[ 18/22] ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	"Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	"David S. Miller" <davem@davemloft.net>
Subject: [ 18/22] ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup
Date: Thu,  8 Aug 2013 18:41:34 -0700	[thread overview]
Message-ID: <20130809013953.201207019@linuxfoundation.org> (raw)
In-Reply-To: <20130809013949.226228694@linuxfoundation.org>

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

[ Upstream commit 905a6f96a1b18e490a75f810d733ced93c39b0e5 ]

Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
which leads to a panic (from Srivatsa S. Bhat):

BUG: unable to handle kernel paging request at ffff882018552020
IP: [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
+ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
Hardware name: IBM  -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
Workqueue: netns cleanup_net
task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
RIP: 0010:[<ffffffffa0366b02>]  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
RSP: 0018:ffff881039367bd8  EFLAGS: 00010286
RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
Stack:
 ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
 ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
 ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
Call Trace:
 [<ffffffffa034d9d1>] rawv6_close+0x21/0x40 [ipv6]
 [<ffffffff815bdecb>] inet_release+0xfb/0x220
 [<ffffffff815bddf2>] ? inet_release+0x22/0x220
 [<ffffffffa032686f>] inet6_release+0x3f/0x50 [ipv6]
 [<ffffffff8151c1d9>] sock_release+0x29/0xa0
 [<ffffffff81525520>] sk_release_kernel+0x30/0x70
 [<ffffffffa034f14b>] icmpv6_sk_exit+0x3b/0x80 [ipv6]
 [<ffffffff8152fff9>] ops_exit_list+0x39/0x60
 [<ffffffff815306fb>] cleanup_net+0xfb/0x1a0
 [<ffffffff81075e3a>] process_one_work+0x1da/0x610
 [<ffffffff81075dc9>] ? process_one_work+0x169/0x610
 [<ffffffff81076390>] worker_thread+0x120/0x3a0
 [<ffffffff81076270>] ? process_one_work+0x610/0x610
 [<ffffffff8107da2e>] kthread+0xee/0x100
 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
 [<ffffffff8162a99c>] ret_from_fork+0x7c/0xb0
 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
RIP  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
 RSP <ffff881039367bd8>
CR2: ffff882018552020

Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6mr.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -256,10 +256,12 @@ static void __net_exit ip6mr_rules_exit(
 {
 	struct mr6_table *mrt, *next;
 
+	rtnl_lock();
 	list_for_each_entry_safe(mrt, next, &net->ipv6.mr6_tables, list) {
 		list_del(&mrt->list);
 		ip6mr_free_table(mrt);
 	}
+	rtnl_unlock();
 	fib_rules_unregister(net->ipv6.mr6_rules_ops);
 }
 #else
@@ -286,7 +288,10 @@ static int __net_init ip6mr_rules_init(s
 
 static void __net_exit ip6mr_rules_exit(struct net *net)
 {
+	rtnl_lock();
 	ip6mr_free_table(net->ipv6.mrt6);
+	net->ipv6.mrt6 = NULL;
+	rtnl_unlock();
 }
 #endif

next prev parent reply	other threads:[~2013-08-09  1:42 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-09  1:41 [ 00/22] 3.0.90-stable review Greg Kroah-Hartman
2013-08-09  1:41 ` [ 01/22] serial/mxs-auart: fix race condition in interrupt handler Greg Kroah-Hartman
2013-08-09  1:41 ` [ 02/22] serial/mxs-auart: increase time to wait for transmitter to become idle Greg Kroah-Hartman
2013-08-09  1:41 ` [ 03/22] ath9k_htc: do some initial hardware configuration Greg Kroah-Hartman
2013-08-09  1:41 ` [ 04/22] nl80211: fix mgmt tx status and testmode reporting for netns Greg Kroah-Hartman
2013-08-09  1:41 ` [ 05/22] mac80211: fix duplicate retransmission detection Greg Kroah-Hartman
2013-08-09  1:41 ` [ 06/22] rt2x00: fix stop queue Greg Kroah-Hartman
2013-08-09  1:41 ` [ 07/22] mwifiex: Add missing endian conversion Greg Kroah-Hartman
2013-08-09  1:41 ` [ 08/22] ACPI / battery: Fix parsing _BIX return value Greg Kroah-Hartman
2013-08-09  1:41 ` [ 09/22] sched: Fix the broken sched_rr_get_interval() Greg Kroah-Hartman
2013-08-09  1:41 ` [ 10/22] fanotify: info leak in copy_event_to_user() Greg Kroah-Hartman
2013-08-09  1:41 ` [ 11/22] MAINTAINERS: fix up stable_kernel_rules.txt location Greg Kroah-Hartman
2013-08-09  1:41 ` [ 12/22] perf: Fix event group context move Greg Kroah-Hartman
2013-08-09  1:41 ` [ 13/22] x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz Greg Kroah-Hartman
2013-08-09  1:41 ` [ 14/22] perf: Use css_tryget() to avoid propping up css refcount Greg Kroah-Hartman
2013-08-09  1:41 ` [ 15/22] arcnet: cleanup sizeof parameter Greg Kroah-Hartman
2013-08-09  1:41 ` [ 16/22] sysctl net: Keep tcp_syn_retries inside the boundary Greg Kroah-Hartman
2013-08-09  1:41 ` [ 17/22] sctp: fully initialize sctp_outq in sctp_outq_init Greg Kroah-Hartman
2013-08-09  1:41 ` Greg Kroah-Hartman [this message]
2013-08-09  1:41 ` [ 19/22] usbnet: do not pretend to support SG/TSO Greg Kroah-Hartman
2013-08-09  1:41 ` [ 20/22] net_sched: Fix stack info leak in cbq_dump_wrr() Greg Kroah-Hartman
2013-08-09  1:41 ` [ 21/22] af_key: more info leaks in pfkey messages Greg Kroah-Hartman
2013-08-09  1:41 ` [ 22/22] net_sched: info leak in atm_tc_dump_class() Greg Kroah-Hartman
2013-08-09  3:42 ` [ 00/22] 3.0.90-stable review Guenter Roeck
2013-08-09  3:56   ` Greg Kroah-Hartman
2013-08-10 22:08 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130809013953.201207019@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=hannes@stressinduktion.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=srivatsa.bhat@linux.vnet.ibm.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.