• Xin Long's avatar
    tipc: wait and exit until all work queues are done · 04c26faa
    Xin Long authored
    On some host, a crash could be triggered simply by repeating these
    commands several times:
    
      # modprobe tipc
      # tipc bearer enable media udp name UDP1 localip 127.0.0.1
      # rmmod tipc
    
      [] BUG: unable to handle kernel paging request at ffffffffc096bb00
      [] Workqueue: events 0xffffffffc096bb00
      [] Call Trace:
      []  ? process_one_work+0x1a7/0x360
      []  ? worker_thread+0x30/0x390
      []  ? create_worker+0x1a0/0x1a0
      []  ? kthread+0x116/0x130
      []  ? kthread_flush_work_fn+0x10/0x10
      []  ? ret_from_fork+0x35/0x40
    
    When removing the TIPC module, the UDP tunnel sock will be delayed to
    release in a work queue as sock_release() can't be done in rtnl_lock().
    If the work queue is schedule to run after the TIPC module is removed,
    kernel will crash as the work queue function cleanup_beareri() code no
    longer exists when trying to invoke it.
    
    To fix it, this patch introduce a member wq_count in tipc_net to track
    the numbers of work queues in schedule, and  wait and exit until all
    work queues are done in tipc_exit_net().
    
    Fixes: d0f91938 ("tipc: add ip/udp media type")
    Reported-by: default avatarShuang Li <shuali@redhat.com>
    Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
    Acked-by: default avatarJon Maloy <jmaloy@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    04c26faa
core.c 5.92 KB