1
linux/include/net
Patrick McHardy 2bec5a369e ipv6: fib: fix crash when changing large fib while dumping it
When the fib size exceeds what can be dumped in a single skb, the
dump is suspended and resumed once the last skb has been received
by userspace. When the fib is changed while the dump is suspended,
the walker might contain stale pointers, causing a crash when the
dump is resumed.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: [<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
PGD 5347a067 PUD 65c7067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
...
RIP: 0010:[<ffffffffa01bce04>]
[<ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
...
Call Trace:
 [<ffffffff8104aca3>] ? mutex_spin_on_owner+0x59/0x71
 [<ffffffffa01bd105>] inet6_dump_fib+0x11b/0x1b9 [ipv6]
 [<ffffffff81371af4>] netlink_dump+0x5b/0x19e
 [<ffffffff8134f288>] ? consume_skb+0x28/0x2a
 [<ffffffff81373b69>] netlink_recvmsg+0x1ab/0x2c6
 [<ffffffff81372781>] ? netlink_unicast+0xfa/0x151
 [<ffffffff813483e0>] __sock_recvmsg+0x6d/0x79
 [<ffffffff81348a53>] sock_recvmsg+0xca/0xe3
 [<ffffffff81066d4b>] ? autoremove_wake_function+0x0/0x38
 [<ffffffff811ed1f8>] ? radix_tree_lookup_slot+0xe/0x10
 [<ffffffff810b3ed7>] ? find_get_page+0x90/0xa5
 [<ffffffff810b5dc5>] ? filemap_fault+0x201/0x34f
 [<ffffffff810ef152>] ? fget_light+0x2f/0xac
 [<ffffffff813519e7>] ? verify_iovec+0x4f/0x94
 [<ffffffff81349a65>] sys_recvmsg+0x14d/0x223

Store the serial number when beginning to walk the fib and reload
pointers when continuing to walk after a change occured. Similar
to other dumping functions, this might cause unrelated entries to
be missed when entries are deleted.

Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-12 12:06:35 -08:00
..
9p 9p: fix readdir corner cases 2009-11-02 08:43:45 -06:00
bluetooth Bluetooth: Implement RejActioned flag 2009-12-03 19:34:24 +01:00
irda net: mark read-only arrays as const 2009-08-05 10:42:58 -07:00
iucv af_iucv: Return -EAGAIN if iucv msg limit is exceeded 2009-06-19 00:10:40 -07:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-12-16 10:33:18 -08:00
netns netfilter: nf_conntrack: fix hash resizing with namespaces 2010-02-08 11:18:07 -08:00
phonet Phonet: zero-copy GPRS TX 2010-01-07 00:24:55 -08:00
sctp Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
tc_act pkt_sched: skbedit add support for setting mark 2009-10-22 21:56:42 -07:00
tipc
act_api.h net: restore gnet_stats_basic to previous definition 2009-08-17 21:33:49 -07:00
addrconf.h bonding: remap muticast addresses without using dev_close() and dev_open() 2009-09-15 02:37:40 -07:00
af_ieee802154.h af_ieee802154: add support for WANT_ACK socket option 2009-08-12 21:54:50 -07:00
af_rxrpc.h
af_unix.h
ah.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
arp.h net: make neigh_ops constant 2009-09-01 17:40:57 -07:00
atmclip.h clip: convert to internal network_device_stats 2009-01-21 14:01:59 -08:00
ax25.h
ax88796.h ax88796: Add method to take MAC from platform data 2009-03-24 23:32:03 -07:00
cfg80211.h cfg80211: export cfg80211_find_ie 2010-01-26 11:53:20 -05:00
checksum.h
cipso_ipv4.h netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28 15:01:36 +11:00
compat.h net: fix compat_sys_recvmmsg parameter type 2009-12-11 15:07:56 -08:00
datalink.h
dcbnl.h dcbnl: Add support for setapp/getapp to netdev dcbnl_rtnl_ops 2009-09-01 01:24:30 -07:00
dn_dev.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2009-12-08 07:55:01 -08:00
dn_fib.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
dn_neigh.h
dn_nsp.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
dn_route.h
dn.h
dsa.h dsa: add switch chip cascading support 2009-03-21 19:06:54 -07:00
dsfield.h
dst_ops.h netns: embed ip6_dst_ops directly 2009-09-01 17:40:31 -07:00
dst.h net: Add rtnetlink init_rcvwnd to set the TCP initial receive window 2009-12-23 14:13:30 -08:00
esp.h
ethoc.h net: Add support for the OpenCores 10/100 Mbps Ethernet MAC. 2009-03-27 00:16:21 -07:00
fib_rules.h net: Allow fib_rule_unregister to batch 2009-12-03 12:22:55 -08:00
flow.h
garp.h
gen_stats.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
genetlink.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
icmp.h icmp: move icmp_err_convert[] to .rodata 2010-01-23 01:21:28 -08:00
ieee80211_radiotap.h mac80211: fix radiotap header generation 2009-10-30 16:49:20 -04:00
ieee802154_netdev.h ieee802154: add an mlme_ops call to retrieve PHY object 2009-11-06 14:32:18 +03:00
ieee802154.h ieee802154: move headers out of extra directory 2009-07-23 17:08:51 +04:00
if_inet6.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
inet6_connection_sock.h
inet6_hashtables.h tcp: Fix a connect() race with timewait sockets 2009-12-08 20:17:51 -08:00
inet_common.h
inet_connection_sock.h net: Make setsockopt() optlen be unsigned. 2009-09-30 16:12:20 -07:00
inet_ecn.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
inet_frag.h inet fragments: fix sparse warning: context imbalance 2009-02-26 23:13:35 -08:00
inet_hashtables.h tcp: Fix a connect() race with timewait sockets 2009-12-08 20:17:51 -08:00
inet_sock.h tcp: Generalized TTL Security Mechanism 2010-01-11 16:28:01 -08:00
inet_timewait_sock.h tcp: Fix a connect() race with timewait sockets 2009-12-08 20:17:51 -08:00
inetpeer.h inetpeer: Optimize inet_getid() 2009-11-13 20:46:58 -08:00
ip6_checksum.h
ip6_fib.h ipv6: fib: fix crash when changing large fib while dumping it 2010-02-12 12:06:35 -08:00
ip6_route.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
ip6_tunnel.h
ip_fib.h Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-11-06 00:55:55 -08:00
ip_vs.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
ip.h net: fix build erros with CONFIG_BUG=n, CONFIG_GENERIC_BUG=n 2010-01-13 18:10:36 -08:00
ipcomp.h
ipconfig.h
ipip.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
ipv6.h netfilter: fix crashes in bridge netfilter caused by fragment jumps 2009-12-15 16:59:59 +01:00
ipx.h net: replace __constant_{endian} uses in net headers 2009-02-14 22:58:35 -08:00
iw_handler.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
lapb.h
lib80211.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h llc: use a device based hash table to speed up multicast delivery 2009-12-26 20:43:57 -08:00
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h llc: convert llc_sap_list to RCU 2009-12-26 20:46:28 -08:00
mac80211.h mac80211: fix monitor mode tx radiotap header handling 2010-02-01 15:40:08 -05:00
mip6.h
ndisc.h sysctl: remove "struct file *" argument of ->proc_handler 2009-09-24 07:21:04 -07:00
neighbour.h Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2009-12-14 09:58:24 -08:00
net_namespace.h net: Add support for batching network namespace cleanups 2009-12-03 12:22:01 -08:00
netdma.h net_dma: convert to dma_find_channel 2009-01-06 11:38:15 -07:00
netevent.h
netlabel.h netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections 2009-03-28 15:01:37 +11:00
netlink.h netlink: constify nlmsghdr arguments 2009-08-25 16:07:40 +02:00
netrom.h ax25: netrom: rose: Fix timer oopses 2010-01-16 01:04:04 -08:00
nexthop.h
nl802154.h ieee802154: add support for channel pages from IEEE 802.15.4-2006 2009-08-19 23:08:22 +04:00
p8022.h
pkt_cls.h net: rename skb->iif to skb->skb_iif 2009-11-20 15:35:04 -08:00
pkt_sched.h sched: add head drop fifo queue 2010-01-28 21:27:00 -08:00
protocol.h net: drop capability from protocol definitions 2009-11-05 21:40:17 -08:00
psnap.h snap: use const for descriptor 2009-03-21 19:06:50 -07:00
raw.h
rawv6.h ipv6: Use correct data types for ICMPv6 type and code 2009-06-23 04:31:07 -07:00
red.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
regulatory.h cfg80211: add regulatory hint disconnect support 2010-02-01 15:40:06 -05:00
request_sock.h tcp: account SYN-ACK timeouts & retransmissions 2010-01-17 19:09:39 -08:00
rose.h NET: ROSE: Don't use static buffer. 2009-07-26 19:11:14 -07:00
route.h net: NETDEV_UNREGISTER_PERNET -> NETDEV_UNREGISTER_BATCH 2009-12-01 16:15:50 -08:00
rtnetlink.h net: Support specifying the network namespace upon device creation. 2009-11-08 00:53:51 -08:00
sch_generic.h sched: add head drop fifo queue 2010-01-28 21:27:00 -08:00
scm.h net: cleanup include/net 2009-11-04 05:06:25 -08:00
slhc_vj.h
snmp.h net: constify MIB name tables 2010-01-23 01:21:27 -08:00
sock.h net: add a wrapper sk_entry() 2010-02-10 11:12:07 -08:00
stp.h
tcp_states.h
tcp.h tcp: account SYN-ACK timeouts & retransmissions 2010-01-17 19:09:39 -08:00
timewait_sock.h
transp_v6.h inet: inet_connection_sock_af_ops const 2009-09-02 01:03:49 -07:00
udp.h udp: bind() optimisation 2009-11-10 20:54:38 -08:00
udplite.h
wext.h wext: refactor 2009-10-07 16:39:43 -04:00
wimax.h Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
wpan-phy.h ieee802154: add support for creation/removal of logic interfaces 2009-11-06 14:32:24 +03:00
x25.h X25: Move SYSCTL ifdefs into header 2009-11-29 00:24:59 -08:00
x25device.h
xfrm.h netns xfrm: xfrm6_tunnel in netns 2010-01-28 06:31:05 -08:00