From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Haishuang Yan <yanhaishuang@cmss.chinamobile.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.18 32/35] ip_vti: fix a null pointer deferrence when create vti fallback tunnel
Date: Tue, 21 Aug 2018 08:20:58 +0200 [thread overview]
Message-ID: <20180821055021.350226830@linuxfoundation.org> (raw)
In-Reply-To: <20180821055019.954904905@linuxfoundation.org>
4.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
[ Upstream commit cd1aa9c2c665cafbd05b83507d3f1096f3912aa4 ]
After set fb_tunnels_only_for_init_net to 1, the itn->fb_tunnel_dev will
be NULL and will cause following crash:
[ 2742.849298] BUG: unable to handle kernel NULL pointer dereference at 0000000000000941
[ 2742.851380] PGD 800000042c21a067 P4D 800000042c21a067 PUD 42aaed067 PMD 0
[ 2742.852818] Oops: 0002 [#1] SMP PTI
[ 2742.853570] CPU: 7 PID: 2484 Comm: unshare Kdump: loaded Not tainted 4.18.0-rc8+ #2
[ 2742.855163] Hardware name: Fedora Project OpenStack Nova, BIOS seabios-1.7.5-11.el7 04/01/2014
[ 2742.856970] RIP: 0010:vti_init_net+0x3a/0x50 [ip_vti]
[ 2742.858034] Code: 90 83 c0 48 c7 c2 20 a1 83 c0 48 89 fb e8 6e 3b f6 ff 85 c0 75 22 8b 0d f4 19 00 00 48 8b 93 00 14 00 00 48 8b 14 ca 48 8b 12 <c6> 82 41 09 00 00 04 c6 82 38 09 00 00 45 5b c3 66 0f 1f 44 00 00
[ 2742.861940] RSP: 0018:ffff9be28207fde0 EFLAGS: 00010246
[ 2742.863044] RAX: 0000000000000000 RBX: ffff8a71ebed4980 RCX: 0000000000000013
[ 2742.864540] RDX: 0000000000000000 RSI: 0000000000000013 RDI: ffff8a71ebed4980
[ 2742.866020] RBP: ffff8a71ea717000 R08: ffffffffc083903c R09: ffff8a71ea717000
[ 2742.867505] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a71ebed4980
[ 2742.868987] R13: 0000000000000013 R14: ffff8a71ea5b49c0 R15: 0000000000000000
[ 2742.870473] FS: 00007f02266c9740(0000) GS:ffff8a71ffdc0000(0000) knlGS:0000000000000000
[ 2742.872143] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2742.873340] CR2: 0000000000000941 CR3: 000000042bc20006 CR4: 00000000001606e0
[ 2742.874821] Call Trace:
[ 2742.875358] ops_init+0x38/0xf0
[ 2742.876078] setup_net+0xd9/0x1f0
[ 2742.876789] copy_net_ns+0xb7/0x130
[ 2742.877538] create_new_namespaces+0x11a/0x1d0
[ 2742.878525] unshare_nsproxy_namespaces+0x55/0xa0
[ 2742.879526] ksys_unshare+0x1a7/0x330
[ 2742.880313] __x64_sys_unshare+0xe/0x20
[ 2742.881131] do_syscall_64+0x5b/0x180
[ 2742.881933] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reproduce:
echo 1 > /proc/sys/net/core/fb_tunnels_only_for_init_net
modprobe ip_vti
unshare -n
Fixes: 79134e6ce2c9 ("net: do not create fallback tunnels for non-default namespaces")
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_vti.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -438,7 +438,8 @@ static int __net_init vti_init_net(struc
if (err)
return err;
itn = net_generic(net, vti_net_id);
- vti_fb_tunnel_init(itn->fb_tunnel_dev);
+ if (itn->fb_tunnel_dev)
+ vti_fb_tunnel_init(itn->fb_tunnel_dev);
return 0;
}
next prev parent reply other threads:[~2018-08-21 6:23 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-21 6:20 [PATCH 4.18 00/35] 4.18.4-stable review Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 01/35] l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 02/35] net_sched: fix NULL pointer dereference when delete tcindex filter Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 03/35] net_sched: Fix missing res info when create new tc_index filter Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 04/35] r8169: dont use MSI-X on RTL8168g Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 05/35] ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 06/35] ALSA: hda - Turn CX8200 into D3 as well upon reboot Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 07/35] ALSA: vx222: Fix invalid endian conversions Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 08/35] ALSA: virmidi: Fix too long output trigger loop Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 09/35] ALSA: cs5535audio: Fix invalid endian conversion Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 10/35] ALSA: dice: fix wrong copy to rx parameters for Alesis iO26 Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 11/35] ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 12/35] ALSA: memalloc: Dont exceed over the requested size Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 13/35] ALSA: vxpocket: Fix invalid endian conversions Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 14/35] ALSA: seq: Fix poll() error return Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 16/35] USB: serial: sierra: fix potential deadlock at close Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 17/35] USB: serial: pl2303: add a new device id for ATEN Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 18/35] USB: option: add support for DW5821e Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 19/35] ACPI / PM: save NVS memory for ASUS 1025C laptop Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 20/35] tty: serial: 8250: Revert NXP SC16C2552 workaround Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 21/35] serial: 8250_exar: Read INT0 from slave device, too Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 22/35] serial: 8250_dw: always set baud rate in dw8250_set_termios Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 23/35] serial: 8250_dw: Add ACPI support for uart on Broadcom SoC Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 24/35] uio: fix wrong return value from uio_mmap() Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 25/35] misc: sram: fix resource leaks in probe error path Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 26/35] Revert "uio: use request_threaded_irq instead" Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 27/35] Bluetooth: avoid killing an already killed socket Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 28/35] isdn: Disable IIOCDBGVAR Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 29/35] net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 30/35] hv/netvsc: Fix NULL dereference at single queue mode fallback Greg Kroah-Hartman
2018-08-21 6:20 ` [PATCH 4.18 31/35] r8169: dont use MSI-X on RTL8106e Greg Kroah-Hartman
2018-08-21 6:20 ` Greg Kroah-Hartman [this message]
2018-08-21 6:20 ` [PATCH 4.18 33/35] net: ethernet: mvneta: Fix napi structure mixup on armada 3700 Greg Kroah-Hartman
2018-08-21 6:21 ` [PATCH 4.18 34/35] net: mvneta: fix mvneta_config_rss " Greg Kroah-Hartman
2018-08-21 6:21 ` [PATCH 4.18 35/35] cls_matchall: fix tcf_unbind_filter missing Greg Kroah-Hartman
2018-08-21 14:59 ` [PATCH 4.18 00/35] 4.18.4-stable review Guenter Roeck
2018-08-21 20:02 ` Greg Kroah-Hartman
2018-08-21 18:03 ` Naresh Kamboju
2018-08-21 20:03 ` Greg Kroah-Hartman
2018-08-21 19:43 ` Shuah Khan
2018-08-21 20:03 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180821055021.350226830@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yanhaishuang@cmss.chinamobile.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.