[ 20/25] ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	"Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	"David S. Miller" <davem@davemloft.net>
Subject: [ 20/25] ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup
Date: Thu,  8 Aug 2013 18:41:56 -0700	[thread overview]
Message-ID: <20130809013653.593027526@linuxfoundation.org> (raw)
In-Reply-To: <20130809013649.057678051@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

[ Upstream commit 905a6f96a1b18e490a75f810d733ced93c39b0e5 ]

Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
which leads to a panic (from Srivatsa S. Bhat):

BUG: unable to handle kernel paging request at ffff882018552020
IP: [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
+ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
Hardware name: IBM  -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
Workqueue: netns cleanup_net
task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
RIP: 0010:[<ffffffffa0366b02>]  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
RSP: 0018:ffff881039367bd8  EFLAGS: 00010286
RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
Stack:
 ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
 ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
 ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
Call Trace:
 [<ffffffffa034d9d1>] rawv6_close+0x21/0x40 [ipv6]
 [<ffffffff815bdecb>] inet_release+0xfb/0x220
 [<ffffffff815bddf2>] ? inet_release+0x22/0x220
 [<ffffffffa032686f>] inet6_release+0x3f/0x50 [ipv6]
 [<ffffffff8151c1d9>] sock_release+0x29/0xa0
 [<ffffffff81525520>] sk_release_kernel+0x30/0x70
 [<ffffffffa034f14b>] icmpv6_sk_exit+0x3b/0x80 [ipv6]
 [<ffffffff8152fff9>] ops_exit_list+0x39/0x60
 [<ffffffff815306fb>] cleanup_net+0xfb/0x1a0
 [<ffffffff81075e3a>] process_one_work+0x1da/0x610
 [<ffffffff81075dc9>] ? process_one_work+0x169/0x610
 [<ffffffff81076390>] worker_thread+0x120/0x3a0
 [<ffffffff81076270>] ? process_one_work+0x610/0x610
 [<ffffffff8107da2e>] kthread+0xee/0x100
 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
 [<ffffffff8162a99c>] ret_from_fork+0x7c/0xb0
 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
RIP  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
 RSP <ffff881039367bd8>
CR2: ffff882018552020

Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6mr.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -256,10 +256,12 @@ static void __net_exit ip6mr_rules_exit(
 {
 	struct mr6_table *mrt, *next;
 
+	rtnl_lock();
 	list_for_each_entry_safe(mrt, next, &net->ipv6.mr6_tables, list) {
 		list_del(&mrt->list);
 		ip6mr_free_table(mrt);
 	}
+	rtnl_unlock();
 	fib_rules_unregister(net->ipv6.mr6_rules_ops);
 }
 #else
@@ -286,7 +288,10 @@ static int __net_init ip6mr_rules_init(s
 
 static void __net_exit ip6mr_rules_exit(struct net *net)
 {
+	rtnl_lock();
 	ip6mr_free_table(net->ipv6.mrt6);
+	net->ipv6.mrt6 = NULL;
+	rtnl_unlock();
 }
 #endif

next prev parent reply	other threads:[~2013-08-09  1:52 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-09  1:41 [ 00/25] 3.4.57-stable review Greg Kroah-Hartman
2013-08-09  1:41 ` [ 01/25] ALSA: compress: fix the return value for SNDRV_COMPRESS_VERSION Greg Kroah-Hartman
2013-08-09  1:41 ` [ 02/25] serial/mxs-auart: fix race condition in interrupt handler Greg Kroah-Hartman
2013-08-09  1:41 ` [ 03/25] serial/mxs-auart: increase time to wait for transmitter to become idle Greg Kroah-Hartman
2013-08-09  1:41 ` [ 04/25] ath9k_htc: do some initial hardware configuration Greg Kroah-Hartman
2013-08-09  1:41 ` [ 05/25] nl80211: fix mgmt tx status and testmode reporting for netns Greg Kroah-Hartman
2013-08-09  1:41 ` [ 06/25] mac80211: fix duplicate retransmission detection Greg Kroah-Hartman
2013-08-09  1:41 ` [ 07/25] ixgbe: Fix Tx Hang issue with lldpad on 82598EB Greg Kroah-Hartman
2013-08-09  1:41 ` [ 08/25] rt2x00: fix stop queue Greg Kroah-Hartman
2013-08-09  1:41 ` [ 09/25] mwifiex: Add missing endian conversion Greg Kroah-Hartman
2013-08-09  1:41 ` [ 10/25] ACPI / battery: Fix parsing _BIX return value Greg Kroah-Hartman
2013-08-09  1:41 ` [ 11/25] sched: Fix the broken sched_rr_get_interval() Greg Kroah-Hartman
2013-08-09  1:41 ` [ 12/25] fanotify: info leak in copy_event_to_user() Greg Kroah-Hartman
2013-08-09  1:41 ` [ 13/25] perf: Fix event group context move Greg Kroah-Hartman
2013-08-09  1:41 ` [ 14/25] x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz Greg Kroah-Hartman
2013-08-09  1:41 ` [ 15/25] drm/i915: quirk no PCH_PWM_ENABLE for Dell XPS13 backlight Greg Kroah-Hartman
2013-08-09  1:41 ` [ 16/25] perf: Use css_tryget() to avoid propping up css refcount Greg Kroah-Hartman
2013-08-09  1:41 ` [ 17/25] arcnet: cleanup sizeof parameter Greg Kroah-Hartman
2013-08-09  1:41 ` [ 18/25] sysctl net: Keep tcp_syn_retries inside the boundary Greg Kroah-Hartman
2013-08-09  1:41 ` [ 19/25] sctp: fully initialize sctp_outq in sctp_outq_init Greg Kroah-Hartman
2013-08-09  1:41 ` Greg Kroah-Hartman [this message]
2013-08-09  1:41 ` [ 21/25] usbnet: do not pretend to support SG/TSO Greg Kroah-Hartman
2013-08-09  1:41 ` [ 22/25] net_sched: Fix stack info leak in cbq_dump_wrr() Greg Kroah-Hartman
2013-08-09  1:41 ` [ 23/25] af_key: more info leaks in pfkey messages Greg Kroah-Hartman
2013-08-09  1:42 ` [ 24/25] net_sched: info leak in atm_tc_dump_class() Greg Kroah-Hartman
2013-08-09  1:42 ` [ 25/25] 8139cp: Add dma_mapping_error checking Greg Kroah-Hartman
2013-08-09  4:34 ` [ 00/25] 3.4.57-stable review Guenter Roeck
2013-08-10 22:08 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130809013653.593027526@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=hannes@stressinduktion.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=srivatsa.bhat@linux.vnet.ibm.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox