mirror of
https://github.com/FEX-Emu/linux.git
synced 2025-01-03 07:41:40 +00:00
2bec5a369e
When the fib size exceeds what can be dumped in a single skb, the dump is suspended and resumed once the last skb has been received by userspace. When the fib is changed while the dump is suspended, the walker might contain stale pointers, causing a crash when the dump is resumed. BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 IP: [<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6] PGD 5347a067 PUD 65c7067 PMD 0 Oops: 0000 [#1] PREEMPT SMP ... RIP: 0010:[<ffffffffa01bce04>] [<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6] ... Call Trace: [<ffffffff8104aca3>] ? mutex_spin_on_owner+0x59/0x71 [<ffffffffa01bd105>] inet6_dump_fib+0x11b/0x1b9 [ipv6] [<ffffffff81371af4>] netlink_dump+0x5b/0x19e [<ffffffff8134f288>] ? consume_skb+0x28/0x2a [<ffffffff81373b69>] netlink_recvmsg+0x1ab/0x2c6 [<ffffffff81372781>] ? netlink_unicast+0xfa/0x151 [<ffffffff813483e0>] __sock_recvmsg+0x6d/0x79 [<ffffffff81348a53>] sock_recvmsg+0xca/0xe3 [<ffffffff81066d4b>] ? autoremove_wake_function+0x0/0x38 [<ffffffff811ed1f8>] ? radix_tree_lookup_slot+0xe/0x10 [<ffffffff810b3ed7>] ? find_get_page+0x90/0xa5 [<ffffffff810b5dc5>] ? filemap_fault+0x201/0x34f [<ffffffff810ef152>] ? fget_light+0x2f/0xac [<ffffffff813519e7>] ? verify_iovec+0x4f/0x94 [<ffffffff81349a65>] sys_recvmsg+0x14d/0x223 Store the serial number when beginning to walk the fib and reload pointers when continuing to walk after a change occured. Similar to other dumping functions, this might cause unrelated entries to be missed when entries are deleted. Tested-by: Ben Greear <greearb@candelatech.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| 9p | ||
| bluetooth | ||
| irda | ||
| iucv | ||
| netfilter | ||
| netns | ||
| phonet | ||
| sctp | ||
| tc_act | ||
| tipc | ||
| act_api.h | ||
| addrconf.h | ||
| af_ieee802154.h | ||
| af_rxrpc.h | ||
| af_unix.h | ||
| ah.h | ||
| arp.h | ||
| atmclip.h | ||
| ax25.h | ||
| ax88796.h | ||
| cfg80211.h | ||
| checksum.h | ||
| cipso_ipv4.h | ||
| compat.h | ||
| datalink.h | ||
| dcbnl.h | ||
| dn_dev.h | ||
| dn_fib.h | ||
| dn_neigh.h | ||
| dn_nsp.h | ||
| dn_route.h | ||
| dn.h | ||
| dsa.h | ||
| dsfield.h | ||
| dst_ops.h | ||
| dst.h | ||
| esp.h | ||
| ethoc.h | ||
| fib_rules.h | ||
| flow.h | ||
| garp.h | ||
| gen_stats.h | ||
| genetlink.h | ||
| icmp.h | ||
| ieee80211_radiotap.h | ||
| ieee802154_netdev.h | ||
| ieee802154.h | ||
| if_inet6.h | ||
| inet6_connection_sock.h | ||
| inet6_hashtables.h | ||
| inet_common.h | ||
| inet_connection_sock.h | ||
| inet_ecn.h | ||
| inet_frag.h | ||
| inet_hashtables.h | ||
| inet_sock.h | ||
| inet_timewait_sock.h | ||
| inetpeer.h | ||
| ip6_checksum.h | ||
| ip6_fib.h | ||
| ip6_route.h | ||
| ip6_tunnel.h | ||
| ip_fib.h | ||
| ip_vs.h | ||
| ip.h | ||
| ipcomp.h | ||
| ipconfig.h | ||
| ipip.h | ||
| ipv6.h | ||
| ipx.h | ||
| iw_handler.h | ||
| lapb.h | ||
| lib80211.h | ||
| llc_c_ac.h | ||
| llc_c_ev.h | ||
| llc_c_st.h | ||
| llc_conn.h | ||
| llc_if.h | ||
| llc_pdu.h | ||
| llc_s_ac.h | ||
| llc_s_ev.h | ||
| llc_s_st.h | ||
| llc_sap.h | ||
| llc.h | ||
| mac80211.h | ||
| mip6.h | ||
| ndisc.h | ||
| neighbour.h | ||
| net_namespace.h | ||
| netdma.h | ||
| netevent.h | ||
| netlabel.h | ||
| netlink.h | ||
| netrom.h | ||
| nexthop.h | ||
| nl802154.h | ||
| p8022.h | ||
| pkt_cls.h | ||
| pkt_sched.h | ||
| protocol.h | ||
| psnap.h | ||
| raw.h | ||
| rawv6.h | ||
| red.h | ||
| regulatory.h | ||
| request_sock.h | ||
| rose.h | ||
| route.h | ||
| rtnetlink.h | ||
| sch_generic.h | ||
| scm.h | ||
| slhc_vj.h | ||
| snmp.h | ||
| sock.h | ||
| stp.h | ||
| tcp_states.h | ||
| tcp.h | ||
| timewait_sock.h | ||
| transp_v6.h | ||
| udp.h | ||
| udplite.h | ||
| wext.h | ||
| wimax.h | ||
| wpan-phy.h | ||
| x25.h | ||
| x25device.h | ||
| xfrm.h | ||