Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp507927pxu; Fri, 4 Dec 2020 08:31:10 -0800 (PST) X-Google-Smtp-Source: ABdhPJyqpS5OhKOJv9f4V8Yi3IcQeSBq3lojLWv0gFTZStKbX3KGqSfYnINMY8plIqK7h8X03Uwi X-Received: by 2002:aa7:cc19:: with SMTP id q25mr8233593edt.290.1607099470389; Fri, 04 Dec 2020 08:31:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607099470; cv=none; d=google.com; s=arc-20160816; b=Ag1ANfcXEfIXUemdFTi5yoCxgPFd8U7wr2BFOCMBMKClhOuSJs1ndEAsz2SkUSHaAW WuFm28Xuby/G0eZ92hQezaNUCUwmGV9xzBiInz5x4bZWXbCO6BsnJtY3d5ONXuGogpGb dc06GPsJpGdyGyHQQm3NdseTN8zII2u8toRJOMj7lFULce+eV+3j8E2SRDTPoj/xnvIL EpgPO5/8qf+vsVfOW+VsC+PQfiFJ9QGLN/VIyD8kQW1pryOkpn0A+l9SbbsifRHxvZVB h9lhqhPbqU3p+wibNOwZ9Hs0sQXLvsneH1TWdyv7lxNP0b/p7k1cbyPPYjg9PDVXrJ6K 6FnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=ByX3iybnI2vcB+/w+gWh/2VXqHo0ZAue8eOYSt9kYc8=; b=WoE0dDAD3wJm9GGy2voXwCaBMMQFKCq9mgLF28A+pel+1MsbNKSw1CQIg8+rkNCJtC UEMk7HuKVzEMJscaZj+cP8PybS20Y2HaQ49xGFGecO9fCA7rYLeDNm1/AOfPXgK+s2OC hMaPl6iRdg91DqpdGdj4IDDnyDTn8qR9/IaziXGSABUh2ydX/Fa1sQvw/YRJCTTqaaCU QyM+B591Qzh2Vz0+2Tmv7UNoL0rz0PXwXG+QDf+bByI+4qwmfdkSRutaTmrHf1eB+y90 ECGyQZeR9abEWLUDKDY5nCNiiTlHuOijJx626iJM7pN0zkMsgIw5JQH5AtUXNOikdHFU iwCw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 39si3213009edr.374.2020.12.04.08.30.32; Fri, 04 Dec 2020 08:31:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729787AbgLDQ1Q (ORCPT + 99 others); Fri, 4 Dec 2020 11:27:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726928AbgLDQ1Q (ORCPT ); Fri, 4 Dec 2020 11:27:16 -0500 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 370F9C0613D1; Fri, 4 Dec 2020 08:26:36 -0800 (PST) Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94) (envelope-from ) id 1klDue-002Wk7-0s; Fri, 04 Dec 2020 17:26:28 +0100 Message-ID: Subject: Re: [PATCH net] mac80211: mesh: fix mesh_pathtbl_init() error path From: Johannes Berg To: Eric Dumazet , "David S . Miller" , Jakub Kicinski Cc: netdev , Eric Dumazet , syzbot , linux-wireless@vger.kernel.org Date: Fri, 04 Dec 2020 17:26:27 +0100 In-Reply-To: <20201204162428.2583119-1-eric.dumazet@gmail.com> (sfid-20201204_172435_837291_23D69393) References: <20201204162428.2583119-1-eric.dumazet@gmail.com> (sfid-20201204_172435_837291_23D69393) Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.5 (3.36.5-1.fc32) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-malware-bazaar: not-scanned Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Fri, 2020-12-04 at 08:24 -0800, Eric Dumazet wrote: > From: Eric Dumazet > > If tbl_mpp can not be allocated, we call mesh_table_free(tbl_path) > while tbl_path rhashtable has not yet been initialized, which causes > panics. Thanks Eric! I was going to ask how you ran into this ... > Reported-by: syzbot Until I saw this - but doesn't syzbot normally want a "syzbot+somehashid@..." as the reported-by? > --- a/net/mac80211/mesh_pathtbl.c > +++ b/net/mac80211/mesh_pathtbl.c > @@ -60,6 +60,7 @@ static struct mesh_table *mesh_table_alloc(void) > atomic_set(&newtbl->entries, 0); > spin_lock_init(&newtbl->gates_lock); > spin_lock_init(&newtbl->walk_lock); > + rhashtable_init(&newtbl->rhead, &mesh_rht_params); > > return newtbl; > } > @@ -773,9 +774,6 @@ int mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata) > goto free_path; > } > > - rhashtable_init(&tbl_path->rhead, &mesh_rht_params); > - rhashtable_init(&tbl_mpp->rhead, &mesh_rht_params); > Hmm. There were two calls, now there's only one? Is that a bug, or am I missing something? johannes