj1K5dcl7cAzPIaWfvoSxScmsCI9C10fMic4wDbk2Q67aaIzH/EhTARAge3zaUPrv8RVIHX9DxH1fGap7Iarfj6fgTKr63toknXnDHlr3C4GJG+nEXHI9yzmBamVGRPeMc7+UM+qbGHhUOaXn4=;24:m9EIWQfMSSPsy0m3CjA4j/1E0GKNIqK+NU59CBJl+HFADNi++nAzJJ9xb+XkzKtgNvNQoGE9Uh507DXhofpkxEnIlFqINNbTMMyeYRCeYQg=;7:FtR79Np5+oqmymbn3Lt1mWfxa5Sd/MiGn/d6CrXfL4i8kiUziQvlc8ReGDxYy49vhb97NMsvFND1CugoIpNhmTxXrxF5dsbGHRjKbmvm1Co/hg8LxfPYHicwSEpfF+SW+Eo5k//YOjMT5YB8eGYSZbvhjex7UVzbmPO5NXkKvJs7Xyqx5PP6B+vHN9Yfzyw5F78yr2OvIpjBoZoHCbB1Riqm9prG5fgp9U+cbjipLeywfUjh8kN/895NF9vQjl1u
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 5cecb85d-1798-44d6-ba7f-08d536620f38
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(5600026)(4604075)(2017052603258);SRVR:AM4PR07MB1716;
x-ms-traffictypediagnostic: AM4PR07MB1716:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=jon.maloy@ericsson.com; 
x-ld-processed: 92e84ceb-fbfd-47ab-be52-080c6b87953f,ExtAddr
x-microsoft-antispam-prvs: <AM4PR07MB1716CEEE6310F22BF2DACEA29A3A0@AM4PR07MB1716.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(143289334528602)(9452136761055)(82608151540597)(42262312472803);
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(6040450)(2401047)(5005006)(8121501046)(3231022)(10201501046)(93006095)(93001095)(3002001)(6041248)(20161123555025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123564025)(6072148)(201708071742011);SRVR:AM4PR07MB1716;BCL:0;PCL:0;RULEID:(100000803101)(100110400095);SRVR:AM4PR07MB1716;
x-forefront-prvs: 0505147DDB
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(6009001)(39860400002)(346002)(376002)(366004)(199003)(13464003)(189002)(316002)(25786009)(3660700001)(105586002)(106356001)(53936002)(9686003)(6436002)(575784001)(81156014)(8676002)(81166006)(86362001)(305945005)(33656002)(101416001)(3846002)(55016002)(189998001)(110136005)(50986999)(74316002)(68736007)(6116002)(102836003)(76176999)(6246003)(54356999)(7736002)(229853002)(14454004)(2950100002)(8656006)(2501003)(6506006)(2201001)(2900100001)(8936002)(7696005)(478600001)(2906002)(5250100002)(97736004)(5660300001)(66066001)(3280700002)(99286004)(53546010);DIR:OUT;SFP:1101;SCL:1;SRVR:AM4PR07MB1716;H:AM4PR07MB1714.eurprd07.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 5cecb85d-1798-44d6-ba7f-08d536620f38
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Nov 2017 13:15:13.1457
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR07MB1716
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Se0hTYRjG/c75No/a4HPeXmeGDaU0nWZBI8Q0CBYhSFToEnPpwfuUTSUt
        YWIj3bCLiXdzXsEoqKV5x1KQTFBQlBqKWDPTkiQRjUzz7Bj03+99nu97eB94GVpcLZAwqeoc
        VqNWZUiFjrgmpvtCUKLKWxnSbAqW10/exfLpvnqhfNTkLu+cTJP3vPmAIwSKzo6PlKLftEEp
        5i1TlGLDfCQaKx3DktiM1DxWExye4JjyvGTaPtty5tay+Q/WofYgA3JggJyG14vfMcdiMoLA
        0BfB8zsE23OxBuTIYFJGw9ys3p4bxKSSgs2d+5gfFhFUjXXZvgvJcVipLEGc4UpGKSjanqc4
        w4VcAWN5KeLYlVyFT1tFAp5DYXVoRsgxJn7wpNK6rzOMiMRBe68nv0Y4bA1ZbTEO5Bz80i3Z
        YhBxh633z2w6TTzAYm2k+DoEWgcmaZ7dYOXzroDnozD5ovlA94apRiPiedgejINHeZZB16M1
        xK0AJAp26miuCpBWBDubPQf5ATBb1S3k3iASC+NLsbwcBtXGqoP4dOivXcI8F8DIVB3mc0w0
        lOn1BzmHYe9LJ36IZLX/VeA5EEz9P4U8n4D2pm80xyLiDGM1VmxC+Cly07Lam5nJoaEyVpOa
        qNVmqWVqNseM9u/lbefvkB60shw5jAiDpIdEWfHeSrFAlafNzxxGwNBSV5GHfF8SJanyC1hN
        1g1NbgarHUZeDJZ6iMYuipRikqzKYdNZNpvV/HMpxkGiQ8qW8cLczFnfx/cSIgtPXY6OqKTX
        LaI2nfPi4CuqrPmHJ75eEeiV1rwcPaDWtUXdNm11SSZ8THipdOWSv97pTkdk0vndVQMdZ41f
        aJ+3FOfa2xX3KtZbmvYCnRpmzHMBvn5r/i7X6hpijp3de+nz4GtqaGaVR4x5obHCd8JOUi7F
        2hTVyQBao1X9BQc4QdkrAwAA
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by nfs id vASDFP95016664

Acked.

///jon

> -----Original Message-----
> From: Tommi Rantala [mailto:tommi.t.rantala@nokia.com]
> Sent: Tuesday, November 28, 2017 07:53
> To: Jon Maloy <jon.maloy@ericsson.com>; Ying Xue
> <ying.xue@windriver.com>; David S. Miller <davem@davemloft.net>;
> netdev@vger.kernel.org; tipc-discussion@lists.sourceforge.net; linux-
> kernel@vger.kernel.org
> Cc: Tommi Rantala <tommi.t.rantala@nokia.com>
> Subject: [PATCH] tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv()
> 
> Call tipc_rcv() only if bearer is up in tipc_udp_recv().
> Fixes a rare TIPC div-by-zero crash in tipc_node_calculate_timer():
> 
> We're enabling a bearer, but it's not yet up and fully initialized.
> At the same time we receive a discovery packet, and in tipc_udp_recv() we
> end up calling tipc_rcv() with the not-yet-initialized bearer, causing later a
> div-by-zero crash in tipc_node_calculate_timer().
> 
> [   12.590450] Own node address <1.1.1>, network identity 1
> [   12.668088] divide error: 0000 [#1] SMP
> [   12.676952] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.14.2-dirty #1
> [   12.679225] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.10.2-2.fc27 04/01/2014
> [   12.682095] task: ffff8c2a761edb80 task.stack: ffffa41cc0cac000
> [   12.684087] RIP: 0010:tipc_node_calculate_timer.isra.12+0x45/0x60 [tipc]
> [   12.686486] RSP: 0018:ffff8c2a7fc838a0 EFLAGS: 00010246
> [   12.688451] RAX: 0000000000000000 RBX: ffff8c2a5b382600 RCX:
> 0000000000000000
> [   12.691197] RDX: 0000000000000000 RSI: ffff8c2a5b382600 RDI:
> ffff8c2a5b382600
> [   12.693945] RBP: ffff8c2a7fc838b0 R08: 0000000000000001 R09:
> 0000000000000001
> [   12.696632] R10: 0000000000000000 R11: 0000000000000000 R12:
> ffff8c2a5d8949d8
> [   12.699491] R13: ffffffff95ede400 R14: 0000000000000000 R15:
> ffff8c2a5d894800
> [   12.702338] FS:  0000000000000000(0000) GS:ffff8c2a7fc80000(0000)
> knlGS:0000000000000000
> [   12.705099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   12.706776] CR2: 0000000001bb9440 CR3: 00000000bd009001 CR4:
> 00000000003606e0
> [   12.708847] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [   12.711016] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [   12.712627] Call Trace:
> [   12.713390]  <IRQ>
> [   12.714011]  tipc_node_check_dest+0x2e8/0x350 [tipc]
> [   12.715286]  tipc_disc_rcv+0x14d/0x1d0 [tipc]
> [   12.716370]  tipc_rcv+0x8b0/0xd40 [tipc]
> [   12.717396]  ? minmax_running_min+0x2f/0x60
> [   12.718248]  ? dst_alloc+0x4c/0xa0
> [   12.718964]  ? tcp_ack+0xaf1/0x10b0
> [   12.719658]  ? tipc_udp_is_known_peer+0xa0/0xa0 [tipc]
> [   12.720634]  tipc_udp_recv+0x71/0x1d0 [tipc]
> [   12.721459]  ? dst_alloc+0x4c/0xa0
> [   12.722130]  udp_queue_rcv_skb+0x264/0x490
> [   12.722924]  __udp4_lib_rcv+0x21e/0x990
> [   12.723670]  ? ip_route_input_rcu+0x2dd/0xbf0
> [   12.724442]  ? tcp_v4_rcv+0x958/0xa40
> [   12.725039]  udp_rcv+0x1a/0x20
> [   12.725587]  ip_local_deliver_finish+0x97/0x1d0
> [   12.726323]  ip_local_deliver+0xaf/0xc0
> [   12.726959]  ? ip_route_input_noref+0x19/0x20
> [   12.727689]  ip_rcv_finish+0xdd/0x3b0
> [   12.728307]  ip_rcv+0x2ac/0x360
> [   12.728839]  __netif_receive_skb_core+0x6fb/0xa90
> [   12.729580]  ? udp4_gro_receive+0x1a7/0x2c0
> [   12.730274]  __netif_receive_skb+0x1d/0x60
> [   12.730953]  ? __netif_receive_skb+0x1d/0x60
> [   12.731637]  netif_receive_skb_internal+0x37/0xd0
> [   12.732371]  napi_gro_receive+0xc7/0xf0
> [   12.732920]  receive_buf+0x3c3/0xd40
> [   12.733441]  virtnet_poll+0xb1/0x250
> [   12.733944]  net_rx_action+0x23e/0x370
> [   12.734476]  __do_softirq+0xc5/0x2f8
> [   12.734922]  irq_exit+0xfa/0x100
> [   12.735315]  do_IRQ+0x4f/0xd0
> [   12.735680]  common_interrupt+0xa2/0xa2
> [   12.736126]  </IRQ>
> [   12.736416] RIP: 0010:native_safe_halt+0x6/0x10
> [   12.736925] RSP: 0018:ffffa41cc0cafe90 EFLAGS: 00000246 ORIG_RAX:
> ffffffffffffff4d
> [   12.737756] RAX: 0000000000000000 RBX: ffff8c2a761edb80 RCX:
> 0000000000000000
> [   12.738504] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000000000000
> [   12.739258] RBP: ffffa41cc0cafe90 R08: 0000014b5b9795e5 R09:
> ffffa41cc12c7e88
> [   12.740118] R10: 0000000000000000 R11: 0000000000000000 R12:
> 0000000000000002
> [   12.740964] R13: ffff8c2a761edb80 R14: 0000000000000000 R15:
> 0000000000000000
> [   12.741831]  default_idle+0x2a/0x100
> [   12.742323]  arch_cpu_idle+0xf/0x20
> [   12.742796]  default_idle_call+0x28/0x40
> [   12.743312]  do_idle+0x179/0x1f0
> [   12.743761]  cpu_startup_entry+0x1d/0x20
> [   12.744291]  start_secondary+0x112/0x120
> [   12.744816]  secondary_startup_64+0xa5/0xa5
> [   12.745367] Code: b9 f4 01 00 00 48 89 c2 48 c1 ea 02 48 3d d3 07 00
> 00 48 0f 47 d1 49 8b 0c 24 48 39 d1 76 07 49 89 14 24 48 89 d1 31 d2 48
> 89 df <48> f7 f1 89 c6 e8 81 6e ff ff 5b 41 5c 5d c3 66 90 66 2e 0f 1f
> [   12.747527] RIP: tipc_node_calculate_timer.isra.12+0x45/0x60 [tipc] RSP:
> ffff8c2a7fc838a0
> [   12.748555] ---[ end trace 1399ab83390650fd ]---
> [   12.749296] Kernel panic - not syncing: Fatal exception in interrupt
> [   12.750123] Kernel Offset: 0x13200000 from 0xffffffff82000000
> (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [   12.751215] Rebooting in 60 seconds..
> 
> Fixes: c9b64d492b1f ("tipc: add replicast peer discovery")
> Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
> ---
>  net/tipc/udp_media.c | 29 +++++++----------------------
>  1 file changed, 7 insertions(+), 22 deletions(-)
> 
> diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index
> ecca64fc6a6f..599e7be92024 100644
> --- a/net/tipc/udp_media.c
> +++ b/net/tipc/udp_media.c
> @@ -344,42 +344,27 @@ static int tipc_udp_recv(struct sock *sk, struct
> sk_buff *skb)
>  	struct udp_bearer *ub;
>  	struct tipc_bearer *b;
>  	struct tipc_msg *hdr;
> -	int err;
> 
>  	ub = rcu_dereference_sk_user_data(sk);
>  	if (!ub) {
>  		pr_err_ratelimited("Failed to get UDP bearer reference");
> -		goto out;
> +		kfree_skb(skb);
> +		return 0;
>  	}
>  	skb_pull(skb, sizeof(struct udphdr));
>  	hdr = buf_msg(skb);
> 
>  	rcu_read_lock();
>  	b = rcu_dereference_rtnl(ub->bearer);
> -	if (!b)
> -		goto rcu_out;
> -
> -	if (b && test_bit(0, &b->up)) {
> +	if (likely(b && test_bit(0, &b->up))) {
>  		tipc_rcv(sock_net(sk), skb, b);
> -		rcu_read_unlock();
> -		return 0;
> -	}
> -
> -	if (unlikely(msg_user(hdr) == LINK_CONFIG)) {
> -		err = tipc_udp_rcast_disc(b, skb);
> -		if (err)
> -			goto rcu_out;
> +	} else {
> +		if (unlikely(b && msg_user(hdr) == LINK_CONFIG))
> +			tipc_udp_rcast_disc(b, skb);
> +		kfree_skb(skb);
>  	}
> -
> -	tipc_rcv(sock_net(sk), skb, b);
>  	rcu_read_unlock();
>  	return 0;
> -
> -rcu_out:
> -	rcu_read_unlock();
> -out:
> -	kfree_skb(skb);
> -	return 0;
>  }
> 
>  static int enable_mcast(struct udp_bearer *ub, struct udp_media_addr
> *remote)
> --
> 2.14.3

From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jon Maloy <jon.maloy@ericsson.com>
Subject: RE: [PATCH] tipc: call tipc_rcv() only if bearer is up in
 tipc_udp_recv()
Date: Tue, 28 Nov 2017 13:15:13 +0000
Message-ID: <AM4PR07MB17141EC1C8321C9B4D530EE69A3A0@AM4PR07MB1714.eurprd07.prod.outlook.com>
References: <20171128125315.25334-1-tommi.t.rantala@nokia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
To: Tommi Rantala <tommi.t.rantala@nokia.com>,
        Ying Xue <ying.xue@windriver.com>,
        "David S. Miller" <davem@davemloft.net>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "tipc-discussion@lists.sourceforge.net"
        <tipc-discussion@lists.sourceforge.net>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Return-path: <linux-kernel-owner@vger.kernel.org>
In-Reply-To: <20171128125315.25334-1-tommi.t.rantala@nokia.com>
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Acked.

///jon

> -----Original Message-----
> From: Tommi Rantala [mailto:tommi.t.rantala@nokia.com]
> Sent: Tuesday, November 28, 2017 07:53
> To: Jon Maloy <jon.maloy@ericsson.com>; Ying Xue
> <ying.xue@windriver.com>; David S. Miller <davem@davemloft.net>;
> netdev@vger.kernel.org; tipc-discussion@lists.sourceforge.net; linux-
> kernel@vger.kernel.org
> Cc: Tommi Rantala <tommi.t.rantala@nokia.com>
> Subject: [PATCH] tipc: call tipc_rcv() only if bearer is up in tipc_udp_r=
ecv()
>=20
> Call tipc_rcv() only if bearer is up in tipc_udp_recv().
> Fixes a rare TIPC div-by-zero crash in tipc_node_calculate_timer():
>=20
> We're enabling a bearer, but it's not yet up and fully initialized.
> At the same time we receive a discovery packet, and in tipc_udp_recv() we
> end up calling tipc_rcv() with the not-yet-initialized bearer, causing la=
ter a
> div-by-zero crash in tipc_node_calculate_timer().
>=20
> [   12.590450] Own node address <1.1.1>, network identity 1
> [   12.668088] divide error: 0000 [#1] SMP
> [   12.676952] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.14.2-dirty #1
> [   12.679225] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIO=
S
> 1.10.2-2.fc27 04/01/2014
> [   12.682095] task: ffff8c2a761edb80 task.stack: ffffa41cc0cac000
> [   12.684087] RIP: 0010:tipc_node_calculate_timer.isra.12+0x45/0x60 [tip=
c]
> [   12.686486] RSP: 0018:ffff8c2a7fc838a0 EFLAGS: 00010246
> [   12.688451] RAX: 0000000000000000 RBX: ffff8c2a5b382600 RCX:
> 0000000000000000
> [   12.691197] RDX: 0000000000000000 RSI: ffff8c2a5b382600 RDI:
> ffff8c2a5b382600
> [   12.693945] RBP: ffff8c2a7fc838b0 R08: 0000000000000001 R09:
> 0000000000000001
> [   12.696632] R10: 0000000000000000 R11: 0000000000000000 R12:
> ffff8c2a5d8949d8
> [   12.699491] R13: ffffffff95ede400 R14: 0000000000000000 R15:
> ffff8c2a5d894800
> [   12.702338] FS:  0000000000000000(0000) GS:ffff8c2a7fc80000(0000)
> knlGS:0000000000000000
> [   12.705099] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   12.706776] CR2: 0000000001bb9440 CR3: 00000000bd009001 CR4:
> 00000000003606e0
> [   12.708847] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
> 0000000000000000
> [   12.711016] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
> 0000000000000400
> [   12.712627] Call Trace:
> [   12.713390]  <IRQ>
> [   12.714011]  tipc_node_check_dest+0x2e8/0x350 [tipc]
> [   12.715286]  tipc_disc_rcv+0x14d/0x1d0 [tipc]
> [   12.716370]  tipc_rcv+0x8b0/0xd40 [tipc]
> [   12.717396]  ? minmax_running_min+0x2f/0x60
> [   12.718248]  ? dst_alloc+0x4c/0xa0
> [   12.718964]  ? tcp_ack+0xaf1/0x10b0
> [   12.719658]  ? tipc_udp_is_known_peer+0xa0/0xa0 [tipc]
> [   12.720634]  tipc_udp_recv+0x71/0x1d0 [tipc]
> [   12.721459]  ? dst_alloc+0x4c/0xa0
> [   12.722130]  udp_queue_rcv_skb+0x264/0x490
> [   12.722924]  __udp4_lib_rcv+0x21e/0x990
> [   12.723670]  ? ip_route_input_rcu+0x2dd/0xbf0
> [   12.724442]  ? tcp_v4_rcv+0x958/0xa40
> [   12.725039]  udp_rcv+0x1a/0x20
> [   12.725587]  ip_local_deliver_finish+0x97/0x1d0
> [   12.726323]  ip_local_deliver+0xaf/0xc0
> [   12.726959]  ? ip_route_input_noref+0x19/0x20
> [   12.727689]  ip_rcv_finish+0xdd/0x3b0
> [   12.728307]  ip_rcv+0x2ac/0x360
> [   12.728839]  __netif_receive_skb_core+0x6fb/0xa90
> [   12.729580]  ? udp4_gro_receive+0x1a7/0x2c0
> [   12.730274]  __netif_receive_skb+0x1d/0x60
> [   12.730953]  ? __netif_receive_skb+0x1d/0x60
> [   12.731637]  netif_receive_skb_internal+0x37/0xd0
> [   12.732371]  napi_gro_receive+0xc7/0xf0
> [   12.732920]  receive_buf+0x3c3/0xd40
> [   12.733441]  virtnet_poll+0xb1/0x250
> [   12.733944]  net_rx_action+0x23e/0x370
> [   12.734476]  __do_softirq+0xc5/0x2f8
> [   12.734922]  irq_exit+0xfa/0x100
> [   12.735315]  do_IRQ+0x4f/0xd0
> [   12.735680]  common_interrupt+0xa2/0xa2
> [   12.736126]  </IRQ>
> [   12.736416] RIP: 0010:native_safe_halt+0x6/0x10
> [   12.736925] RSP: 0018:ffffa41cc0cafe90 EFLAGS: 00000246 ORIG_RAX:
> ffffffffffffff4d
> [   12.737756] RAX: 0000000000000000 RBX: ffff8c2a761edb80 RCX:
> 0000000000000000
> [   12.738504] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000000000000
> [   12.739258] RBP: ffffa41cc0cafe90 R08: 0000014b5b9795e5 R09:
> ffffa41cc12c7e88
> [   12.740118] R10: 0000000000000000 R11: 0000000000000000 R12:
> 0000000000000002
> [   12.740964] R13: ffff8c2a761edb80 R14: 0000000000000000 R15:
> 0000000000000000
> [   12.741831]  default_idle+0x2a/0x100
> [   12.742323]  arch_cpu_idle+0xf/0x20
> [   12.742796]  default_idle_call+0x28/0x40
> [   12.743312]  do_idle+0x179/0x1f0
> [   12.743761]  cpu_startup_entry+0x1d/0x20
> [   12.744291]  start_secondary+0x112/0x120
> [   12.744816]  secondary_startup_64+0xa5/0xa5
> [   12.745367] Code: b9 f4 01 00 00 48 89 c2 48 c1 ea 02 48 3d d3 07 00
> 00 48 0f 47 d1 49 8b 0c 24 48 39 d1 76 07 49 89 14 24 48 89 d1 31 d2 48
> 89 df <48> f7 f1 89 c6 e8 81 6e ff ff 5b 41 5c 5d c3 66 90 66 2e 0f 1f
> [   12.747527] RIP: tipc_node_calculate_timer.isra.12+0x45/0x60 [tipc] RS=
P:
> ffff8c2a7fc838a0
> [   12.748555] ---[ end trace 1399ab83390650fd ]---
> [   12.749296] Kernel panic - not syncing: Fatal exception in interrupt
> [   12.750123] Kernel Offset: 0x13200000 from 0xffffffff82000000
> (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [   12.751215] Rebooting in 60 seconds..
>=20
> Fixes: c9b64d492b1f ("tipc: add replicast peer discovery")
> Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
> ---
>  net/tipc/udp_media.c | 29 +++++++----------------------
>  1 file changed, 7 insertions(+), 22 deletions(-)
>=20
> diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index
> ecca64fc6a6f..599e7be92024 100644
> --- a/net/tipc/udp_media.c
> +++ b/net/tipc/udp_media.c
> @@ -344,42 +344,27 @@ static int tipc_udp_recv(struct sock *sk, struct
> sk_buff *skb)
>  	struct udp_bearer *ub;
>  	struct tipc_bearer *b;
>  	struct tipc_msg *hdr;
> -	int err;
>=20
>  	ub =3D rcu_dereference_sk_user_data(sk);
>  	if (!ub) {
>  		pr_err_ratelimited("Failed to get UDP bearer reference");
> -		goto out;
> +		kfree_skb(skb);
> +		return 0;
>  	}
>  	skb_pull(skb, sizeof(struct udphdr));
>  	hdr =3D buf_msg(skb);
>=20
>  	rcu_read_lock();
>  	b =3D rcu_dereference_rtnl(ub->bearer);
> -	if (!b)
> -		goto rcu_out;
> -
> -	if (b && test_bit(0, &b->up)) {
> +	if (likely(b && test_bit(0, &b->up))) {
>  		tipc_rcv(sock_net(sk), skb, b);
> -		rcu_read_unlock();
> -		return 0;
> -	}
> -
> -	if (unlikely(msg_user(hdr) =3D=3D LINK_CONFIG)) {
> -		err =3D tipc_udp_rcast_disc(b, skb);
> -		if (err)
> -			goto rcu_out;
> +	} else {
> +		if (unlikely(b && msg_user(hdr) =3D=3D LINK_CONFIG))
> +			tipc_udp_rcast_disc(b, skb);
> +		kfree_skb(skb);
>  	}
> -
> -	tipc_rcv(sock_net(sk), skb, b);
>  	rcu_read_unlock();
>  	return 0;
> -
> -rcu_out:
> -	rcu_read_unlock();
> -out:
> -	kfree_skb(skb);
> -	return 0;
>  }
>=20
>  static int enable_mcast(struct udp_bearer *ub, struct udp_media_addr
> *remote)
> --
> 2.14.3