linux/net/ipv6
Hannes Frederic Sowa 905a6f96a1 ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup
Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
which leads to a panic (from Srivatsa S. Bhat):

BUG: unable to handle kernel paging request at ffff882018552020
IP: [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
+ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
Hardware name: IBM  -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
Workqueue: netns cleanup_net
task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
RIP: 0010:[<ffffffffa0366b02>]  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
RSP: 0018:ffff881039367bd8  EFLAGS: 00010286
RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
Stack:
 ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
 ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
 ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
Call Trace:
 [<ffffffffa034d9d1>] rawv6_close+0x21/0x40 [ipv6]
 [<ffffffff815bdecb>] inet_release+0xfb/0x220
 [<ffffffff815bddf2>] ? inet_release+0x22/0x220
 [<ffffffffa032686f>] inet6_release+0x3f/0x50 [ipv6]
 [<ffffffff8151c1d9>] sock_release+0x29/0xa0
 [<ffffffff81525520>] sk_release_kernel+0x30/0x70
 [<ffffffffa034f14b>] icmpv6_sk_exit+0x3b/0x80 [ipv6]
 [<ffffffff8152fff9>] ops_exit_list+0x39/0x60
 [<ffffffff815306fb>] cleanup_net+0xfb/0x1a0
 [<ffffffff81075e3a>] process_one_work+0x1da/0x610
 [<ffffffff81075dc9>] ? process_one_work+0x169/0x610
 [<ffffffff81076390>] worker_thread+0x120/0x3a0
 [<ffffffff81076270>] ? process_one_work+0x610/0x610
 [<ffffffff8107da2e>] kthread+0xee/0x100
 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
 [<ffffffff8162a99c>] ret_from_fork+0x7c/0xb0
 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
RIP  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
 RSP <ffff881039367bd8>
CR2: ffff882018552020

Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-24 17:02:13 -07:00
..
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-03 14:55:13 -07:00
addrconf_core.c ipv6: add include file to suppress sparse warnings 2013-06-25 02:44:05 -07:00
addrconf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-03 14:55:13 -07:00
addrlabel.c rtnetlink: Remove passing of attributes into rtnl_doit functions 2013-03-22 10:31:16 -04:00
af_inet6.c net: ipv6: Add IPv6 support to the ping socket. 2013-05-25 21:07:49 -07:00
ah6.c net: Add skb_unclone() helper function. 2013-02-15 15:10:37 -05:00
anycast.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
datagram.c net: ipv6: Unify {raw,udp}6_sock_seq_show. 2013-06-04 12:56:14 -07:00
esp6.c ah6/esp6: set transport header correctly for IPsec tunnel mode. 2013-01-08 12:41:30 +01:00
exthdrs_core.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
exthdrs_offload.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
exthdrs.c ipv6: Store Router Alert option in IP6CB directly. 2013-01-13 20:17:14 -05:00
fib6_rules.c ipv6: introduce ip6_rt_put() 2012-11-03 14:59:05 -04:00
icmp.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
inet6_connection_sock.c ipv6: use newly introduced __ipv6_addr_needs_scope_id and ipv6_iface_scope_id 2013-03-08 12:29:22 -05:00
inet6_hashtables.c soreuseport: TCP/IPv6 implementation 2013-01-23 13:44:01 -05:00
ip6_checksum.c ipv6: move csum_ipv6_magic() and udp6_csum_init() into static library 2013-01-08 17:56:10 -08:00
ip6_fib.c ipv6: only static routes qualify for equal cost multipathing 2013-07-12 16:29:54 -07:00
ip6_flowlabel.c ipv6 flowlabel: add __rcu annotations 2013-03-07 16:33:10 -05:00
ip6_gre.c ipv6,gre: do not leak info to user-space 2013-05-11 17:40:14 -07:00
ip6_icmp.c ipv6: Kill ipv6 dependency of icmpv6_send(). 2013-04-29 13:54:36 -04:00
ip6_input.c ipv6: don't accept node local multicast traffic from the wire 2013-03-29 14:57:33 -04:00
ip6_offload.c MPLS: Add limited GSO support 2013-05-27 22:50:59 -07:00
ip6_offload.h ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
ip6_output.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-07-03 14:55:13 -07:00
ip6_tunnel.c GRE: Refactor GRE tunneling code. 2013-03-26 12:27:18 -04:00
ip6mr.c ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup 2013-07-24 17:02:13 -07:00
ipcomp6.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
ipv6_sockglue.c ipv6: rename datagram_send_ctl and datagram_recv_ctl 2013-01-31 13:53:08 -05:00
Kconfig Tunneling: use IP Tunnel stats APIs. 2013-03-26 12:27:19 -04:00
Makefile net: ipv6: Add IPv6 support to the ping socket. 2013-05-25 21:07:49 -07:00
mcast.c ipv6,mcast: always hold idev->lock before mca_lock 2013-07-01 23:39:21 -07:00
mip6.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
ndisc.c ndisc: bool initializations should use true and false 2013-07-16 12:13:31 -07:00
netfilter.c netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6 2013-05-23 11:58:55 +02:00
output_core.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
ping.c net: ipv6: fix wrong ping_v6_sendmsg return value 2013-07-03 17:42:05 -07:00
proc.c snmp6: remove IPSTATS_MIB_CSUMERRORS 2013-05-31 16:26:49 -07:00
protocol.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
raw.c net: ipv6: Unify {raw,udp}6_sock_seq_show. 2013-06-04 12:56:14 -07:00
reassembly.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-22 20:32:51 -04:00
route.c ipv6: fix route selection if kernel is not compiled with CONFIG_IPV6_ROUTER_PREF 2013-07-11 11:51:10 -07:00
sit.c sit: fix tunnel update via netlink 2013-07-04 14:55:47 -07:00
syncookies.c tcp: Remove TCPCT 2013-03-17 14:35:13 -04:00
sysctl_net_ipv6.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
tcp_ipv6.c net: rename ll methods to busy-poll 2013-07-10 17:08:27 -07:00
tcpv6_offload.c net: Remove code duplication between offload structures 2012-11-15 17:39:51 -05:00
tunnel6.c
udp_impl.h ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
udp_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-06-05 16:37:30 -07:00
udp.c net: rename ll methods to busy-poll 2013-07-10 17:08:27 -07:00
udplite.c ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c xfrm: allow to avoid copying DSCP during encapsulation 2013-03-06 07:02:45 +01:00
xfrm6_output.c
xfrm6_policy.c xfrm6: release dev before returning error 2013-05-11 17:40:15 -07:00
xfrm6_state.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
xfrm6_tunnel.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00