iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
WANG Cong e252b3d1a1 route: fix a use-after-free 
This patch fixes the following crash:

 general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.2.0-rc7+ #166
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
 task: ffff88010656d280 ti: ffff880106570000 task.ti: ffff880106570000
 RIP: 0010:[<ffffffff8182f91b>]  [<ffffffff8182f91b>] dst_destroy+0xa6/0xef
 RSP: 0018:ffff880107603e38  EFLAGS: 00010202
 RAX: 0000000000000001 RBX: ffff8800d225a000 RCX: ffffffff82250fd0
 RDX: 0000000000000001 RSI: ffffffff82250fd0 RDI: 6b6b6b6b6b6b6b6b
 RBP: ffff880107603e58 R08: 0000000000000001 R09: 0000000000000001
 R10: 000000000000b530 R11: ffff880107609000 R12: 0000000000000000
 R13: ffffffff82343c40 R14: 0000000000000000 R15: ffffffff8182fb4f
 FS:  0000000000000000(0000) GS:ffff880107600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
 CR2: 00007fcabd9d3000 CR3: 00000000d7279000 CR4: 00000000000006e0
 Stack:
  ffffffff82250fd0 ffff8801077d6f00 ffffffff82253c40 ffff8800d225a000
  ffff880107603e68 ffffffff8182fb5d ffff880107603f08 ffffffff810d795e
  ffffffff810d7648 ffff880106574000 ffff88010656d280 ffff88010656d280
 Call Trace:
  <IRQ>
  [<ffffffff8182fb5d>] dst_destroy_rcu+0xe/0x1d
  [<ffffffff810d795e>] rcu_process_callbacks+0x618/0x7eb
  [<ffffffff810d7648>] ? rcu_process_callbacks+0x302/0x7eb
  [<ffffffff8182fb4f>] ? dst_gc_task+0x1eb/0x1eb
  [<ffffffff8107e11b>] __do_softirq+0x178/0x39f
  [<ffffffff8107e52e>] irq_exit+0x41/0x95
  [<ffffffff81a4f215>] smp_apic_timer_interrupt+0x34/0x40
  [<ffffffff81a4d5cd>] apic_timer_interrupt+0x6d/0x80
  <EOI>
  [<ffffffff8100b968>] ? default_idle+0x21/0x32
  [<ffffffff8100b966>] ? default_idle+0x1f/0x32
  [<ffffffff8100bf19>] arch_cpu_idle+0xf/0x11
  [<ffffffff810b0bc7>] default_idle_call+0x1f/0x21
  [<ffffffff810b0dce>] cpu_startup_entry+0x1ad/0x273
  [<ffffffff8102fe67>] start_secondary+0x135/0x156

dst is freed right before lwtstate_put(), this is not correct...

Fixes: 61adedf3e3f1 ("route: move lwtunnel state to dst_entry")
Acked-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-08-25 14:29:19 -07:00
..
6lowpan
6lowpan: move module_init into core functionality
2015-08-11 22:05:36 +02:00
9p
virtio/vhost: fixes for 4.2
2015-07-23 13:07:04 -07:00
802
net: Kill dev_rebuild_header
2015-03-02 16:43:41 -05:00
8021q
net: 8021q: convert to using IFF_NO_QUEUE
2015-08-18 11:55:06 -07:00
appletalk
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
atm
br2684: Remove unnecessary formatting macros b1 and bs
2015-07-31 15:25:52 -07:00
ax25
NET: AX.25: Stop heartbeat timer on disconnect.
2015-07-15 15:59:58 -07:00
batman-adv
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-08-21 11:44:04 -07:00
bluetooth
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
2015-08-17 15:41:21 -07:00
bridge
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-08-21 11:44:04 -07:00
caif
net: caif: convert to using IFF_NO_QUEUE
2015-08-18 11:55:07 -07:00
can
can: replace timestamp as unique skb attribute
2015-07-12 21:13:22 +02:00
ceph
libceph: treat sockaddr_storage with uninitialized family as blank
2015-07-09 20:30:34 +03:00
core
route: fix a use-after-free
2015-08-25 14:29:19 -07:00
dcb
net/dcb: Add IEEE QCN attribute
2015-03-06 21:50:02 -05:00
dccp
tcp: fix recv with flags MSG_WAITALL | MSG_PEEK
2015-07-27 01:06:53 -07:00
decnet
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
dns_resolver
dsa
net: dsa: Allow multi hop routes to be expressed
2015-08-18 14:17:21 -07:00
ethernet
net: ethernet: Fix double word "the the" in eth.c
2015-08-09 22:53:00 -07:00
hsr
net: hsr: convert to using IFF_NO_QUEUE
2015-08-18 11:55:07 -07:00
ieee802154
net: 6lowpan: convert to using IFF_NO_QUEUE
2015-08-18 11:55:06 -07:00
ipv4
ah4: Fix error return in ah_input().
2015-08-25 13:38:50 -07:00
ipv6
ah6: fix error return code
2015-08-25 13:37:31 -07:00
ipx
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
irda
irda: use msecs_to_jiffies for conversion to jiffies
2015-05-25 17:46:21 -04:00
iucv
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2015-06-24 16:49:49 -07:00
l2tp
net: Modify sk_alloc to not reference count the netns of kernel sockets.
2015-05-11 10:50:18 -04:00
lapb
llc
tcp: fix recv with flags MSG_WAITALL | MSG_PEEK
2015-07-27 01:06:53 -07:00
mac80211
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-08-21 11:44:04 -07:00
mac802154
ieee802154: add ack request default handling
2015-08-10 20:43:06 +02:00
mpls
lwt: Add cfg argument to build_state
2015-08-24 10:34:40 -07:00
netfilter
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2015-08-21 06:09:05 +02:00
netlabel
netlink: implement nla_put_in_addr and nla_put_in6_addr
2015-03-31 13:58:35 -04:00
netlink
netlink: make sure -EBUSY won't escape from netlink_insert
2015-08-10 10:59:10 -07:00
netrom
netfilter: Remove spurios included of netfilter.h
2015-06-18 21:14:32 +02:00
nfc
nfc: netlink: Add capability to reply to vendor_cmd with data
2015-08-20 22:00:11 +02:00
openvswitch
route: move lwtunnel state to dst_entry
2015-08-20 15:42:36 -07:00
packet
packet: add extended BPF fanout mode
2015-08-17 14:22:48 -07:00
phonet
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
rds
RDS: check for valid cm_id before initiating connection
2015-08-25 13:35:31 -07:00
rfkill
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
2015-08-17 15:41:21 -07:00
rose
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-06-24 02:58:51 -07:00
rxrpc
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
sched
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2015-08-21 06:09:05 +02:00
sctp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-07-31 23:52:20 -07:00
sunrpc
NFS client bugfixes for Linux 4.2
2015-07-28 09:37:44 -07:00
switchdev
net: switchdev: support static FDB addresses
2015-08-11 12:03:19 -07:00
tipc
tipc: fix stale link problem during synchronization
2015-08-23 16:14:45 -07:00
unix
net/unix: support SCM_SECURITY for stream sockets
2015-06-10 22:49:20 -07:00
vmw_vsock
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
wimax
net:wimax: Fix doucble word "the the" in networking.xml
2015-08-09 22:43:52 -07:00
wireless
nl80211: Allow setting multicast rate on OCB interfaces
2015-08-14 17:49:48 +02:00
x25
net: Pass kern from net_proto_family.create to sk_alloc
2015-05-11 10:50:17 -04:00
xfrm
xfrm: Add oif to dst lookups
2015-08-11 12:41:35 +02:00
compat.c
net: switch importing msghdr from userland to {compat_,}import_iovec()
2015-04-09 00:02:26 -04:00
Kconfig
lwtunnel: infrastructure for handling light weight tunnels like mpls
2015-07-21 10:39:03 -07:00
Makefile
mpls: Refactor how the mpls module is built
2015-03-04 00:26:06 -05:00
socket.c
net: Add a struct net parameter to sock_create_kern
2015-05-11 10:50:17 -04:00
sysctl_net.c