• Taehee Yoo's avatar
    hsr: fix a race condition in node list insertion and deletion · 92a35678
    Taehee Yoo authored
    hsr nodes are protected by RCU and there is no write side lock.
    But node insertions and deletions could be being operated concurrently.
    So write side locking is needed.
    
    Test commands:
        ip netns add nst
        ip link add veth0 type veth peer name veth1
        ip link add veth2 type veth peer name veth3
        ip link set veth1 netns nst
        ip link set veth3 netns nst
        ip link set veth0 up
        ip link set veth2 up
        ip link add hsr0 type hsr slave1 veth0 slave2 veth2
        ip a a 192.168.100.1/24 dev hsr0
        ip link set hsr0 up
        ip netns exec nst ip link set veth1 up
        ip netns exec nst ip link set veth3 up
        ip netns exec nst ip link add hsr1 type hsr slave1 veth1 slave2 veth3
        ip netns exec nst ip a a 192.168.100.2/24 dev hsr1
        ip netns exec nst ip link set hsr1 up
    
        for i in {0..9}
        do
            for j in {0..9}
    	do
    	    for k in {0..9}
    	    do
    	        for l in {0..9}
    		do
    	        arping 192.168.100.2 -I hsr0 -s 00:01:3$i:4$j:5$k:6$l -c1 &
    		done
    	    done
    	done
        done
    
    Splat looks like:
    [  236.066091][ T3286] list_add corruption. next->prev should be prev (ffff8880a5940300), but was ffff8880a5940d0.
    [  236.069617][ T3286] ------------[ cut here ]------------
    [  236.070545][ T3286] kernel BUG at lib/list_debug.c:25!
    [  236.071391][ T3286] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
    [  236.072343][ T3286] CPU: 0 PID: 3286 Comm: arping Tainted: G        W         5.5.0-rc1+ #209
    [  236.073463][ T3286] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [  236.074695][ T3286] RIP: 0010:__list_add_valid+0x74/0xd0
    [  236.075499][ T3286] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 b
    [  236.078277][ T3286] RSP: 0018:ffff8880aaa97648 EFLAGS: 00010286
    [  236.086991][ T3286] RAX: 0000000000000075 RBX: ffff8880d4624c20 RCX: 0000000000000000
    [  236.088000][ T3286] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed1015552ebf
    [  236.098897][ T3286] RBP: ffff88809b53d200 R08: ffffed101b3c04f9 R09: ffffed101b3c04f9
    [  236.099960][ T3286] R10: 00000000308769a1 R11: ffffed101b3c04f8 R12: ffff8880d4624c28
    [  236.100974][ T3286] R13: ffff8880d4624c20 R14: 0000000040310100 R15: ffff8880ce17ee02
    [  236.138967][ T3286] FS:  00007f23479fa680(0000) GS:ffff8880d9c00000(0000) knlGS:0000000000000000
    [  236.144852][ T3286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  236.145720][ T3286] CR2: 00007f4a14bab210 CR3: 00000000a61c6001 CR4: 00000000000606f0
    [  236.146776][ T3286] Call Trace:
    [  236.147222][ T3286]  hsr_add_node+0x314/0x490 [hsr]
    [  236.153633][ T3286]  hsr_forward_skb+0x2b6/0x1bc0 [hsr]
    [  236.154362][ T3286]  ? rcu_read_lock_sched_held+0x90/0xc0
    [  236.155091][ T3286]  ? rcu_read_lock_bh_held+0xa0/0xa0
    [  236.156607][ T3286]  hsr_dev_xmit+0x70/0xd0 [hsr]
    [  236.157254][ T3286]  dev_hard_start_xmit+0x160/0x740
    [  236.157941][ T3286]  __dev_queue_xmit+0x1961/0x2e10
    [  236.158565][ T3286]  ? netdev_core_pick_tx+0x2e0/0x2e0
    [ ... ]
    
    Reported-by: syzbot+3924327f9ad5f4d2b343@syzkaller.appspotmail.com
    Fixes: f421436a ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
    Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    92a35678
hsr_device.c 12.3 KB