leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
be4977b847
linux/net/tipc
History
Tung Nguyen be4977b847 tipc: fix kernel panic when enabling bearer 
When enabling a bearer on a node, a kernel panic is observed:

[    4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]
...
[    4.520030] Call Trace:
[    4.520689]  <IRQ>
[    4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]
[    4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]
[    4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]
[    4.525292]  tipc_rcv+0x5da/0x730 [tipc]
[    4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0
[    4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]
[    4.528737]  __netif_receive_skb_list_core+0x20b/0x260
[    4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0
[    4.531450]  ? dev_gro_receive+0x4c2/0x680
[    4.532512]  napi_complete_done+0x6f/0x180
[    4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]
...

The node in question is receiving activate messages in another
thread after changing bearer status to allow message sending/
receiving in current thread:

         thread 1           |              thread 2
         --------           |              --------
                            |
tipc_enable_bearer()        |
  test_and_set_bit_lock()   |
    tipc_bearer_xmit_skb()  |
                            | tipc_l2_rcv_msg()
                            |   tipc_rcv()
                            |     __tipc_node_link_up()
                            |       tipc_link_build_state_msg()
                            |         tipc_link_build_proto_msg()
                            |           tipc_mon_prep()
                            |           {
                            |             ...
                            |             // null-pointer dereference
                            |             u16 gen = mon->dom_gen;
                            |             ...
                            |           }
  // Not being executed yet |
  tipc_mon_create()         |
  {                         |
    ...                     |
    // allocate             |
    mon = kzalloc();        |
    ...                     |
  }                         |

Monitoring pointer in thread 2 is dereferenced before monitoring data
is allocated in thread 1. This causes kernel panic.

This commit fixes it by allocating the monitoring data before enabling
the bearer to receive messages.

Fixes: 35c55c9877 ("tipc: add neighbor monitoring framework")
Reported-by: Shuang Li <shuali@redhat.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-03-04 13:19:13 +00:00
..
addr.c tipc: introduce new unified address type for internal use 2021-03-17 11:51:04 -07:00
addr.h tipc: introduce new unified address type for internal use 2021-03-17 11:51:04 -07:00
bcast.c net: tipc: fix FB_MTU eat two pages 2021-06-28 13:31:57 -07:00
bcast.h
bearer.c tipc: fix kernel panic when enabling bearer 2022-03-04 13:19:13 +00:00
bearer.h tipc: constify dev_addr passing 2021-10-13 09:40:46 -07:00
core.c tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
core.h tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
crypto.c tipc: fix a bit overflow in tipc_crypto_key_rcv() 2022-02-13 12:12:25 +00:00
crypto.h net/tipc: fix tipc header files for kernel-doc 2020-12-01 15:37:41 -08:00
diag.c
discover.c tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
discover.h
eth_media.c tipc: constify dev_addr passing 2021-10-13 09:40:46 -07:00
group.c tipc: update address terminology in code 2020-11-27 17:34:01 -08:00
group.h tipc: update address terminology in code 2020-11-27 17:34:01 -08:00
ib_media.c tipc: constify dev_addr passing 2021-10-13 09:40:46 -07:00
Kconfig
link.c tipc: improve size validations for received domain records 2022-02-10 05:37:44 -08:00
link.h tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
Makefile
monitor.c tipc: improve size validations for received domain records 2022-02-10 05:37:44 -08:00
monitor.h
msg.c net: tipc: replace align() with ALIGN in msg.c 2021-06-28 13:31:57 -07:00
msg.h net: tipc: fix FB_MTU eat two pages 2021-06-28 13:31:57 -07:00
name_distr.c tipc: rate limit warning for received illegal binding update 2022-02-09 12:48:22 +00:00
name_distr.h net/tipc: fix tipc header files for kernel-doc 2020-12-01 15:37:41 -08:00
name_table.c tipc: Fix end of loop tests for list_for_each_entry() 2022-02-23 12:35:40 +00:00
name_table.h tipc: simplify handling of lookup scope during multicast message reception 2021-06-03 14:06:39 -07:00
net.c tipc: simplify the finalize work queue 2021-05-18 13:22:09 -07:00
net.h
netlink_compat.c tipc: convert dest node's address to network order 2021-03-11 18:06:54 -08:00
netlink.c
netlink.h
node.c tipc: fix wrong notification node addresses 2022-02-16 20:44:40 -08:00
node.h
socket.c tipc: Fix end of loop tests for list_for_each_entry() 2022-02-23 12:35:40 +00:00
socket.h tipc: add stricter control of reserved service types 2020-10-30 08:19:18 -07:00
subscr.c tipc:subscr.c: fix a spelling mistake 2021-06-10 13:48:43 -07:00
subscr.h tipc: fix htmldoc and smatch warnings 2021-03-29 16:28:50 -07:00
sysctl.c
topsrv.c tipc: update address terminology in code 2020-11-27 17:34:01 -08:00
topsrv.h
trace.c net/tipc: fix various kernel-doc warnings 2020-12-01 15:37:46 -08:00
trace.h
udp_media.c tipc: wait and exit until all work queues are done 2021-05-17 14:07:48 -07:00
udp_media.h