linux/net
Patrick McHardy 2bec5a369e ipv6: fib: fix crash when changing large fib while dumping it
When the fib size exceeds what can be dumped in a single skb, the
dump is suspended and resumed once the last skb has been received
by userspace. When the fib is changed while the dump is suspended,
the walker might contain stale pointers, causing a crash when the
dump is resumed.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
PGD 5347a067 PUD 65c7067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
...
RIP: 0010:[<ffffffffa01bce04>]
[<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
...
Call Trace:
 [<ffffffff8104aca3>] ? mutex_spin_on_owner+0x59/0x71
 [<ffffffffa01bd105>] inet6_dump_fib+0x11b/0x1b9 [ipv6]
 [<ffffffff81371af4>] netlink_dump+0x5b/0x19e
 [<ffffffff8134f288>] ? consume_skb+0x28/0x2a
 [<ffffffff81373b69>] netlink_recvmsg+0x1ab/0x2c6
 [<ffffffff81372781>] ? netlink_unicast+0xfa/0x151
 [<ffffffff813483e0>] __sock_recvmsg+0x6d/0x79
 [<ffffffff81348a53>] sock_recvmsg+0xca/0xe3
 [<ffffffff81066d4b>] ? autoremove_wake_function+0x0/0x38
 [<ffffffff811ed1f8>] ? radix_tree_lookup_slot+0xe/0x10
 [<ffffffff810b3ed7>] ? find_get_page+0x90/0xa5
 [<ffffffff810b5dc5>] ? filemap_fault+0x201/0x34f
 [<ffffffff810ef152>] ? fget_light+0x2f/0xac
 [<ffffffff813519e7>] ? verify_iovec+0x4f/0x94
 [<ffffffff81349a65>] sys_recvmsg+0x14d/0x223

Store the serial number when beginning to walk the fib and reload
pointers when continuing to walk after a change occurred. Similar
to other dumping functions, this might cause unrelated entries to
be missed when entries are deleted.

Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-12 12:06:35 -08:00
9p 9p connect fixes 2009-12-16 12:16:41 -05:00
802
8021q net: maintain namespace isolation between vlan and real device 2010-02-03 20:20:32 -08:00
appletalk net: appletalk: use seq_hlist_foo() helpers 2010-02-10 11:12:09 -08:00
atm net: atm: use seq_list_foo() helpers 2010-02-10 12:31:10 -08:00
ax25 net: ax25: use seq_hlist_foo() helpers 2010-02-10 11:12:09 -08:00
bluetooth net: use netdev_mc_count and netdev_mc_empty when appropriate 2010-02-12 11:38:58 -08:00
bridge bridge: Remove unused age_list 2010-02-04 20:28:48 -08:00
can can: deny filterlist access on non-CAN interfaces 2010-02-02 07:21:34 -08:00
core net: use netdev_mc_count and netdev_mc_empty when appropriate 2010-02-12 11:38:58 -08:00
dcb net: Move && and || to end of previous line 2009-11-29 16:55:45 -08:00
dccp dccp: allow probing of CCID-array length 2010-02-12 11:47:00 -08:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
dsa
econet net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ethernet llc: use dev_hard_header 2009-12-26 20:38:23 -08:00
ieee802154 net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
ipv4 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-02-09 11:44:44 -08:00
ipv6 ipv6: fib: fix crash when changing large fib while dumping it 2010-02-12 12:06:35 -08:00
ipx net: ipx: use seq_list_foo() helpers 2010-02-10 12:31:10 -08:00
irda net: use netdev_mc_count and netdev_mc_empty when appropriate 2010-02-12 11:38:58 -08:00
iucv const: constify remaining dev_pm_ops 2009-12-15 08:53:25 -08:00
key net: af_key: use seq_hlist_foo() helpers 2010-02-10 11:12:10 -08:00
lapb
llc llc: fix SAP reference counting w.r.t. socket handling 2009-12-26 20:47:23 -08:00
mac80211 net: use netdev_mc_count and netdev_mc_empty when appropriate 2010-02-12 11:38:58 -08:00
netfilter netfilter: nf_conntrack: fix hash resizing with namespaces 2010-02-08 11:18:07 -08:00
netlabel Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
netlink Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-02-03 19:38:22 -08:00
netrom net: netrom: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
packet net: packet: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
phonet net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
rds net/rds: remove uses of NIPQUAD, use %pI4 2010-02-03 20:16:48 -08:00
rfkill net/rfkill/core.c: work around gcc-4.0.2 silliness 2009-12-07 16:51:23 -05:00
rose net: rose: use seq_hlist_foo() helpers 2010-02-10 11:12:08 -08:00
rxrpc net: use net_eq to compare nets 2009-11-25 15:14:13 -08:00
sched Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-02-09 11:44:44 -08:00
sctp net: constify MIB name tables 2010-01-23 01:21:27 -08:00
sunrpc Merge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 2010-01-08 13:55:14 -08:00
tipc tipc: Clean up configuration file 2010-01-19 14:23:57 -08:00
unix net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
wanrouter
wimax Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2010-02-04 08:58:14 -08:00
x25 net: x25: use seq_list_foo() helpers 2010-02-10 11:12:10 -08:00
xfrm Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-01-28 06:12:38 -08:00
compat.c net: use compat helper functions in compat_sys_recvmmsg 2009-12-11 15:07:57 -08:00
Kconfig
Makefile
nonet.c
socket.c fs: no games with DCACHE_UNHASHED 2009-12-17 10:51:40 -05:00
sysctl_net.c net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
TUNABLE