Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2697267pxj;
        Mon, 31 May 2021 08:30:09 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzv2wIMk/E+vSiT9FwO5SKEYmWLXXMq9tGHTCNXjDYHfOnC+yJsiZ7TJGd3e2RS38x0A042
X-Received: by 2002:aa7:dc4f:: with SMTP id g15mr7601080edu.277.1622475008973;
        Mon, 31 May 2021 08:30:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622475008; cv=none;
        d=google.com; s=arc-20160816;
        b=DMFnqNoDibrHgJCzp1rgGlb3J7VJLIneDUhnYkJPZJTm99EbxRmeBBNp1jX4R7HqYD
         ZWLAVgTNSTlfvtHIeklIUPPTiWjYIY9YPx+NbFxR2yTaZ12ZNXNsuEJC2E1BPYPt3Sz/
         Dswi2rUFYOev8Dh5ImaDCYZ0ytXt7tsV0tkALf2hE5rTJLoZQcCCwiip9TmtuqNDAhOd
         ++3Rjwg8XgymhwpuGJjUQrTzjvj7dpEcHQPH3HBIBpd3a4B/gMqrYgKuul/TtCD0DGMg
         Ji78rtTUFi3pp4LPSncnTnUCxGggABMXFGQdCItt6ttoElMebMLBWaHNzcRfhfnN1Bo+
         IrDA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=A0Vm1Uc1zh2UMgtzeS9oflDJ5ZR0qMcirVS/46rGqGI=;
        b=COT1hyVffTMozMLGJdR00n+2Yo2IKnIaf89ZxGn7E1R1ysQ+YjYskQ6eSFDe7Vz9HW
         pwKCaZFDI+u/anG1i5l/8Vk3N9YfU9T5mfFqhdcIZsDii6OXoCIEPCKkz/uU/qnl5PeC
         AvhA2A9pT1q4M5qRCc1crzKjuvOiF67v8F548me3oYmz5aqPRpjHdfI+iZ/A5RdIOIwk
         KmjbFDnKwna1DFDgiPqcty2Q/6Abw8a0pDo0cooU/deWuO9fBGJfhblobBKl0zd7GRRV
         3FbGFZCRhXdNVkMFoULTjXOSmagmYfHlVYqJTPM2Z+E1QocEQuNAdvTHi+MyGIxbGYFu
         h32A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=m1ZEvdQn;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g3si8686108edv.12.2021.05.31.08.29.46;
        Mon, 31 May 2021 08:30:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=m1ZEvdQn;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234858AbhEaP36 (ORCPT <rfc822;luke.ovalle@gmail.com>
        + 99 others); Mon, 31 May 2021 11:29:58 -0400
Received: from mail.kernel.org ([198.145.29.99]:43916 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S233475AbhEaOTI (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 31 May 2021 10:19:08 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 0EB19619AC;
        Mon, 31 May 2021 13:44:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1622468661;
        bh=83hgqXB9c02SMS7hFiF02T7zD6l8Ptsb4vG8PVf3AIE=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=m1ZEvdQnlpAm2aiSSa464oOu0hSHr0F66A2yGI+J1UDbHSqwBYBQhqS344bjJqcRG
         fWcrTRa28Q+lFl16KK7FA7svvT7wiS2sB1Ku9fTt7WAVAfJgg7VIp9Pv7cVCfwXm6S
         kkjYJWuOYxhE3JNM+TyZ/iZ59viWdJ9XM6eA9AT8=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Shuang Li <shuali@redhat.com>,
        Xin Long <lucien.xin@gmail.com>, Jon Maloy <jmaloy@redhat.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.4 076/177] tipc: wait and exit until all work queues are done
Date:   Mon, 31 May 2021 15:13:53 +0200
Message-Id: <20210531130650.520391414@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130647.887605866@linuxfoundation.org>
References: <20210531130647.887605866@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xin Long <lucien.xin@gmail.com>

commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 upstream.

On some host, a crash could be triggered simply by repeating these
commands several times:

  # modprobe tipc
  # tipc bearer enable media udp name UDP1 localip 127.0.0.1
  # rmmod tipc

  [] BUG: unable to handle kernel paging request at ffffffffc096bb00
  [] Workqueue: events 0xffffffffc096bb00
  [] Call Trace:
  []  ? process_one_work+0x1a7/0x360
  []  ? worker_thread+0x30/0x390
  []  ? create_worker+0x1a0/0x1a0
  []  ? kthread+0x116/0x130
  []  ? kthread_flush_work_fn+0x10/0x10
  []  ? ret_from_fork+0x35/0x40

When removing the TIPC module, the UDP tunnel sock will be delayed to
release in a work queue as sock_release() can't be done in rtnl_lock().
If the work queue is schedule to run after the TIPC module is removed,
kernel will crash as the work queue function cleanup_beareri() code no
longer exists when trying to invoke it.

To fix it, this patch introduce a member wq_count in tipc_net to track
the numbers of work queues in schedule, and  wait and exit until all
work queues are done in tipc_exit_net().

Fixes: d0f91938bede ("tipc: add ip/udp media type")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/core.c      |    3 +++
 net/tipc/core.h      |    2 ++
 net/tipc/udp_media.c |    2 ++
 3 files changed, 7 insertions(+)

--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -107,6 +107,9 @@ static void __net_exit tipc_exit_net(str
 	tipc_bcast_stop(net);
 	tipc_nametbl_stop(net);
 	tipc_sk_rht_destroy(net);
+
+	while (atomic_read(&tn->wq_count))
+		cond_resched();
 }
 
 static struct pernet_operations tipc_net_ops = {
--- a/net/tipc/core.h
+++ b/net/tipc/core.h
@@ -143,6 +143,8 @@ struct tipc_net {
 
 	/* Work item for net finalize */
 	struct tipc_net_work final_work;
+	/* The numbers of work queues in schedule */
+	atomic_t wq_count;
 };
 
 static inline struct tipc_net *tipc_net(struct net *net)
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -802,6 +802,7 @@ static void cleanup_bearer(struct work_s
 		kfree_rcu(rcast, rcu);
 	}
 
+	atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
 	dst_cache_destroy(&ub->rcast.dst_cache);
 	udp_tunnel_sock_release(ub->ubsock);
 	synchronize_net();
@@ -822,6 +823,7 @@ static void tipc_udp_disable(struct tipc
 	RCU_INIT_POINTER(ub->bearer, NULL);
 
 	/* sock_release need to be done outside of rtnl lock */
+	atomic_inc(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
 	INIT_WORK(&ub->work, cleanup_bearer);
 	schedule_work(&ub->work);
 }