[thirdparty/kernel/stable-queue.git] / releases / 5.0.19 / tipc-switch-order-of-device-registration-to-fix-a-crash.patch

From foo@baz Wed 22 May 2019 08:35:12 AM CEST
From: Junwei Hu <hujunwei4@huawei.com>
Date: Thu, 16 May 2019 10:51:15 +0800
Subject: tipc: switch order of device registration to fix a crash

From: Junwei Hu <hujunwei4@huawei.com>

[ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ]

When tipc is loaded while many processes try to create a TIPC socket,
a crash occurs:
 PANIC: Unable to handle kernel paging request at virtual
 address "dfff20000000021d"
 pc : tipc_sk_create+0x374/0x1180 [tipc]
 lr : tipc_sk_create+0x374/0x1180 [tipc]
   Exception class = DABT (current EL), IL = 32 bits
 Call trace:
  tipc_sk_create+0x374/0x1180 [tipc]
  __sock_create+0x1cc/0x408
  __sys_socket+0xec/0x1f0
  __arm64_sys_socket+0x74/0xa8
 ...

This is due to race between sock_create and unfinished
register_pernet_device. tipc_sk_insert tries to do
"net_generic(net, tipc_net_id)".
but tipc_net_id is not initialized yet.

So switch the order of the two to close the race.

This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
and one process doing module removal.

Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Reported-by: Wang Wang <wangwang2@huawei.com>
Reviewed-by: Xiaogang Wang <wangxiaogang3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/core.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -129,10 +129,6 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_netlink_compat;
 
-	err = tipc_socket_init();
-	if (err)
-		goto out_socket;
-
 	err = tipc_register_sysctl();
 	if (err)
 		goto out_sysctl;
@@ -141,6 +137,10 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_pernet;
 
+	err = tipc_socket_init();
+	if (err)
+		goto out_socket;
+
 	err = tipc_bearer_setup();
 	if (err)
 		goto out_bearer;
@@ -148,12 +148,12 @@ static int __init tipc_init(void)
 	pr_info("Started in single node mode\n");
 	return 0;
 out_bearer:
+	tipc_socket_stop();
+out_socket:
 	unregister_pernet_subsys(&tipc_net_ops);
 out_pernet:
 	tipc_unregister_sysctl();
 out_sysctl:
-	tipc_socket_stop();
-out_socket:
 	tipc_netlink_compat_stop();
 out_netlink_compat:
 	tipc_netlink_stop();
@@ -165,10 +165,10 @@ out_netlink:
 static void __exit tipc_exit(void)
 {
 	tipc_bearer_cleanup();
+	tipc_socket_stop();
 	unregister_pernet_subsys(&tipc_net_ops);
 	tipc_netlink_stop();
 	tipc_netlink_compat_stop();
-	tipc_socket_stop();
 	tipc_unregister_sysctl();
 
 	pr_info("Deactivated\n");
Commit	Line	Data
b12f0636 GKH	1	From foo@baz Wed 22 May 2019 08:35:12 AM CEST
	2	From: Junwei Hu <hujunwei4@huawei.com>
	3	Date: Thu, 16 May 2019 10:51:15 +0800
	4	Subject: tipc: switch order of device registration to fix a crash
	5
	6	From: Junwei Hu <hujunwei4@huawei.com>
	7
	8	[ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ]
	9
	10	When tipc is loaded while many processes try to create a TIPC socket,
	11	a crash occurs:
	12	PANIC: Unable to handle kernel paging request at virtual
	13	address "dfff20000000021d"
	14	pc : tipc_sk_create+0x374/0x1180 [tipc]
	15	lr : tipc_sk_create+0x374/0x1180 [tipc]
	16	Exception class = DABT (current EL), IL = 32 bits
	17	Call trace:
	18	tipc_sk_create+0x374/0x1180 [tipc]
	19	__sock_create+0x1cc/0x408
	20	__sys_socket+0xec/0x1f0
	21	__arm64_sys_socket+0x74/0xa8
	22	...
	23
	24	This is due to race between sock_create and unfinished
	25	register_pernet_device. tipc_sk_insert tries to do
	26	"net_generic(net, tipc_net_id)".
	27	but tipc_net_id is not initialized yet.
	28
	29	So switch the order of the two to close the race.
	30
	31	This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
	32	and one process doing module removal.
	33
	34	Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
	35	Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
	36	Reported-by: Wang Wang <wangwang2@huawei.com>
	37	Reviewed-by: Xiaogang Wang <wangxiaogang3@huawei.com>
	38	Signed-off-by: David S. Miller <davem@davemloft.net>
	39	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	40	---
	41	net/tipc/core.c \| 14 +++++++-------
	42	1 file changed, 7 insertions(+), 7 deletions(-)
	43
	44	--- a/net/tipc/core.c
	45	+++ b/net/tipc/core.c
	46	@@ -129,10 +129,6 @@ static int __init tipc_init(void)
	47	if (err)
	48	goto out_netlink_compat;
	49
	50	- err = tipc_socket_init();
	51	- if (err)
	52	- goto out_socket;
	53	-
	54	err = tipc_register_sysctl();
	55	if (err)
	56	goto out_sysctl;
	57	@@ -141,6 +137,10 @@ static int __init tipc_init(void)
	58	if (err)
	59	goto out_pernet;
	60
	61	+ err = tipc_socket_init();
	62	+ if (err)
	63	+ goto out_socket;
	64	+
65	err = tipc_bearer_setup();
66	if (err)
67	goto out_bearer;
68	@@ -148,12 +148,12 @@ static int __init tipc_init(void)
69	pr_info("Started in single node mode\n");
70	return 0;
71	out_bearer:
72	+ tipc_socket_stop();
73	+out_socket:
74	unregister_pernet_subsys(&tipc_net_ops);
75	out_pernet:
76	tipc_unregister_sysctl();
77	out_sysctl:
78	- tipc_socket_stop();
79	-out_socket:
80	tipc_netlink_compat_stop();
81	out_netlink_compat:
82	tipc_netlink_stop();
83	@@ -165,10 +165,10 @@ out_netlink:
84	static void __exit tipc_exit(void)
85	{
86	tipc_bearer_cleanup();
87	+ tipc_socket_stop();
88	unregister_pernet_subsys(&tipc_net_ops);
89	tipc_netlink_stop();
90	tipc_netlink_compat_stop();
91	- tipc_socket_stop();
92	tipc_unregister_sysctl();
93
94	pr_info("Deactivated\n");