korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-09-22 12:44:11 +08:00
Code Issues Packages Projects Releases Wiki Activity
969afb4347
linux/net
History
James Chapman c1b2e36b87 l2tp: flush workqueue before draining it 
syzbot exposes a race where a net used by l2tp is removed while an
existing pppol2tp socket is closed. In l2tp_pre_exit_net, l2tp queues
TUNNEL_DELETE work items to close each tunnel in the net. When these
are run, new SESSION_DELETE work items are queued to delete each
session in the tunnel. This all happens in drain_workqueue. However,
drain_workqueue allows only new work items if they are queued by other
work items which are already in the queue. If pppol2tp_release runs
after drain_workqueue has started, it may queue a SESSION_DELETE work
item, which results in the warning below in drain_workqueue.

Address this by flushing the workqueue before drain_workqueue such
that all queued TUNNEL_DELETE work items run before drain_workqueue is
started. This will queue SESSION_DELETE work items for each session in
the tunnel, hence pppol2tp_release or other API requests won't queue
SESSION_DELETE requests once drain_workqueue is started.

  WARNING: CPU: 1 PID: 5467 at kernel/workqueue.c:2259 __queue_work+0xcd3/0xf50 kernel/workqueue.c:2258
  Modules linked in:
  CPU: 1 UID: 0 PID: 5467 Comm: syz.3.43 Not tainted 6.11.0-rc1-syzkaller-00247-g3608d6aca5e7 #0
  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
  RIP: 0010:__queue_work+0xcd3/0xf50 kernel/workqueue.c:2258
  Code: ff e8 11 84 36 00 90 0f 0b 90 e9 1e fd ff ff e8 03 84 36 00 eb 13 e8 fc 83 36 00 eb 0c e8 f5 83 36 00 eb 05 e8 ee 83 36 00 90 <0f> 0b 90 48 83 c4 60 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc
  RSP: 0018:ffffc90004607b48 EFLAGS: 00010093
  RAX: ffffffff815ce274 RBX: ffff8880661fda00 RCX: ffff8880661fda00
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: 0000000000000000 R08: ffffffff815cd6d4 R09: 0000000000000000
  R10: ffffc90004607c20 R11: fffff520008c0f85 R12: ffff88802ac33800
  R13: ffff88802ac339c0 R14: dffffc0000000000 R15: 0000000000000008
  FS:  00005555713eb500(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000008 CR3: 000000001eda6000 CR4: 00000000003506f0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   <TASK>
   queue_work_on+0x1c2/0x380 kernel/workqueue.c:2392
   pppol2tp_release+0x163/0x230 net/l2tp/l2tp_ppp.c:445
   __sock_release net/socket.c:659 [inline]
   sock_close+0xbc/0x240 net/socket.c:1421
   __fput+0x24a/0x8a0 fs/file_table.c:422
   task_work_run+0x24f/0x310 kernel/task_work.c:228
   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
   exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
   exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
   __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
   syscall_exit_to_user_mode+0x168/0x370 kernel/entry/common.c:218
   do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f061e9779f9
  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007ffff1c1fce8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
  RAX: 0000000000000000 RBX: 000000000001017d RCX: 00007f061e9779f9
  RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
  RBP: 00007ffff1c1fdc0 R08: 0000000000000001 R09: 00007ffff1c1ffcf
  R10: 00007f061e800000 R11: 0000000000000246 R12: 0000000000000032
  R13: 00007ffff1c1fde0 R14: 00007ffff1c1fe00 R15: ffffffffffffffff
  </TASK>

Fixes: fc7ec7f554 ("l2tp: delete sessions using work queue")
Reported-by: syzbot+0e85b10481d2f5478053@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0e85b10481d2f5478053
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2024-08-11 04:38:50 +01:00
..
6lowpan
9p Two fixes headed to stable trees: 2024-05-29 09:25:15 -07:00
802
8021q net: Add struct kernel_ethtool_ts_info 2024-07-15 08:02:26 -07:00
appletalk Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-05-09 10:01:01 -07:00
atm atm: clean up a put_user() calls 2024-06-14 19:08:50 -07:00
ax25 ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put() 2024-06-01 15:49:42 -07:00
batman-adv Revert "batman-adv: prefer kfree_rcu() over call_rcu() with free-only callbacks" 2024-06-12 20:18:00 +02:00
bluetooth Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor 2024-08-07 16:36:01 -04:00
bpf bpf-next-for-netdev 2024-07-09 17:01:46 +02:00
bridge net: bridge: mcast: wait for previous gc cycles when removing port 2024-08-05 16:33:56 -07:00
caif net: caif: remove unused structs 2024-06-05 10:18:06 +01:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-27 12:14:11 -07:00
ceph libceph: fix crush_choose_firstn() kernel-doc warnings 2024-07-11 16:33:07 +02:00
core Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-08-08 14:04:17 -07:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-27 12:14:11 -07:00
devlink devlink: Constify the 'table_ops' parameter of devl_dpipe_table_register() 2024-06-05 10:24:57 +01:00
dns_resolver
dsa Merge branch 'net-make-timestamping-selectable' 2024-07-15 08:02:30 -07:00
ethernet netkit: Fix pkt_type override upon netkit pass verdict 2024-05-25 10:48:57 -07:00
ethtool ethtool: refactor checking max channels 2024-08-09 21:52:13 -07:00
handshake net/handshake: remove redundant assignment to variable ret 2024-04-16 17:14:55 -07:00
hsr net: hsr: cosmetic: Remove extra white space 2024-06-19 17:32:57 -07:00
ieee802154 bpf-next-for-netdev 2024-05-28 07:27:29 -07:00
ife
ipv4 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-08-08 14:04:17 -07:00
ipv6 ipv6: udp: constify 'struct net' parameter of socket lookups 2024-08-05 16:27:26 -07:00
iucv net/iucv: fix use after free in iucv_sock_close() 2024-07-30 15:01:50 +02:00
kcm net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function 2024-03-11 09:53:22 +00:00
key
l2tp l2tp: flush workqueue before draining it 2024-08-11 04:38:50 +01:00
l3mdev
lapb
llc llc: Constify struct llc_sap_state_trans 2024-07-15 08:51:19 -07:00
mac80211 wifi: mac80211: use monitor sdata with driver only if desired 2024-07-26 12:30:49 +02:00
mac802154 net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() 2024-06-03 11:20:56 +02:00
mctp net: mctp: Consistent peer address handling in ioctl tag allocation 2024-08-01 18:04:12 -07:00
mpls sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
mptcp mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set 2024-08-01 18:24:49 -07:00
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-06-01 16:21:44 -07:00
netfilter A lot of networking people were at a conference last week, busy 2024-07-25 13:32:25 -07:00
netlabel netlabel: fix RCU annotation for IPv4 options on socket creation 2024-05-13 14:58:12 -07:00
netlink net: netlink: remove the cb_mutex "injection" from netlink core 2024-06-10 13:15:40 +01:00
netrom netrom: Fix a memory leak in nr_heartbeat_expiry() 2024-06-17 13:06:23 +01:00
nfc Quite smaller than usual. Notably it includes the fix for the unix 2024-05-23 12:49:37 -07:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-04-26 12:20:01 +02:00
openvswitch net: openvswitch: store sampling probability in cb. 2024-07-05 17:45:47 -07:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-07-15 13:19:17 -07:00
phonet sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
psample net: psample: fix flag being set in wrong skb 2024-07-11 18:11:31 -07:00
qrtr net: qrtr: ns: Ignore ENODEV failures in ns 2024-06-14 13:17:21 +02:00
rds net: rds: add option for GCOV profiling 2024-08-09 13:18:46 +01:00
rfkill net: rfkill: Correct return value in invalid parameter case 2024-06-26 10:49:01 +02:00
rose net: change proto and proto_ops accept type 2024-05-13 18:19:09 -06:00
rxrpc rxrpc: Remove unused function declarations 2024-08-02 17:17:34 -07:00
sched sched: act_ct: take care of padding in struct zones_ht_key 2024-07-26 11:22:57 +01:00
sctp sctp: Fix null-ptr-deref in reuseport_add_sock(). 2024-08-02 16:25:06 -07:00
smc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-08-08 14:04:17 -07:00
strparser
sunrpc sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
switchdev net: bridge: switchdev: Improve error message for port_obj_add/del functions 2024-05-08 12:19:12 +01:00
tipc tipc: guard against string buffer overrun 2024-08-02 17:16:09 -07:00
tls net: tls: Pass union tls_crypto_context pointer to memzero_explicit 2024-07-09 11:14:47 -07:00
unix af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash 2024-07-17 22:49:00 +02:00
vmw_vsock vsock/virtio: add SIOCOUTQ support for all virtio based transports 2024-08-02 09:20:28 +01:00
wireless wifi: cfg80211: correct S1G beacon length calculation 2024-07-26 12:32:47 +02:00
x25 net: change proto and proto_ops accept type 2024-05-13 18:19:09 -06:00
xdp xsk: Require XDP_UMEM_TX_METADATA_LEN to actuate tx_metadata_len 2024-07-25 11:57:27 +02:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-07-15 13:19:17 -07:00
compat.c
devres.c
Kconfig ethtool: provide customized dim profile management 2024-06-25 17:15:06 -07:00
Kconfig.debug
Makefile
socket.c net: Split a __sys_listen helper for io_uring 2024-06-19 07:57:21 -06:00
sysctl_net.c sysctl: Remove check for sentinel element in ctl_table arrays 2024-06-13 10:50:52 +02:00