From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Ying Xue <ying.xue@windriver.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.9 22/98] tipc: fix a race condition of releasing subscriber object
Date: Thu, 25 Oct 2018 10:13:07 -0400 [thread overview]
Message-ID: <20181025141423.213774-22-sashal@kernel.org> (raw)
In-Reply-To: <20181025141423.213774-1-sashal@kernel.org>
From: Ying Xue <ying.xue@windriver.com>
[ Upstream commit fd849b7c41f0fabfe783d0691a63c5518e8ebc99 ]
No matter whether a request is inserted into workqueue as a work item
to cancel a subscription or to delete a subscription's subscriber
asynchronously, the work items may be executed in different workers.
As a result, it doesn't mean that one request which is raised prior to
another request is definitely handled before the latter. By contrast,
if the latter request is executed before the former request, below
error may happen:
[ 656.183644] BUG: spinlock bad magic on CPU#0, kworker/u8:0/12117
[ 656.184487] general protection fault: 0000 [#1] SMP
[ 656.185160] Modules linked in: tipc ip6_udp_tunnel udp_tunnel 9pnet_virtio 9p 9pnet virtio_net virtio_pci virtio_ring virtio [last unloaded: ip6_udp_tunnel]
[ 656.187003] CPU: 0 PID: 12117 Comm: kworker/u8:0 Not tainted 4.11.0-rc7+ #6
[ 656.187920] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 656.188690] Workqueue: tipc_rcv tipc_recv_work [tipc]
[ 656.189371] task: ffff88003f5cec40 task.stack: ffffc90004448000
[ 656.190157] RIP: 0010:spin_bug+0xdd/0xf0
[ 656.190678] RSP: 0018:ffffc9000444bcb8 EFLAGS: 00010202
[ 656.191375] RAX: 0000000000000034 RBX: ffff88003f8d1388 RCX: 0000000000000000
[ 656.192321] RDX: ffff88003ba13708 RSI: ffff88003ba0cd08 RDI: ffff88003ba0cd08
[ 656.193265] RBP: ffffc9000444bcd0 R08: 0000000000000030 R09: 000000006b6b6b6b
[ 656.194208] R10: ffff8800bde3e000 R11: 00000000000001b4 R12: 6b6b6b6b6b6b6b6b
[ 656.195157] R13: ffffffff81a3ca64 R14: ffff88003f8d1388 R15: ffff88003f8d13a0
[ 656.196101] FS: 0000000000000000(0000) GS:ffff88003ba00000(0000) knlGS:0000000000000000
[ 656.197172] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 656.197935] CR2: 00007f0b3d2e6000 CR3: 000000003ef9e000 CR4: 00000000000006f0
[ 656.198873] Call Trace:
[ 656.199210] do_raw_spin_lock+0x66/0xa0
[ 656.199735] _raw_spin_lock_bh+0x19/0x20
[ 656.200258] tipc_subscrb_subscrp_delete+0x28/0xf0 [tipc]
[ 656.200990] tipc_subscrb_rcv_cb+0x45/0x260 [tipc]
[ 656.201632] tipc_receive_from_sock+0xaf/0x100 [tipc]
[ 656.202299] tipc_recv_work+0x2b/0x60 [tipc]
[ 656.202872] process_one_work+0x157/0x420
[ 656.203404] worker_thread+0x69/0x4c0
[ 656.203898] kthread+0x138/0x170
[ 656.204328] ? process_one_work+0x420/0x420
[ 656.204889] ? kthread_create_on_node+0x40/0x40
[ 656.205527] ret_from_fork+0x29/0x40
[ 656.206012] Code: 48 8b 0c 25 00 c5 00 00 48 c7 c7 f0 24 a3 81 48 81 c1 f0 05 00 00 65 8b 15 61 ef f5 7e e8 9a 4c 09 00 4d 85 e4 44 8b 4b 08 74 92 <45> 8b 84 24 40 04 00 00 49 8d 8c 24 f0 05 00 00 eb 8d 90 0f 1f
[ 656.208504] RIP: spin_bug+0xdd/0xf0 RSP: ffffc9000444bcb8
[ 656.209798] ---[ end trace e2a800e6eb0770be ]---
In above scenario, the request of deleting subscriber was performed
earlier than the request of canceling a subscription although the
latter was issued before the former, which means tipc_subscrb_delete()
was called before tipc_subscrp_cancel(). As a result, when
tipc_subscrb_subscrp_delete() called by tipc_subscrp_cancel() was
executed to cancel a subscription, the subscription's subscriber
refcnt had been decreased to 1. After tipc_subscrp_delete() where
the subscriber was freed because its refcnt was decremented to zero,
but the subscriber's lock had to be released, as a consequence, panic
happened.
By contrast, if we increase subscriber's refcnt before
tipc_subscrb_subscrp_delete() is called in tipc_subscrp_cancel(),
the panic issue can be avoided.
Fixes: d094c4d5f5c7 ("tipc: add subscription refcount to avoid invalid delete")
Reported-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/subscr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index 271cd66e4b3b..c2646446e157 100644
--- a/net/tipc/subscr.c
+++ b/net/tipc/subscr.c
@@ -256,7 +256,9 @@ static void tipc_subscrp_delete(struct tipc_subscription *sub)
static void tipc_subscrp_cancel(struct tipc_subscr *s,
struct tipc_subscriber *subscriber)
{
+ tipc_subscrb_get(subscriber);
tipc_subscrb_subscrp_delete(subscriber, s);
+ tipc_subscrb_put(subscriber);
}
static struct tipc_subscription *tipc_subscrp_create(struct net *net,
--
2.17.1
next prev parent reply other threads:[~2018-10-25 14:15 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-25 14:12 [PATCH AUTOSEL 4.9 01/98] perf symbols: Fix memory corruption because of zero length symbols Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 02/98] mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 03/98] MIPS: microMIPS: Fix decoding of swsp16 instruction Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 04/98] MIPS: Handle non word sized instructions when examining frame Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 05/98] scsi: aacraid: Fix typo in blink status Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 06/98] f2fs: fix multiple f2fs_add_link() having same name for inline dentry Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 07/98] igb: Remove superfluous reset to PHY and page 0 selection Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 08/98] ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 09/98] PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 10/98] i2c: bcm2835: Avoid possible NULL ptr dereference Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 11/98] efi/fb: Correct PCI_STD_RESOURCE_END usage Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 12/98] ipv6: set rt6i_protocol properly in the route when it is installed Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 13/98] platform/x86: acer-wmi: setup accelerometer when ACPI device was found Sasha Levin
2018-10-25 14:12 ` [PATCH AUTOSEL 4.9 14/98] IB/ipoib: Do not warn if IPoIB debugfs doesn't exist Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 15/98] IB/core: Fix the validations of a multicast LID in attach or detach operations Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 16/98] orangefs: off by ones in xattr size checks Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 17/98] rxe: Fix a sleep-in-atomic bug in post_one_send Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 18/98] nvme-pci: fix CMB sysfs file removal in reset path Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 19/98] net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 20/98] net/mlx5: Fix command completion after timeout access invalid structure Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 21/98] tipc: Fix tipc_sk_reinit handling of -EAGAIN Sasha Levin
2018-10-25 14:13 ` Sasha Levin [this message]
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 23/98] bnxt_en: Don't use rtnl lock to protect link change logic in workqueue Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 24/98] ath10k: fix NAPI enable/disable symmetry for AHB interface Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 25/98] ARM: dts: bcm283x: Reserve first page for firmware Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 26/98] btrfs: fiemap: Cache and merge fiemap extent before submit it to user Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 27/98] ata: sata_rcar: Handle return value of clk_prepare_enable Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 28/98] reset: hi6220: Set module license so that it can be loaded Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 29/98] ASoC: Intel: Skylake: Fix to parse consecutive string tkns in manifest Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 30/98] arch/sparc: increase CONFIG_NODES_SHIFT on SPARC64 to 5 Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 31/98] mac80211: fix TX aggregation start/stop callback race Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 32/98] libata: fix error checking in in ata_parse_force_one() Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 33/98] ARM: dts: imx6ul-14x14-evk: Add ksz8081 phy properties Sasha Levin
2018-10-29 14:07 ` Leonard Crestez
2018-10-29 18:46 ` Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 34/98] net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 35/98] qlcnic: Fix tunnel offload for 82xx adapters Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 36/98] x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 37/98] ARM: 8677/1: boot/compressed: fix decompressor header layout for v7-M Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 38/98] gpu: ipu-v3: Fix CSI selection for VDIC Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 39/98] elevator: fix truncation of icq_cache_name Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 40/98] net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 41/98] Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 42/98] ufs: we need to sync inode before freeing it Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 43/98] net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 44/98] ip6_tunnel: Correct tos value in collect_md mode Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 45/98] net/mlx5: Fix driver load error flow when firmware is stuck Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 46/98] perf evsel: Fix probing of precise_ip level for default cycles event Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 47/98] perf probe: Fix probe definition for inlined functions Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 48/98] net/mlx5: Fix health work queue spin lock to IRQ safe Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 49/98] usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 50/98] usb: renesas_usbhs: gadget: fix unused-but-set-variable warning Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 51/98] usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 52/98] clk: samsung: Fix m2m scaler clock on Exynos542x Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 53/98] ptr_ring: fix up after recent ptr_ring changes Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 54/98] staging: wilc1000: Fix problem with wrong vif index Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 55/98] rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 56/98] iio: adc: Revert "axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications" Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 57/98] qed: Warn PTT usage by wrong hw-function Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 58/98] ocfs2: fix deadlock caused by recursive locking in xattr Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 59/98] net: cdc_ncm: GetNtbFormat endian fix Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 60/98] sctp: use right member as the param of list_for_each_entry Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 61/98] ALSA: hda - No loopback on ALC299 codec Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 62/98] x86/power: Fix some ordering bugs in __restore_processor_context() Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 63/98] ath10k: convert warning about non-existent OTP board id to debug message Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 64/98] ipv6: fix cleanup ordering for ip6_mr failure Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 65/98] IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 66/98] IB/rxe: put the pool on allocation failure Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 67/98] nbd: only set MSG_MORE when we have more to send Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 68/98] mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()' Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 69/98] IB/mlx5: Avoid passing an invalid QP type to firmware Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 70/98] scsi: qla2xxx: Avoid double completion of abort command Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 71/98] drm: bochs: Don't remove uninitialized fbdev framebuffer Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 72/98] i40e: avoid NVM acquire deadlock during NVM update Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 73/98] Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" Sasha Levin
2018-10-25 14:13 ` [PATCH AUTOSEL 4.9 74/98] Btrfs: incremental send, fix invalid memory access Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 75/98] drm/msm: Fix possible null dereference on failure of get_pages() Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 76/98] ARM: tegra: Fix ULPI regression on Tegra20 Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 77/98] module: fix DEBUG_SET_MODULE_RONX typo Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 78/98] iio: pressure: zpa2326: Remove always-true check which confuses gcc Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 79/98] l2tp: remove configurable payload offset Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 80/98] macsec: fix memory leaks when skb_to_sgvec fails Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 81/98] perf/core: Fix locking for children siblings group read Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 82/98] cifs: Use ULL suffix for 64-bit constant Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 83/98] futex: futex_wake_op, do not fail on invalid op Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 84/98] ALSA: hda - Fix incorrect usage of IS_REACHABLE() Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 85/98] test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 86/98] xen-netfront: Update features after registering netdev Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 87/98] sparc64: Fix regression in pmdp_invalidate() Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 88/98] xen-netfront: Fix mismatched rtnl_unlock Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 89/98] enic: do not overwrite error code Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 90/98] bonding: ratelimit failed speed/duplex update warning Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 91/98] tty: serial: pl011: add ttyAMA for matching pl011 console Sasha Levin
2018-10-25 15:17 ` Sudeep Holla
2018-10-29 13:39 ` Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 92/98] nvmet: fix space padding in serial number Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 93/98] iio: buffer: fix the function signature to match implementation Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 94/98] x86/paravirt: Fix some warning messages Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 95/98] IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 96/98] libertas: call into generic suspend code before turning off power Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 97/98] xhci: Fix USB3 NULL pointer dereference at logical disconnect Sasha Levin
2018-10-25 14:14 ` [PATCH AUTOSEL 4.9 98/98] perf tests: Fix indexing when invoking subtests Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181025141423.213774-22-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=ying.xue@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).