Patch "tipc: fix a potential deadlock on &tx->lock" has been added to the 6.5-stable tree

This is a note to let you know that I've just added the patch titled

    tipc: fix a potential deadlock on &tx->lock

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tipc-fix-a-potential-deadlock-on-tx-lock.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 19521237f120a5a168bdb01514f35b44ac1af8d4
Author: Chengfeng Ye <dg573847474@xxxxxxxxx>
Date:   Wed Sep 27 18:14:14 2023 +0000

    tipc: fix a potential deadlock on &tx->lock
    
    [ Upstream commit 08e50cf071847323414df0835109b6f3560d44f5 ]
    
    It seems that tipc_crypto_key_revoke() could be invoked by
    workqueue tipc_crypto_work_rx() under process context and
    timer/rx callback under softirq context, thus the lock acquisition
    on &tx->lock seems better use spin_lock_bh() to prevent possible
    deadlock.
    
    This flaw was found by an experimental static analysis tool I am
    developing for irq-related deadlock.
    
    tipc_crypto_work_rx() <workqueue>
    --> tipc_crypto_key_distr()
    --> tipc_bcast_xmit()
    --> tipc_bcbase_xmit()
    --> tipc_bearer_bc_xmit()
    --> tipc_crypto_xmit()
    --> tipc_ehdr_build()
    --> tipc_crypto_key_revoke()
    --> spin_lock(&tx->lock)
    <timer interrupt>
       --> tipc_disc_timeout()
       --> tipc_bearer_xmit_skb()
       --> tipc_crypto_xmit()
       --> tipc_ehdr_build()
       --> tipc_crypto_key_revoke()
       --> spin_lock(&tx->lock) <deadlock here>
    
    Signed-off-by: Chengfeng Ye <dg573847474@xxxxxxxxx>
    Reviewed-by: Jacob Keller <jacob.e.keller@xxxxxxxxx>
    Acked-by: Jon Maloy <jmaloy@xxxxxxxxxx>
    Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
    Link: https://lore.kernel.org/r/20230927181414.59928-1-dg573847474@xxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
index 302fd749c4249..43c3f1c971b8f 100644
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -1441,14 +1441,14 @@ static int tipc_crypto_key_revoke(struct net *net, u8 tx_key)
 	struct tipc_crypto *tx = tipc_net(net)->crypto_tx;
 	struct tipc_key key;
 
-	spin_lock(&tx->lock);
+	spin_lock_bh(&tx->lock);
 	key = tx->key;
 	WARN_ON(!key.active || tx_key != key.active);
 
 	/* Free the active key */
 	tipc_crypto_key_set_state(tx, key.passive, 0, key.pending);
 	tipc_crypto_key_detach(tx->aead[key.active], &tx->lock);
-	spin_unlock(&tx->lock);
+	spin_unlock_bh(&tx->lock);
 
 	pr_warn("%s: key is revoked\n", tx->name);
 	return -EKEYREVOKED;
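
Review bot: at the call tipc_crypto_key_detach(tx->aead[key.active], &tx->lock), the lock pointer is handed to a helper whose body is not part of this hunk. If that helper ever drops and retakes the lock it would need the _bh variants as well, so it is worth confirming it only uses the pointer for a held-lock check. The same question applies to any other process-context taker of &tx->lock in net/tipc/crypto.c: the call chain in the commit message covers only tipc_crypto_key_revoke(), and a single remaining plain spin_lock() reachable from the workqueue would leave the same softirq re-entry deadlock in place. A one-line comment above spin_lock_bh(&tx->lock) stating that this function is reached from both the workqueue and the timer/rx softirq paths would document why the _bh variant is required here.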


