[thirdparty/kernel/stable-queue.git] / releases / 4.11.9 / net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch

From foo@baz Thu Jun 29 18:58:00 CEST 2017
From: Gao Feng <gfree.wind@vip.163.com>
Date: Fri, 16 Jun 2017 15:00:02 +0800
Subject: net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev

From: Gao Feng <gfree.wind@vip.163.com>


[ Upstream commit 9745e362add89432d2c951272a99b0a5fe4348a9 ]

The register_vlan_device would invoke free_netdev directly, when
register_vlan_dev failed. It would trigger the BUG_ON in free_netdev
if the dev was already registered. In this case, the netdev would be
freed in netdev_run_todo later.

So add one condition check now. Only when dev is not registered, then
free it directly.

The following is the part coredump when netdev_upper_dev_link failed
in register_vlan_dev. I removed the lines which are too long.

[  411.237457] ------------[ cut here ]------------
[  411.237458] kernel BUG at net/core/dev.c:7998!
[  411.237484] invalid opcode: 0000 [#1] SMP
[  411.237705]  [last unloaded: 8021q]
[  411.237718] CPU: 1 PID: 12845 Comm: vconfig Tainted: G            E   4.12.0-rc5+ #6
[  411.237737] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[  411.237764] task: ffff9cbeb6685580 task.stack: ffffa7d2807d8000
[  411.237782] RIP: 0010:free_netdev+0x116/0x120
[  411.237794] RSP: 0018:ffffa7d2807dbdb0 EFLAGS: 00010297
[  411.237808] RAX: 0000000000000002 RBX: ffff9cbeb6ba8fd8 RCX: 0000000000001878
[  411.237826] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 0000000000000000
[  411.237844] RBP: ffffa7d2807dbdc8 R08: 0002986100029841 R09: 0002982100029801
[  411.237861] R10: 0004000100029980 R11: 0004000100029980 R12: ffff9cbeb6ba9000
[  411.238761] R13: ffff9cbeb6ba9060 R14: ffff9cbe60f1a000 R15: ffff9cbeb6ba9000
[  411.239518] FS:  00007fb690d81700(0000) GS:ffff9cbebb640000(0000) knlGS:0000000000000000
[  411.239949] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  411.240454] CR2: 00007f7115624000 CR3: 0000000077cdf000 CR4: 00000000003406e0
[  411.240936] Call Trace:
[  411.241462]  vlan_ioctl_handler+0x3f1/0x400 [8021q]
[  411.241910]  sock_ioctl+0x18b/0x2c0
[  411.242394]  do_vfs_ioctl+0xa1/0x5d0
[  411.242853]  ? sock_alloc_file+0xa6/0x130
[  411.243465]  SyS_ioctl+0x79/0x90
[  411.243900]  entry_SYSCALL_64_fastpath+0x1e/0xa9
[  411.244425] RIP: 0033:0x7fb69089a357
[  411.244863] RSP: 002b:00007ffcd04e0fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[  411.245445] RAX: ffffffffffffffda RBX: 00007ffcd04e2884 RCX: 00007fb69089a357
[  411.245903] RDX: 00007ffcd04e0fd0 RSI: 0000000000008983 RDI: 0000000000000003
[  411.246527] RBP: 00007ffcd04e0fd0 R08: 0000000000000000 R09: 1999999999999999
[  411.246976] R10: 000000000000053f R11: 0000000000000202 R12: 0000000000000004
[  411.247414] R13: 00007ffcd04e1128 R14: 00007ffcd04e2888 R15: 0000000000000001
[  411.249129] RIP: free_netdev+0x116/0x120 RSP: ffffa7d2807dbdb0

Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/8021q/vlan.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -277,7 +277,8 @@ static int register_vlan_device(struct n
 	return 0;
 
 out_free_newdev:
-	free_netdev(new_dev);
+	if (new_dev->reg_state == NETREG_UNINITIALIZED)
+		free_netdev(new_dev);
 	return err;
 }
Commit	Line	Data
97a4208b GKH	1	From foo@baz Thu Jun 29 18:58:00 CEST 2017
	2	From: Gao Feng <gfree.wind@vip.163.com>
	3	Date: Fri, 16 Jun 2017 15:00:02 +0800
	4	Subject: net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
	5
	6	From: Gao Feng <gfree.wind@vip.163.com>
	7
	8
	9	[ Upstream commit 9745e362add89432d2c951272a99b0a5fe4348a9 ]
	10
	11	The register_vlan_device would invoke free_netdev directly, when
	12	register_vlan_dev failed. It would trigger the BUG_ON in free_netdev
	13	if the dev was already registered. In this case, the netdev would be
	14	freed in netdev_run_todo later.
	15
	16	So add one condition check now. Only when dev is not registered, then
	17	free it directly.
	18
	19	The following is the part coredump when netdev_upper_dev_link failed
	20	in register_vlan_dev. I removed the lines which are too long.
	21
	22	[ 411.237457] ------------[ cut here ]------------
	23	[ 411.237458] kernel BUG at net/core/dev.c:7998!
	24	[ 411.237484] invalid opcode: 0000 [#1] SMP
	25	[ 411.237705] [last unloaded: 8021q]
	26	[ 411.237718] CPU: 1 PID: 12845 Comm: vconfig Tainted: G E 4.12.0-rc5+ #6
	27	[ 411.237737] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
	28	[ 411.237764] task: ffff9cbeb6685580 task.stack: ffffa7d2807d8000
	29	[ 411.237782] RIP: 0010:free_netdev+0x116/0x120
	30	[ 411.237794] RSP: 0018:ffffa7d2807dbdb0 EFLAGS: 00010297
	31	[ 411.237808] RAX: 0000000000000002 RBX: ffff9cbeb6ba8fd8 RCX: 0000000000001878
	32	[ 411.237826] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 0000000000000000
	33	[ 411.237844] RBP: ffffa7d2807dbdc8 R08: 0002986100029841 R09: 0002982100029801
	34	[ 411.237861] R10: 0004000100029980 R11: 0004000100029980 R12: ffff9cbeb6ba9000
	35	[ 411.238761] R13: ffff9cbeb6ba9060 R14: ffff9cbe60f1a000 R15: ffff9cbeb6ba9000
	36	[ 411.239518] FS: 00007fb690d81700(0000) GS:ffff9cbebb640000(0000) knlGS:0000000000000000
	37	[ 411.239949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	38	[ 411.240454] CR2: 00007f7115624000 CR3: 0000000077cdf000 CR4: 00000000003406e0
	39	[ 411.240936] Call Trace:
	40	[ 411.241462] vlan_ioctl_handler+0x3f1/0x400 [8021q]
	41	[ 411.241910] sock_ioctl+0x18b/0x2c0
	42	[ 411.242394] do_vfs_ioctl+0xa1/0x5d0
	43	[ 411.242853] ? sock_alloc_file+0xa6/0x130
	44	[ 411.243465] SyS_ioctl+0x79/0x90
	45	[ 411.243900] entry_SYSCALL_64_fastpath+0x1e/0xa9
	46	[ 411.244425] RIP: 0033:0x7fb69089a357
	47	[ 411.244863] RSP: 002b:00007ffcd04e0fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
	48	[ 411.245445] RAX: ffffffffffffffda RBX: 00007ffcd04e2884 RCX: 00007fb69089a357
	49	[ 411.245903] RDX: 00007ffcd04e0fd0 RSI: 0000000000008983 RDI: 0000000000000003
	50	[ 411.246527] RBP: 00007ffcd04e0fd0 R08: 0000000000000000 R09: 1999999999999999
	51	[ 411.246976] R10: 000000000000053f R11: 0000000000000202 R12: 0000000000000004
	52	[ 411.247414] R13: 00007ffcd04e1128 R14: 00007ffcd04e2888 R15: 0000000000000001
	53	[ 411.249129] RIP: free_netdev+0x116/0x120 RSP: ffffa7d2807dbdb0
	54
	55	Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
	56	Signed-off-by: David S. Miller <davem@davemloft.net>
	57	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	58	---
	59	net/8021q/vlan.c \| 3 ++-
	60	1 file changed, 2 insertions(+), 1 deletion(-)
	61
	62	--- a/net/8021q/vlan.c
	63	+++ b/net/8021q/vlan.c
	64	@@ -277,7 +277,8 @@ static int register_vlan_device(struct n
65	return 0;
66
67	out_free_newdev:
68	- free_netdev(new_dev);
69	+ if (new_dev->reg_state == NETREG_UNINITIALIZED)
70	+ free_netdev(new_dev);
71	return err;
72	}
73