Tung Nguyen
be4977b847
tipc: fix kernel panic when enabling bearer
...
When enabling a bearer on a node, a kernel panic is observed:
[ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]
...
[ 4.520030] Call Trace:
[ 4.520689] <IRQ>
[ 4.521236] tipc_link_build_proto_msg+0x375/0x750 [tipc]
[ 4.522654] tipc_link_build_state_msg+0x48/0xc0 [tipc]
[ 4.524034] __tipc_node_link_up+0xd7/0x290 [tipc]
[ 4.525292] tipc_rcv+0x5da/0x730 [tipc]
[ 4.526346] ? __netif_receive_skb_core+0xb7/0xfc0
[ 4.527601] tipc_l2_rcv_msg+0x5e/0x90 [tipc]
[ 4.528737] __netif_receive_skb_list_core+0x20b/0x260
[ 4.530068] netif_receive_skb_list_internal+0x1bf/0x2e0
[ 4.531450] ? dev_gro_receive+0x4c2/0x680
[ 4.532512] napi_complete_done+0x6f/0x180
[ 4.533570] virtnet_poll+0x29c/0x42e [virtio_net]
...
The node in question is receiving activate messages in another
thread after changing bearer status to allow message sending/receiving
in current thread:

thread 1                         | thread 2
--------                         | --------
                                 |
tipc_enable_bearer()             |
  test_and_set_bit_lock()        |
    tipc_bearer_xmit_skb()       |
                                 | tipc_l2_rcv_msg()
                                 |   tipc_rcv()
                                 |     __tipc_node_link_up()
                                 |       tipc_link_build_state_msg()
                                 |         tipc_link_build_proto_msg()
                                 |           tipc_mon_prep()
                                 |           {
                                 |             ...
                                 |             // null-pointer dereference
                                 |             u16 gen = mon->dom_gen;
                                 |             ...
                                 |           }
  // Not being executed yet      |
  tipc_mon_create()              |
  {                              |
    ...                          |
    // allocate                  |
    mon = kzalloc();             |
    ...                          |
  }                              |
Monitoring pointer in thread 2 is dereferenced before monitoring data
is allocated in thread 1. This causes kernel panic.
This commit fixes it by allocating the monitoring data before enabling
the bearer to receive messages.
Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
Reported-by: Shuang Li <shuali@redhat.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-03-04 13:19:13 +00:00
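The race the commit message describes is a publish-before-initialise ordering bug: the bearer is marked usable (and can start delivering packets to the receive path) before the per-bearer monitor it depends on exists. The following is an added example, not code from the commit or from the TIPC subsystem: it models the two orderings of tipc_enable_bearer() as a two-step sequence, enumerates every point at which a receive in the other context could run, and counts how many interleavings would dereference a NULL monitor. All struct and function names (node_state, t1_run, t2_rcv, count_racy_interleavings) are stand-ins chosen for the model, not kernel identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the monitor data that tipc_mon_create() allocates
 * (hypothetical struct, not TIPC's tipc_monitor). */
struct monitor {
    unsigned short dom_gen;
};

/* The two pieces of state tipc_enable_bearer() publishes, modelled
 * as plain fields: the "bearer is up" flag and the monitor pointer. */
struct node_state {
    bool bearer_up;        /* test_and_set_bit_lock() in thread 1 */
    struct monitor *mon;   /* tipc_mon_create() in thread 1 */
};

enum t1_step { T1_ENABLE, T1_ALLOC };

/* Thread 1's step order for each version of the enable path. */
static const enum t1_step order_buggy[2] = { T1_ENABLE, T1_ALLOC }; /* before the fix */
static const enum t1_step order_fixed[2] = { T1_ALLOC, T1_ENABLE }; /* after the fix */

/* Execute one thread-1 step against the shared state. */
static void t1_run(struct node_state *s, enum t1_step st, struct monitor *storage)
{
    if (st == T1_ENABLE) {
        s->bearer_up = true;          /* packets may now reach tipc_rcv() */
    } else {
        storage->dom_gen = 0;         /* kzalloc() equivalent */
        s->mon = storage;
    }
}

/* Thread 2: tipc_l2_rcv_msg() -> ... -> tipc_mon_prep().
 * Returns true if this receive would dereference a NULL monitor.
 * Packets on a bearer that is not yet up are simply dropped. */
static bool t2_rcv(const struct node_state *s)
{
    if (!s->bearer_up)
        return false;
    if (s->mon == NULL)
        return true;                  /* would be: u16 gen = mon->dom_gen; */
    (void)s->mon->dom_gen;            /* the normal, safe read */
    return false;
}

/* Exhaustively interleave one receive with the two thread-1 steps:
 * the receive can land before step 0, between step 0 and step 1, or
 * after step 1. Returns how many of those interleavings hit the bug. */
int count_racy_interleavings(const enum t1_step order[2])
{
    int hits = 0;

    for (int rcv_at = 0; rcv_at <= 2; rcv_at++) {
        struct node_state s = { false, NULL };
        struct monitor m;

        for (int step = 0; step <= 2; step++) {
            if (step == rcv_at && t2_rcv(&s))
                hits++;
            if (step < 2)
                t1_run(&s, order[step], &m);
        }
    }
    return hits;
}

int main(void)
{
    printf("enable-then-alloc (before fix): %d racy interleaving(s)\n",
           count_racy_interleavings(order_buggy));
    printf("alloc-then-enable (after fix):  %d racy interleaving(s)\n",
           count_racy_interleavings(order_fixed));
    return 0;
}
```

With the pre-fix order exactly one interleaving (receive between the bit_lock and the allocation) reaches the NULL dereference; with the allocation moved ahead of the enable, no interleaving does, because a packet can only be processed once bearer_up is set, and by then mon is already populated. The same init-before-publish rule is what the real fix enforces in tipc_enable_bearer().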