From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shuang Li, Jon Maloy, Tung Nguyen, "David S. Miller", Sasha Levin
Subject: [PATCH 5.15 010/110] tipc: fix kernel panic when enabling bearer
Date: Mon, 14 Mar 2022 12:53:12 +0100
Message-Id: <20220314112743.320738039@linuxfoundation.org>
In-Reply-To: <20220314112743.029192918@linuxfoundation.org>
References: <20220314112743.029192918@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Tung Nguyen

[ Upstream commit be4977b847f5d5cedb64d50eaaf2218c3a55a3a3 ]

When enabling a bearer on a node, a kernel panic is observed:

[ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]
...
[ 4.520030] Call Trace:
[ 4.520689]
[ 4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]
[ 4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]
[ 4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]
[ 4.525292]  tipc_rcv+0x5da/0x730 [tipc]
[ 4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0
[ 4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]
[ 4.528737]  __netif_receive_skb_list_core+0x20b/0x260
[ 4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0
[ 4.531450]  ? dev_gro_receive+0x4c2/0x680
[ 4.532512]  napi_complete_done+0x6f/0x180
[ 4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]
...

The node in question is receiving activate messages in another
thread after changing bearer status to allow message sending/
receiving in current thread:

thread 1                       | thread 2
--------                       | --------
                               |
tipc_enable_bearer()           |
  test_and_set_bit_lock()      |
  tipc_bearer_xmit_skb()       |
                               | tipc_l2_rcv_msg()
                               |   tipc_rcv()
                               |     __tipc_node_link_up()
                               |       tipc_link_build_state_msg()
                               |         tipc_link_build_proto_msg()
                               |           tipc_mon_prep()
                               |           {
                               |             ...
                               |             // null-pointer dereference
                               |             u16 gen = mon->dom_gen;
                               |             ...
                               |           }
  // Not being executed yet    |
  tipc_mon_create()            |
  {                            |
    ...                        |
    // allocate                |
    mon = kzalloc();           |
    ...                        |
  }                            |

Monitoring pointer in thread 2 is dereferenced before monitoring data is
allocated in thread 1. This causes kernel panic.

This commit fixes it by allocating the monitoring data before enabling
the bearer to receive messages.

Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
Reported-by: Shuang Li
Acked-by: Jon Maloy
Signed-off-by: Tung Nguyen
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/tipc/bearer.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 443f8e5b9477..36b466cfd9e1 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c @@ -352,16 +352,18 @@ static int tipc_enable_bearer(struct net *net, const char *name, goto rejected; } - test_and_set_bit_lock(0, &b->up); - rcu_assign_pointer(tn->bearer_list[bearer_id], b); - if (skb) - tipc_bearer_xmit_skb(net, bearer_id, skb, &b->bcast_addr); - + /* Create monitoring data before accepting activate messages */ if (tipc_mon_create(net, bearer_id)) { bearer_disable(net, b); + kfree_skb(skb); return -ENOMEM; } + test_and_set_bit_lock(0, &b->up); + rcu_assign_pointer(tn->bearer_list[bearer_id], b); + if (skb) + tipc_bearer_xmit_skb(net, bearer_id, skb, &b->bcast_addr); + pr_info("Enabled bearer <%s>, priority %u\n", name, prio); return res; -- 2.34.1
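Review bot: the added `kfree_skb(skb);` in the tipc_mon_create() failure path is a consequence of the reordering, not a cosmetic change, and deserves a line in the commit message: before this patch tipc_bearer_xmit_skb() had already consumed skb by the time tipc_mon_create() ran, whereas now the -ENOMEM return happens while this function still owns skb, so without the free it would leak. kfree_skb() accepts a NULL pointer, so no `if (skb)` guard is needed there, unlike the transmit call below. The resulting order (allocate the monitor, then set b->up and publish b into bearer_list, then transmit) is the right publish-after-init shape, since the receive path keys off the published bearer and will call tipc_mon_prep() as soon as it sees it.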
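The race in the commit message, modelled as an added example (not the kernel's code): a single-threaded model in which the receive path is a callback invoked at the moment the bearer becomes visible, so the original and patched orderings can be compared deterministically. The structures and functions (bearer, monitor, bearer_rcv, enable_bearer, race_result) are hypothetical stand-ins for the TIPC ones.

```c
/* Added example, not kernel code: a deterministic model of the ordering bug
 * this patch fixes. "Thread 2" is a callback run as soon as the bearer is
 * published as up. All names are hypothetical stand-ins for TIPC's own. */
#include <errno.h>
#include <stdlib.h>

struct monitor { unsigned short dom_gen; };   /* stand-in for tipc_monitor */
struct bearer {
    int up;                /* the bit set by test_and_set_bit_lock()       */
    struct monitor *mon;   /* the data allocated by tipc_mon_create()      */
};
enum { RCV_IGNORED = 0, RCV_OK = 1, RCV_NULL_MON = -1 };
/* Receive path: ignores traffic until the bearer is up, then needs mon. A NULL
 * mon here is the tipc_mon_prep() dereference; the model reports it instead. */
int bearer_rcv(struct bearer *b)
{
    if (!b->up)
        return RCV_IGNORED;
    if (!b->mon)
        return RCV_NULL_MON;
    b->mon->dom_gen++;     /* the "u16 gen = mon->dom_gen;" access, now safe */
    return RCV_OK;
}
/* Models tipc_enable_bearer(); fixed selects the patched order. peer runs
 * right after b->up is set (thread 2 winning the race); its result is returned. */
int enable_bearer(struct bearer *b, int fixed, int (*peer)(struct bearer *))
{
    int r;
    if (fixed) {
        /* Patched: create monitoring data before accepting activate messages. */
        b->mon = calloc(1, sizeof(*b->mon));
        if (!b->mon)
            return -ENOMEM;
        b->up = 1;
        return peer(b);
    }
    /* Original: published as up first, monitor allocated afterwards. */
    b->up = 1;
    r = peer(b);
    b->mon = calloc(1, sizeof(*b->mon));
    return b->mon ? r : -ENOMEM;
}

int race_result(int fixed)   /* one enable attempt on a fresh bearer */
{
    struct bearer b = {0};
    int r = enable_bearer(&b, fixed, bearer_rcv);
    free(b.mon);
    return r;
}
```

race_result(0) reproduces the NULL-monitor access the panic trace shows; race_result(1) takes the patched order and the receive path finds the monitor in place.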