git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/3.4.57/ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-namespace-cleanup.patch
1 From 92c0c8831ae20201cf1019d88d3e355f38586795 Mon Sep 17 00:00:00 2001
2 From: Hannes Frederic Sowa <hannes@stressinduktion.org>
3 Date: Mon, 22 Jul 2013 23:45:53 +0200
4 Subject: ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup
5
6 From: Hannes Frederic Sowa <hannes@stressinduktion.org>
7
8 [ Upstream commit 905a6f96a1b18e490a75f810d733ced93c39b0e5 ]
9
10 Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
11 which leads to a panic (from Srivatsa S. Bhat):
12
13 BUG: unable to handle kernel paging request at ffff882018552020
14 IP: [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
15 PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
16 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
17 Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
18 +ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
19 CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
20 Hardware name: IBM -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
21 Workqueue: netns cleanup_net
22 task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
23 RIP: 0010:[<ffffffffa0366b02>] [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
24 RSP: 0018:ffff881039367bd8 EFLAGS: 00010286
25 RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
26 RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
27 RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
28 R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
29 R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
30 FS: 0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
31 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
32 CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
33 Stack:
34 ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
35 ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
36 ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
37 Call Trace:
38 [<ffffffffa034d9d1>] rawv6_close+0x21/0x40 [ipv6]
39 [<ffffffff815bdecb>] inet_release+0xfb/0x220
40 [<ffffffff815bddf2>] ? inet_release+0x22/0x220
41 [<ffffffffa032686f>] inet6_release+0x3f/0x50 [ipv6]
42 [<ffffffff8151c1d9>] sock_release+0x29/0xa0
43 [<ffffffff81525520>] sk_release_kernel+0x30/0x70
44 [<ffffffffa034f14b>] icmpv6_sk_exit+0x3b/0x80 [ipv6]
45 [<ffffffff8152fff9>] ops_exit_list+0x39/0x60
46 [<ffffffff815306fb>] cleanup_net+0xfb/0x1a0
47 [<ffffffff81075e3a>] process_one_work+0x1da/0x610
48 [<ffffffff81075dc9>] ? process_one_work+0x169/0x610
49 [<ffffffff81076390>] worker_thread+0x120/0x3a0
50 [<ffffffff81076270>] ? process_one_work+0x610/0x610
51 [<ffffffff8107da2e>] kthread+0xee/0x100
52 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
53 [<ffffffff8162a99c>] ret_from_fork+0x7c/0xb0
54 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
55 Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
56 RIP [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
57 RSP <ffff881039367bd8>
58 CR2: ffff882018552020
59
60 Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
61 Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
62 Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
63 Signed-off-by: David S. Miller <davem@davemloft.net>
64 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
65 ---
66 net/ipv6/ip6mr.c | 5 +++++
67 1 file changed, 5 insertions(+)
68
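--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -256,10 +256,12 @@ static void __net_exit ip6mr_rules_exit(
 {
 struct mr6_table *mrt, *next;
 
+ rtnl_lock();
 list_for_each_entry_safe(mrt, next, &net->ipv6.mr6_tables, list) {
 list_del(&mrt->list);
 ip6mr_free_table(mrt);
 }
+ rtnl_unlock();
 fib_rules_unregister(net->ipv6.mr6_rules_ops);
 }
 #else
@@ -286,7 +288,10 @@ static int __net_init ip6mr_rules_init(s
 
 static void __net_exit ip6mr_rules_exit(struct net *net)
 {
+ rtnl_lock();
 ip6mr_free_table(net->ipv6.mrt6);
+ net->ipv6.mrt6 = NULL;
+ rtnl_unlock();
 }
 #endif
 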
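Review bot: Neither `ip6mr_rules_exit()` variant records why teardown now runs under `rtnl_lock()` or why `net->ipv6.mrt6` is cleared, so this use-after-free guard is easy to lose in a later refactor. The trace in the description shows `ip6mr_sk_done()` reached from `icmpv6_sk_exit()` during `cleanup_net` after the table is gone, so I would add above the single-table body a comment such as `/* sockets are still released later in netns cleanup; clear mrt6 under rtnl so ip6mr_sk_done() finds no table rather than freed memory */`. In the multiple-tables variant, `fib_rules_unregister(net->ipv6.mr6_rules_ops)` still runs after `rtnl_unlock()`; the hunk does not show whether the rule ops can be reached concurrently at that point, so it is worth confirming that call does not need the same lock. Both changes also assume every reader of the table list or pointer holds rtnl, which is not visible in these hunks.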