From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Cong Wang <xiyou.wangcong@gmail.com>,
Johannes Berg <johannes.berg@intel.com>,
kernel test robot <lkp@intel.com>,
Sean Tranchetti <stranche@codeaurora.org>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 24/58] genetlink: remove genl_bind
Date: Mon, 20 Jul 2020 17:36:40 +0200 [thread overview]
Message-ID: <20200720152748.353346524@linuxfoundation.org> (raw)
In-Reply-To: <20200720152747.127988571@linuxfoundation.org>
From: Sean Tranchetti <stranche@codeaurora.org>
[ Upstream commit 1e82a62fec613844da9e558f3493540a5b7a7b67 ]
A potential deadlock can occur during registering or unregistering a
new generic netlink family between the main nl_table_lock and the
cb_lock where each thread wants the lock held by the other, as
demonstrated below.
1) Thread 1 is performing a netlink_bind() operation on a socket. As part
of this call, it will call netlink_lock_table(), incrementing the
nl_table_users count to 1.
2) Thread 2 is registering (or unregistering) a genl_family via the
genl_(un)register_family() API. The cb_lock semaphore will be taken for
writing.
3) Thread 1 will call genl_bind() as part of the bind operation to handle
subscribing to GENL multicast groups at the request of the user. It will
attempt to take the cb_lock semaphore for reading, but it will fail and
be scheduled away, waiting for Thread 2 to finish the write.
4) Thread 2 will call netlink_table_grab() during the (un)registration
call. However, as Thread 1 has incremented nl_table_users, it will not
be able to proceed, and both threads will be stuck waiting for the
other.
genl_bind() is a noop, unless a genl_family implements the mcast_bind()
function to handle setting up family-specific multicast operations. Since
no one in-tree uses this functionality as Cong pointed out, simply removing
the genl_bind() function will remove the possibility for deadlock, as there
is no attempt by Thread 1 above to take the cb_lock semaphore.
Fixes: c380d9a7afff ("genetlink: pass multicast bind/unbind to families")
Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Johannes Berg <johannes.berg@intel.com>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/genetlink.h | 8 -------
net/netlink/genetlink.c | 52 ------------------------------------------------
2 files changed, 60 deletions(-)
--- a/include/net/genetlink.h
+++ b/include/net/genetlink.h
@@ -33,12 +33,6 @@ struct genl_info;
* do additional, common, filtering and return an error
* @post_doit: called after an operation's doit callback, it may
* undo operations done by pre_doit, for example release locks
- * @mcast_bind: a socket bound to the given multicast group (which
- * is given as the offset into the groups array)
- * @mcast_unbind: a socket was unbound from the given multicast group.
- * Note that unbind() will not be called symmetrically if the
- * generic netlink family is removed while there are still open
- * sockets.
* @attrbuf: buffer to store parsed attributes
* @family_list: family list
* @mcgrps: multicast groups used by this family (private)
@@ -61,8 +55,6 @@ struct genl_family {
void (*post_doit)(const struct genl_ops *ops,
struct sk_buff *skb,
struct genl_info *info);
- int (*mcast_bind)(struct net *net, int group);
- void (*mcast_unbind)(struct net *net, int group);
struct nlattr ** attrbuf; /* private */
const struct genl_ops * ops; /* private */
const struct genl_multicast_group *mcgrps; /* private */
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1007,63 +1007,11 @@ static struct genl_multicast_group genl_
{ .name = "notify", },
};
-static int genl_bind(struct net *net, int group)
-{
- int i, err = -ENOENT;
-
- down_read(&cb_lock);
- for (i = 0; i < GENL_FAM_TAB_SIZE; i++) {
- struct genl_family *f;
-
- list_for_each_entry(f, genl_family_chain(i), family_list) {
- if (group >= f->mcgrp_offset &&
- group < f->mcgrp_offset + f->n_mcgrps) {
- int fam_grp = group - f->mcgrp_offset;
-
- if (!f->netnsok && net != &init_net)
- err = -ENOENT;
- else if (f->mcast_bind)
- err = f->mcast_bind(net, fam_grp);
- else
- err = 0;
- break;
- }
- }
- }
- up_read(&cb_lock);
-
- return err;
-}
-
-static void genl_unbind(struct net *net, int group)
-{
- int i;
-
- down_read(&cb_lock);
- for (i = 0; i < GENL_FAM_TAB_SIZE; i++) {
- struct genl_family *f;
-
- list_for_each_entry(f, genl_family_chain(i), family_list) {
- if (group >= f->mcgrp_offset &&
- group < f->mcgrp_offset + f->n_mcgrps) {
- int fam_grp = group - f->mcgrp_offset;
-
- if (f->mcast_unbind)
- f->mcast_unbind(net, fam_grp);
- break;
- }
- }
- }
- up_read(&cb_lock);
-}
-
static int __net_init genl_pernet_init(struct net *net)
{
struct netlink_kernel_cfg cfg = {
.input = genl_rcv,
.flags = NL_CFG_F_NONROOT_RECV,
- .bind = genl_bind,
- .unbind = genl_unbind,
};
/* we'll bump the group number right afterwards */
next prev parent reply other threads:[~2020-07-20 15:38 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-20 15:36 [PATCH 4.4 00/58] 4.4.231-rc1 review Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 01/58] KVM: s390: reduce number of IO pins to 1 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 02/58] spi: spidev: fix a race between spidev_release and spidev_remove Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 03/58] spi: spidev: fix a potential use-after-free in spidev_release() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 04/58] scsi: mptscsih: Fix read sense data size Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 05/58] net: cxgb4: fix return error value in t4_prep_fw Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 06/58] smsc95xx: check return value of smsc95xx_reset Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 07/58] smsc95xx: avoid memory leak in smsc95xx_bind Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 08/58] ALSA: compress: fix partial_drain completion state Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 09/58] arm64: kgdb: Fix single-step exception handling oops Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 10/58] ALSA: opl3: fix infoleak in opl3 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 11/58] ALSA: hda - let hs_mic be picked ahead of hp_mic Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 12/58] ALSA: usb-audio: add quirk for MacroSilicon MS2109 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 13/58] KVM: x86: bit 8 of non-leaf PDPEs is not reserved Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 14/58] Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 15/58] btrfs: fix fatal extent_buffer readahead vs releasepage race Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 16/58] drm/radeon: fix double free Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 17/58] ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 18/58] ARC: elf: use right ELF_ARCH Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 19/58] bnxt_en: fix NULL dereference in case SR-IOV configuration fails Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 20/58] ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 21/58] l2tp: remove skb_dst_set() from l2tp_xmit_skb() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 22/58] llc: make sure applications use ARPHRD_ETHER Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 23/58] net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb Greg Kroah-Hartman
2020-07-20 15:36 ` Greg Kroah-Hartman [this message]
2020-07-20 15:36 ` [PATCH 4.4 25/58] tcp: make sure listeners dont initialize congestion-control state Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 26/58] tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 27/58] tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 28/58] tcp: md5: allow changing MD5 keys in all socket states Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 29/58] i2c: eg20t: Load module automatically if ID matches Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 30/58] Revert "usb/ehci-platform: Set PM runtime as active on resume" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 31/58] Revert "usb/xhci-plat: " Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 32/58] Revert "usb/ohci-platform: Fix a warning when hibernating" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 33/58] usb: gadget: udc: atmel: fix uninitialized read in debug printk Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 34/58] staging: comedi: verify array index is correct before using it Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 35/58] perf stat: Zero all the ena and run array slot stats for interval mode Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 36/58] mtd: rawnand: brcmnand: fix CS0 layout Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 37/58] HID: magicmouse: do not set up autorepeat Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 38/58] usb: core: Add a helper function to check the validity of EP type in URB Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 39/58] ALSA: line6: Perform sanity check for each URB creation Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 40/58] ALSA: usb-audio: Fix race against the error recovery URB submission Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 41/58] USB: c67x00: fix use after free in c67x00_giveback_urb Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 42/58] usb: chipidea: core: add wakeup support for extcon Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 43/58] usb: gadget: function: fix missing spinlock in f_uac1_legacy Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 44/58] USB: serial: iuu_phoenix: fix memory corruption Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 45/58] USB: serial: cypress_m8: enable Simply Automated UPB PIM Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 46/58] USB: serial: ch341: add new Product ID for CH340 Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 47/58] USB: serial: option: add GosunCn GM500 series Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 48/58] USB: serial: option: add Quectel EG95 LTE modem Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 49/58] virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 50/58] fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 51/58] mei: bus: dont clean driver pointer Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 52/58] Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 53/58] uio_pdrv_genirq: fix use without device tree and no interrupt Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 54/58] MIPS: Fix build for LTS kernel caused by backporting lpj adjustment Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 55/58] hwmon: (emc2103) fix unable to change fan pwm1_enable attribute Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 56/58] dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 57/58] misc: atmel-ssc: lock with mutex instead of spinlock Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 58/58] sched/fair: handle case of task_h_load() returning 0 Greg Kroah-Hartman
2020-07-20 23:54 ` [PATCH 4.4 00/58] 4.4.231-rc1 review Shuah Khan
2020-07-21 10:39 ` Naresh Kamboju
2020-07-21 11:57 ` Pavel Machek
2020-07-21 13:16 ` Thierry Reding
2020-07-21 16:36 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200720152748.353346524@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=stable@vger.kernel.org \
--cc=stranche@codeaurora.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).