From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com, syzbot+050927a651272b145a5d@syzkaller.appspotmail.com, syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com, syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com, Linus Lüssing, Sven Eckelmann, Simon Wunderlich
Subject: [PATCH 4.19 040/276] batman-adv: mcast: fix multicast tt/tvlv worker locking
Date: Wed, 29 May 2019 20:03:18 -0700
Message-Id: <20190530030526.868517114@linuxfoundation.org>
In-Reply-To: <20190530030523.133519668@linuxfoundation.org>
References: <20190530030523.133519668@linuxfoundation.org>

From: Linus Lüssing

commit a3c7cd0cdf1107f891aff847ad481e34df727055 upstream.

Syzbot has reported some issues with the locking assumptions made for
the multicast tt/tvlv worker: It was able to trigger the WARN_ON() in
batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add().
While hard/not reproducible for us so far, it seems that the
delayed_work_pending() we use might not be quite safe from reordering.

Therefore this patch adds an explicit, new spinlock to protect the
update of the mla_list and flags in bat_priv and then removes the
WARN_ON(delayed_work_pending()).

Reported-by: syzbot+83f2d54ec6b7e417e13f@syzkaller.appspotmail.com
Reported-by: syzbot+050927a651272b145a5d@syzkaller.appspotmail.com
Reported-by: syzbot+979ffc89b87309b1b94b@syzkaller.appspotmail.com
Reported-by: syzbot+f9f3f388440283da2965@syzkaller.appspotmail.com
Fixes: cbebd363b2e9 ("batman-adv: Use own timer for multicast TT and TVLV updates")
Signed-off-by: Linus Lüssing
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/main.c | 1 + net/batman-adv/multicast.c | 11 +++-------- net/batman-adv/types.h | 5 +++++ 3 files changed, 9 insertions(+), 8 deletions(-) --- a/net/batman-adv/main.c +++ b/net/batman-adv/main.c @@ -160,6 +160,7 @@ int batadv_mesh_init(struct net_device * spin_lock_init(&bat_priv->tt.commit_lock); spin_lock_init(&bat_priv->gw.list_lock); #ifdef CONFIG_BATMAN_ADV_MCAST + spin_lock_init(&bat_priv->mcast.mla_lock); spin_lock_init(&bat_priv->mcast.want_lists_lock); #endif spin_lock_init(&bat_priv->tvlv.container_list_lock); --- a/net/batman-adv/multicast.c +++ b/net/batman-adv/multicast.c @@ -325,8 +325,6 @@ static void batadv_mcast_mla_list_free(s * translation table except the ones listed in the given mcast_list. * * If mcast_list is NULL then all are retracted. - * - * Do not call outside of the mcast worker! (or cancel mcast worker first) */ static void batadv_mcast_mla_tt_retract(struct batadv_priv *bat_priv, struct hlist_head *mcast_list) @@ -334,8 +332,6 @@ static void batadv_mcast_mla_tt_retract( struct batadv_hw_addr *mcast_entry; struct hlist_node *tmp; - WARN_ON(delayed_work_pending(&bat_priv->mcast.work)); - hlist_for_each_entry_safe(mcast_entry, tmp, &bat_priv->mcast.mla_list, list) { if (mcast_list && @@ -359,8 +355,6 @@ static void batadv_mcast_mla_tt_retract( * * Adds multicast listener announcements from the given mcast_list to the * translation table if they have not been added yet. - * - * Do not call outside of the mcast worker! (or cancel mcast worker first) */ static void batadv_mcast_mla_tt_add(struct batadv_priv *bat_priv, struct hlist_head *mcast_list) @@ -368,8 +362,6 @@ static void batadv_mcast_mla_tt_add(stru struct batadv_hw_addr *mcast_entry; struct hlist_node *tmp; - WARN_ON(delayed_work_pending(&bat_priv->mcast.work)); - if (!mcast_list) return; 
@@ -658,7 +650,10 @@ static void batadv_mcast_mla_update(stru priv_mcast = container_of(delayed_work, struct batadv_priv_mcast, work); bat_priv = container_of(priv_mcast, struct batadv_priv, mcast); + spin_lock(&bat_priv->mcast.mla_lock); __batadv_mcast_mla_update(bat_priv); + spin_unlock(&bat_priv->mcast.mla_lock); + batadv_mcast_start_timer(bat_priv); } --- a/net/batman-adv/types.h +++ b/net/batman-adv/types.h @@ -1216,6 +1216,11 @@ struct batadv_priv_mcast { unsigned char bridged:1; /** + * @mla_lock: a lock protecting mla_list and mla_flags + */ + spinlock_t mla_lock; + + /** * @num_want_all_unsnoopables: number of nodes wanting unsnoopable IP * traffic */
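
Review bot: The kernel-doc for batadv_mcast_mla_tt_retract() and batadv_mcast_mla_tt_add() in net/batman-adv/multicast.c is left without any locking rule: the line "Do not call outside of the mcast worker! (or cancel mcast worker first)" and the WARN_ON(delayed_work_pending(&bat_priv->mcast.work)) are both dropped, and nothing says what a caller must now guarantee. Please document the replacement rule in the same comment blocks, for example that the caller holds bat_priv->mcast.mla_lock, and say what applies to any caller that is not the worker, since those call sites are not visible in this patch. If every caller does hold the lock, lockdep_assert_held(&bat_priv->mcast.mla_lock) would keep a runtime check where the WARN_ON() used to be.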
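
Review bot: In the batadv_mcast_mla_update() hunk (net/batman-adv/multicast.c, @@ -658), mla_lock is acquired only around __batadv_mcast_mla_update() and no other hunk in this patch takes it, so as posted the lock has a single taker. The changelog attributes the WARN_ON() reports to possible reordering around delayed_work_pending(), but it does not name the second path that touches mla_list and the flags concurrently; either that path should take mla_lock as well or the changelog should explain why serializing the worker alone is enough. It would also help to state why plain spin_lock() is sufficient here rather than spin_lock_bh(), i.e. that the protected data is never accessed under this lock from softirq context.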
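
Review bot: The kernel-doc added for mla_lock in net/batman-adv/types.h says it protects "mla_list and mla_flags", while the changelog speaks of "the mla_list and flags in bat_priv" and no member named mla_flags appears in the visible context of struct batadv_priv_mcast. For this 4.19 backport, please check that the comment names the fields as they exist in this tree, so the documented scope of the lock matches the structure it sits in.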