From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shuang Li, Jon Maloy, Tung Nguyen, "David S. Miller", Sasha Levin
Subject: [PATCH 5.16 012/121] tipc: fix kernel panic when enabling bearer
Date: Mon, 14 Mar 2022 12:53:15 +0100
Message-Id: <20220314112744.468877112@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220314112744.120491875@linuxfoundation.org>
References: <20220314112744.120491875@linuxfoundation.org>
User-Agent: quilt/0.66
X-Mailing-List: linux-kernel@vger.kernel.org
From: Tung Nguyen

[ Upstream commit be4977b847f5d5cedb64d50eaaf2218c3a55a3a3 ]

When enabling a bearer on a node, a kernel panic is observed:

[ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]
...
[ 4.520030] Call Trace:
[ 4.520689]
[ 4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]
[ 4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]
[ 4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]
[ 4.525292]  tipc_rcv+0x5da/0x730 [tipc]
[ 4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0
[ 4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]
[ 4.528737]  __netif_receive_skb_list_core+0x20b/0x260
[ 4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0
[ 4.531450]  ? dev_gro_receive+0x4c2/0x680
[ 4.532512]  napi_complete_done+0x6f/0x180
[ 4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]
...

The node in question is receiving activate messages in another
thread after changing bearer status to allow message sending/
receiving in current thread:

thread 1                        | thread 2
--------                        | --------
                                |
tipc_enable_bearer()            |
  test_and_set_bit_lock()       |
  tipc_bearer_xmit_skb()        |
                                | tipc_l2_rcv_msg()
                                |   tipc_rcv()
                                |     __tipc_node_link_up()
                                |       tipc_link_build_state_msg()
                                |         tipc_link_build_proto_msg()
                                |           tipc_mon_prep()
                                |           {
                                |             ...
                                |             // null-pointer dereference
                                |             u16 gen = mon->dom_gen;
                                |             ...
                                |           }
  // Not being executed yet     |
  tipc_mon_create()             |
  {                             |
    ...                         |
    // allocate                 |
    mon = kzalloc();            |
    ...                         |
  }                             |

Monitoring pointer in thread 2 is dereferenced before monitoring data
is allocated in thread 1. This causes kernel panic.

This commit fixes it by allocating the monitoring data before enabling
the bearer to receive messages.

Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
Reported-by: Shuang Li
Acked-by: Jon Maloy
Signed-off-by: Tung Nguyen
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/tipc/bearer.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 60bc74b76adc..1cb5907d90d8 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c @@ -352,16 +352,18 @@ static int tipc_enable_bearer(struct net *net, const char *name, goto rejected; } - test_and_set_bit_lock(0, &b->up); - rcu_assign_pointer(tn->bearer_list[bearer_id], b); - if (skb) - tipc_bearer_xmit_skb(net, bearer_id, skb, &b->bcast_addr); - + /* Create monitoring data before accepting activate messages */ if (tipc_mon_create(net, bearer_id)) { bearer_disable(net, b); + kfree_skb(skb); return -ENOMEM; } + test_and_set_bit_lock(0, &b->up); + rcu_assign_pointer(tn->bearer_list[bearer_id], b); + if (skb) + tipc_bearer_xmit_skb(net, bearer_id, skb, &b->bcast_addr); + pr_info("Enabled bearer <%s>, priority %u\n", name, prio); return res; -- 2.34.1
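Review bot: the failure path after tipc_mon_create() now calls bearer_disable(net, b) on a bearer that has not yet been stored in tn->bearer_list and whose b->up bit is still clear, whereas before this hunk the same call ran after both had happened; please confirm bearer_disable() copes with that state, since it is a different cleanup contract than the one the old code exercised. On ordering, the race is closed by program order, which is the intent, but test_and_set_bit_lock() is an acquire operation rather than a release, so nothing visible in the hunk orders the monitor publication performed inside tipc_mon_create() ahead of a receiver that observes b->up set; if the receive path is gated on b->up alone rather than on the later rcu_assign_pointer(), either an smp_mb__before_atomic() before `test_and_set_bit_lock(0, &b->up);` or a comment explaining why the existing barriers suffice would spare the next reader the same question. The added `kfree_skb(skb);` is required now that tipc_bearer_xmit_skb() no longer consumes skb before the allocation can fail, and since kfree_skb() accepts NULL the unguarded call is correct even when no skb was supplied.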
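As an added example (not part of this patch and not the kernel's TIPC code), the following user-space C model reproduces the ordering bug described in the commit message and its fix: a receive path that is gated only on an `up` flag and then dereferences the monitor, and an enable path that either marks the bearer up before the monitor exists (the pre-fix order) or publishes the monitor first (the post-fix order). Every identifier is a hypothetical stand-in for b->up, tn->monitors[bearer_id], tipc_mon_create() and the tipc_l2_rcv_msg() to tipc_mon_prep() chain; the packet arriving at the worst moment is modelled by a hook invoked at the point where thread 2 ran in the diagram.

```c
/*
 * Added example, not kernel code: user-space model of the
 * initialise-before-publish ordering restored by the patch above.
 * All names are hypothetical stand-ins for the TIPC objects.
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum { RCV_DROPPED = -2, RCV_NULL_DEREF = -1 };

struct monitor {
	unsigned short dom_gen;       /* models mon->dom_gen */
};

struct bearer {
	atomic_bool up;               /* models b->up */
	struct monitor *_Atomic mon;  /* models tn->monitors[bearer_id] */
};

/*
 * Receive side. Like tipc_l2_rcv_msg() it is gated only on the up flag and
 * then reaches the monitor exactly as tipc_mon_prep() does. Where the kernel
 * would oops on a NULL monitor this model reports RCV_NULL_DEREF instead.
 */
static int rcv_activate_msg(struct bearer *b)
{
	if (!atomic_load_explicit(&b->up, memory_order_acquire))
		return RCV_DROPPED;
	struct monitor *mon = atomic_load_explicit(&b->mon, memory_order_acquire);
	if (!mon)
		return RCV_NULL_DEREF;    /* "u16 gen = mon->dom_gen" would oops here */
	return mon->dom_gen;
}

typedef int (*arrival_hook)(struct bearer *);

/* Pre-fix order: mark the bearer up, let traffic in, allocate afterwards. */
static int enable_bearer_before_fix(struct bearer *b, arrival_hook arrive)
{
	atomic_store_explicit(&b->up, true, memory_order_release);
	int rcv = arrive(b);                       /* thread 2 runs here */
	struct monitor *mon = calloc(1, sizeof *mon);   /* kzalloc() stand-in */
	if (!mon) {
		atomic_store_explicit(&b->up, false, memory_order_release);
		return -ENOMEM;
	}
	atomic_store_explicit(&b->mon, mon, memory_order_release);
	return rcv;
}

/* Post-fix order: allocate and publish the monitor, then mark the bearer up. */
static int enable_bearer_after_fix(struct bearer *b, arrival_hook arrive)
{
	struct monitor *mon = calloc(1, sizeof *mon);   /* kzalloc() stand-in */
	if (!mon)
		return -ENOMEM;
	atomic_store_explicit(&b->mon, mon, memory_order_release);
	/* Release store: a receiver that acquires `up` is guaranteed to see `mon`. */
	atomic_store_explicit(&b->up, true, memory_order_release);
	return arrive(b);                          /* thread 2 runs here */
}

static void bearer_teardown(struct bearer *b)
{
	free(atomic_load(&b->mon));
	atomic_store(&b->mon, NULL);
	atomic_store(&b->up, false);
}

/* Run one enable with a packet arriving mid-way; return what the receiver saw. */
static int run_scenario(bool fixed)
{
	struct bearer b = { false, NULL };
	int rcv = fixed ? enable_bearer_after_fix(&b, rcv_activate_msg)
			: enable_bearer_before_fix(&b, rcv_activate_msg);
	bearer_teardown(&b);
	return rcv;
}

int main(void)
{
	printf("before fix: %d (NULL dereference is %d)\n",
	       run_scenario(false), RCV_NULL_DEREF);
	printf("after fix:  %d (dom_gen of the freshly zeroed monitor)\n",
	       run_scenario(true));
	return 0;
}
```

Build with `cc -std=c11 -Wall race_model.c`. The model is deterministic because the arrival hook stands in for the interrupt, but the release/acquire pairing is what makes the fixed order sound under real concurrency: the store to `mon` is ordered before the release store to `up`, and a receiver's acquire load of `up` therefore cannot observe a NULL monitor. The kernel analogue of that pairing is smp_store_release() on the publishing side and smp_load_acquire() (or an acquire bit operation) on the reading side.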