iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Taehee Yoo dddfb252f6 tipc: fix ordering of tipc module init and exit routine 
[ Upstream commit 9cf1cd8ee3ee09ef2859017df2058e2f53c5347f ]

In order to set/get/dump, the tipc uses the generic netlink
infrastructure. So, when tipc module is inserted, init function
calls genl_register_family().
After genl_register_family(), set/get/dump commands are immediately
allowed and these callbacks internally use the net_generic.
net_generic is allocated by register_pernet_device() but this
is called after genl_register_family() in the __init function.
So, these callbacks would use un-initialized net_generic.

Test commands:
    #SHELL1
    while :
    do
        modprobe tipc
        modprobe -rv tipc
    done

    #SHELL2
    while :
    do
        tipc link list
    done

Splat looks like:
[   59.616322][ T2788] kasan: CONFIG_KASAN_INLINE enabled
[   59.617234][ T2788] kasan: GPF could be caused by NULL-ptr deref or user memory access
[   59.618398][ T2788] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[   59.619389][ T2788] CPU: 3 PID: 2788 Comm: tipc Not tainted 5.4.0+ #194
[   59.620231][ T2788] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   59.621428][ T2788] RIP: 0010:tipc_bcast_get_broadcast_mode+0x131/0x310 [tipc]
[   59.622379][ T2788] Code: c7 c6 ef 8b 38 c0 65 ff 0d 84 83 c9 3f e8 d7 a5 f2 e3 48 8d bb 38 11 00 00 48 b8 00 00 00 00
[   59.622550][ T2780] NET: Registered protocol family 30
[   59.624627][ T2788] RSP: 0018:ffff88804b09f578 EFLAGS: 00010202
[   59.624630][ T2788] RAX: dffffc0000000000 RBX: 0000000000000011 RCX: 000000008bc66907
[   59.624631][ T2788] RDX: 0000000000000229 RSI: 000000004b3cf4cc RDI: 0000000000001149
[   59.624633][ T2788] RBP: ffff88804b09f588 R08: 0000000000000003 R09: fffffbfff4fb3df1
[   59.624635][ T2788] R10: fffffbfff50318f8 R11: ffff888066cadc18 R12: ffffffffa6cc2f40
[   59.624637][ T2788] R13: 1ffff11009613eba R14: ffff8880662e9328 R15: ffff8880662e9328
[   59.624639][ T2788] FS:  00007f57d8f7b740(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000
[   59.624645][ T2788] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   59.625875][ T2780] tipc: Started in single node mode
[   59.626128][ T2788] CR2: 00007f57d887a8c0 CR3: 000000004b140002 CR4: 00000000000606e0
[   59.633991][ T2788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   59.635195][ T2788] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   59.636478][ T2788] Call Trace:
[   59.637025][ T2788]  tipc_nl_add_bc_link+0x179/0x1470 [tipc]
[   59.638219][ T2788]  ? lock_downgrade+0x6e0/0x6e0
[   59.638923][ T2788]  ? __tipc_nl_add_link+0xf90/0xf90 [tipc]
[   59.639533][ T2788]  ? tipc_nl_node_dump_link+0x318/0xa50 [tipc]
[   59.640160][ T2788]  ? mutex_lock_io_nested+0x1380/0x1380
[   59.640746][ T2788]  tipc_nl_node_dump_link+0x4fd/0xa50 [tipc]
[   59.641356][ T2788]  ? tipc_nl_node_reset_link_stats+0x340/0x340 [tipc]
[   59.642088][ T2788]  ? __skb_ext_del+0x270/0x270
[   59.642594][ T2788]  genl_lock_dumpit+0x85/0xb0
[   59.643050][ T2788]  netlink_dump+0x49c/0xed0
[   59.643529][ T2788]  ? __netlink_sendskb+0xc0/0xc0
[   59.644044][ T2788]  ? __netlink_dump_start+0x190/0x800
[   59.644617][ T2788]  ? __mutex_unlock_slowpath+0xd0/0x670
[   59.645177][ T2788]  __netlink_dump_start+0x5a0/0x800
[   59.645692][ T2788]  genl_rcv_msg+0xa75/0xe90
[   59.646144][ T2788]  ? __lock_acquire+0xdfe/0x3de0
[   59.646692][ T2788]  ? genl_family_rcv_msg_attrs_parse+0x320/0x320
[   59.647340][ T2788]  ? genl_lock_dumpit+0xb0/0xb0
[   59.647821][ T2788]  ? genl_unlock+0x20/0x20
[   59.648290][ T2788]  ? genl_parallel_done+0xe0/0xe0
[   59.648787][ T2788]  ? find_held_lock+0x39/0x1d0
[   59.649276][ T2788]  ? genl_rcv+0x15/0x40
[   59.649722][ T2788]  ? lock_contended+0xcd0/0xcd0
[   59.650296][ T2788]  netlink_rcv_skb+0x121/0x350
[   59.650828][ T2788]  ? genl_family_rcv_msg_attrs_parse+0x320/0x320
[   59.651491][ T2788]  ? netlink_ack+0x940/0x940
[   59.651953][ T2788]  ? lock_acquire+0x164/0x3b0
[   59.652449][ T2788]  genl_rcv+0x24/0x40
[   59.652841][ T2788]  netlink_unicast+0x421/0x600
[ ... ]

Fixes: 7e4369057806 ("tipc: fix a slab object leak")
Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-21 10:42:24 +01:00
..
6lowpan
6lowpan: iphc: reset mac_header after decompress to fix panic
2018-10-03 17:01:42 -07:00
9p
9p/virtio: Add cleanup path in p9_virtio_init
2019-08-04 09:33:28 +02:00
802
8021q
vlan: disable SIOCSHWTSTAMP in container
2019-05-16 19:43:46 +02:00
appletalk
appletalk: Set error code if register_snap_client failed
2019-12-21 10:41:45 +01:00
atm
net: atm: Fix potential Spectre v1 vulnerabilities
2019-04-27 09:34:40 +02:00
ax25
ax25: enforce CAP_NET_RAW for raw sockets
2019-10-05 12:30:15 +02:00
batman-adv
batman-adv: Only read OGM2 tvlv_len after buffer len check
2019-09-21 07:14:14 +02:00
bluetooth
Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS
2019-11-25 09:53:00 +01:00
bridge
net: bridge: deny dev_set_mac_address() when unregistering
2019-12-21 10:42:22 +01:00
caif
caif: reduce stack size with KASAN
2019-05-08 07:19:07 +02:00
can
can: purge socket error queue on sock destruct
2019-07-10 09:55:33 +02:00
ceph
libceph: use kbasename() and kill ceph_file_part()
2019-08-11 12:22:15 +02:00
core
net: fix possible overflow in __sk_mem_raise_allocated()
2019-12-05 15:35:13 +01:00
dcb
net: dcb: For wild-card lookups, use priority -1, not 0
2018-09-19 22:47:15 +02:00
dccp
inet: stop leaking jiffies on the wire
2019-11-10 11:23:29 +01:00
decnet
decnet: fix DN_IFREQ_SIZE
2019-12-05 15:35:12 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:27:39 +02:00
dsa
net: dsa: fix switch tree list
2019-11-10 11:23:26 +01:00
ethernet
net: introduce device min_header_len
2017-02-18 15:11:43 +01:00
hsr
net/hsr: fix possible crash in add_timer()
2019-03-19 13:14:08 +01:00
ieee802154
ieee802154: enforce CAP_NET_RAW for raw sockets
2019-10-05 12:30:15 +02:00
ipv4
tcp: md5: fix potential overestimation of TCP option space
2019-12-21 10:42:23 +01:00
ipv6
Revert "net: sit: fix memory leak in sit_init_net()"
2019-10-29 09:15:26 +01:00
ipx
ipx: call ipxitf_put() in ioctl error path
2017-05-25 15:44:41 +02:00
irda
irda: Only insert new objects into the global database via setsockopt
2018-09-15 09:43:01 +02:00
iucv
net/iucv: Free memory obtained by kzalloc
2018-03-31 18:11:34 +02:00
kcm
kcm: switch order of device registration to fix a crash
2019-04-17 08:36:44 +02:00
key
xfrm: clean up xfrm protocol checks
2019-09-16 08:19:32 +02:00
l2tp
l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
2019-11-28 18:29:03 +01:00
l3mdev
net: ipv6: Remove l3mdev_get_saddr6
2016-09-10 23:12:53 -07:00
lapb
lapb: fixed leak of control-blocks.
2019-06-22 08:17:22 +02:00
llc
llc: avoid blocking in llc_sap_close()
2019-11-25 09:52:18 +01:00
mac80211
mac80211: fix station inactive_time shortly after boot
2019-12-05 15:34:11 +01:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 20:01:19 +02:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-03-11 16:21:34 +01:00
ncsi
net/ncsi: Improve HNCDSC AEN handler
2016-10-20 11:23:08 -04:00
netfilter
ipvs: move old_secure_tcp into struct netns_ipvs
2019-11-12 19:15:57 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2019-03-13 14:04:53 -07:00
netlink
netlink: Don't shift on 64 for ngroups
2018-08-09 12:17:59 +02:00
netrom
netrom: hold sock when setting skb->destructor
2019-08-04 09:33:35 +02:00
nfc
nfc: netlink: fix double device reference drop
2019-11-12 19:15:39 +01:00
openvswitch
openvswitch: support asymmetric conntrack
2019-12-21 10:42:23 +01:00
packet
net/packet: fix race in tpacket_snd()
2019-08-25 10:51:51 +02:00
phonet
phonet: fix building with clang
2019-03-23 13:19:44 +01:00
qrtr
net: qrtr: Stop rx_worker before freeing node
2019-10-05 12:30:13 +02:00
rds
net/rds: Fix error handling in rds_ib_add_one()
2019-10-07 18:53:23 +02:00
rfkill
rfkill: gpio: fix memory leak in probe error path
2018-05-16 10:08:43 +02:00
rose
net: rose: fix a possible stack overflow
2019-04-03 06:24:14 +02:00
rxrpc
rxrpc: Fix send on a connected, but unbound socket
2019-08-04 09:33:34 +02:00
sched
net: sched: fix tc -s class show no bstats on class with nolock subqueues
2019-12-05 15:35:30 +01:00
sctp
sctp: cache netns in sctp_ep_common
2019-12-05 15:35:29 +01:00
strparser
strparser: Fix incorrect strp->need_bytes value.
2018-04-29 11:32:02 +02:00
sunrpc
sunrpc: fix crash when cache_head become valid before update
2019-12-21 10:42:19 +01:00
switchdev
switchdev: Execute bridge ndos only for bridge ports
2016-10-19 10:58:04 -04:00
tipc
tipc: fix ordering of tipc module init and exit routine
2019-12-21 10:42:24 +01:00
unix
net: fix warning in af_unix
2019-11-28 18:28:28 +01:00
vmw_vsock
VSOCK: bind to random port for VMADDR_PORT_ANY
2019-12-05 15:34:26 +01:00
wimax
wireless
nl80211: Fix a GET_KEY reply attribute
2019-11-25 09:53:23 +01:00
x25
net/x25: fix null_x25_address handling
2019-12-21 10:41:14 +01:00
xfrm
xfrm: clean up xfrm protocol checks
2019-09-16 08:19:32 +02:00
compat.c
sock: Make sock->sk_stamp thread-safe
2019-01-09 16:16:41 +01:00
Kconfig
Makefile
socket.c
bpf: get rid of pure_initcall dependency to enable jits
2019-08-25 10:51:40 +02:00
sysctl_net.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2016-10-06 09:52:23 -07:00