linux/drivers/net
Nikolay Aleksandrov 7f109f7cc3 vrf: fix double free and memory corruption on register_netdevice failure
When vrf's ->newlink is called, if register_netdevice() fails then it
does free_netdev(), but that's also done by rtnl_newlink() so a second
free happens and memory gets corrupted, to reproduce execute the
following line a couple of times (1 - 5 usually is enough):
$ for i in `seq 1 5`; do ip link add vrf: type vrf table 1; done;
This works because we fail in register_netdevice() because of the wrong
name "vrf:".

And here's a trace of one crash:
[   28.792157] ------------[ cut here ]------------
[   28.792407] kernel BUG at fs/namei.c:246!
[   28.792608] invalid opcode: 0000 [#1] SMP
[   28.793240] Modules linked in: vrf nfsd auth_rpcgss oid_registry
nfs_acl nfs lockd grace sunrpc crct10dif_pclmul crc32_pclmul
crc32c_intel qxl drm_kms_helper ttm drm aesni_intel aes_x86_64 psmouse
glue_helper lrw evdev gf128mul i2c_piix4 ablk_helper cryptd ppdev
parport_pc parport serio_raw pcspkr virtio_balloon virtio_console
i2c_core acpi_cpufreq button 9pnet_virtio 9p 9pnet fscache ipv6 autofs4
ext4 crc16 mbcache jbd2 virtio_blk virtio_net sg sr_mod cdrom
ata_generic ehci_pci uhci_hcd ehci_hcd e1000 usbcore usb_common ata_piix
libata virtio_pci virtio_ring virtio scsi_mod floppy
[   28.796016] CPU: 0 PID: 1148 Comm: ld-linux-x86-64 Not tainted
4.4.0-rc1+ #24
[   28.796016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.8.1-20150318_183358- 04/01/2014
[   28.796016] task: ffff8800352561c0 ti: ffff88003592c000 task.ti:
ffff88003592c000
[   28.796016] RIP: 0010:[<ffffffff812187b3>]  [<ffffffff812187b3>]
putname+0x43/0x60
[   28.796016] RSP: 0018:ffff88003592fe88  EFLAGS: 00010246
[   28.796016] RAX: 0000000000000000 RBX: ffff8800352561c0 RCX:
0000000000000001
[   28.796016] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
ffff88003784f000
[   28.796016] RBP: ffff88003592ff08 R08: 0000000000000001 R09:
0000000000000000
[   28.796016] R10: 0000000000000000 R11: 0000000000000001 R12:
0000000000000000
[   28.796016] R13: 000000000000047c R14: ffff88003784f000 R15:
ffff8800358c4a00
[   28.796016] FS:  0000000000000000(0000) GS:ffff88003fc00000(0000)
knlGS:0000000000000000
[   28.796016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   28.796016] CR2: 00007ffd583bc2d9 CR3: 0000000035a99000 CR4:
00000000000406f0
[   28.796016] Stack:
[   28.796016]  ffffffff8121045d ffffffff812102d3 ffff8800352561c0
ffff880035a91660
[   28.796016]  ffff8800008a9880 0000000000000000 ffffffff81a49940
00ffffff81218684
[   28.796016]  ffff8800352561c0 000000000000047c 0000000000000000
ffff880035b36d80
[   28.796016] Call Trace:
[   28.796016]  [<ffffffff8121045d>] ?
do_execveat_common.isra.34+0x74d/0x930
[   28.796016]  [<ffffffff812102d3>] ?
do_execveat_common.isra.34+0x5c3/0x930
[   28.796016]  [<ffffffff8121066c>] do_execve+0x2c/0x30
[   28.796016]  [<ffffffff810939a0>]
call_usermodehelper_exec_async+0xf0/0x140
[   28.796016]  [<ffffffff810938b0>] ? umh_complete+0x40/0x40
[   28.796016]  [<ffffffff815cb1af>] ret_from_fork+0x3f/0x70
[   28.796016] Code: 48 8d 47 1c 48 89 e5 53 48 8b 37 48 89 fb 48 39 c6
74 1a 48 8b 3d 7e e9 8f 00 e8 49 fa fc ff 48 89 df e8 f1 01 fd ff 5b 5d
f3 c3 <0f> 0b 48 89 fe 48 8b 3d 61 e9 8f 00 e8 2c fa fc ff 5b 5d eb e9
[   28.796016] RIP  [<ffffffff812187b3>] putname+0x43/0x60
[   28.796016]  RSP <ffff88003592fe88>

Fixes: 193125dbd8 ("net: Introduce VRF device driver")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-11-23 17:52:46 -05:00
..
appletalk
arcnet arcnet/com20020: add LEDS_CLASS dependency 2015-11-03 11:29:56 -05:00
bonding bonding: fix panic on non-ARPHRD_ETHER enslave failure 2015-11-07 13:17:32 -05:00
caif net: caif: check return value of alloc_netdev 2015-11-09 11:31:13 -05:00
can spi: Updates for v4.4 2015-11-05 13:15:12 -08:00
cris
dsa net: dsa: mv88e6060: replace magic values with register defines 2015-11-15 20:16:16 -05:00
ethernet net: fsl: expands dependencies of NET_VENDOR_FREESCALE 2015-11-23 12:11:58 -05:00
fddi
fjes fjes: fix inconsistent indenting 2015-11-15 17:09:23 -05:00
hamradio Merge branch 'x86/urgent' into x86/asm to fix up conflicts and to pick up fixes 2015-08-18 09:39:47 +02:00
hippi
hyperv flow_dissector: Add flags argument to skb_flow_dissector functions 2015-09-01 15:06:22 -07:00
ieee802154 spi: Updates for v4.4 2015-11-05 13:15:12 -08:00
ipvlan ipvlan: fix use after free of skb 2015-11-17 14:39:29 -05:00
irda net: irda: pxaficp_ir: dmaengine conversion 2015-09-28 22:32:48 -07:00
phy net: phy: Use interrupts when available in NOLINK state 2015-11-17 15:25:44 -05:00
plip
ppp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-11-03 13:41:45 -05:00
slip ppp, slip: Validate VJ compression slot parameters completely 2015-11-02 16:25:00 -05:00
team net: team: convert to using IFF_NO_QUEUE 2015-08-18 11:55:05 -07:00
usb net: qmi_wwan: add XS Stick W100-2 from 4G Systems 2015-11-18 23:01:32 -05:00
vmxnet3 Driver: Vmxnet3: Fix use of mfTableLen for big endian architectures 2015-11-16 15:06:47 -05:00
wan hdlc: fix null-deref on allocation failure 2015-11-18 14:58:03 -05:00
wimax
wireless rtlwifi: rtl8821ae: Fix lockups on boot 2015-11-17 15:58:53 +02:00
xen-netback xen: features for 4.4-rc0 2015-11-04 17:32:42 -08:00
dummy.c net: dummy: add more features 2015-10-21 19:36:10 -07:00
eql.c
geneve.c geneve: add IPv6 bits to geneve_fill_metadata_dst 2015-10-30 12:10:54 +09:00
ifb.c
Kconfig net: Add IPv6 support to VRF device 2015-10-13 04:55:07 -07:00
LICENSE.SRC
loopback.c net: loopback: convert to using IFF_NO_QUEUE 2015-08-18 11:55:05 -07:00
macvlan.c macvlan: fix leak in macvlan_handle_frame 2015-11-17 14:39:29 -05:00
macvtap.c macvtap: Resolve possible __might_sleep warning in macvtap_do_read() 2015-11-09 12:04:44 -05:00
Makefile fjes: Introduce FUJITSU Extended Socket Network Device driver 2015-08-24 14:06:33 -07:00
mdio.c
mii.c
netconsole.c netconsole: use per-attribute show and store methods 2015-10-13 22:17:51 -07:00
nlmon.c net: nlmon: convert to using IFF_NO_QUEUE 2015-08-18 11:55:05 -07:00
ntb_netdev.c NTB: Add flow control to the ntb_netdev 2015-09-07 15:17:08 -04:00
rionet.c
sb1000.c
Space.c
sungem_phy.c
tun.c tun: use sk_fullsock() before reading sk->sk_tsflags 2015-10-12 19:45:48 -07:00
veth.c net: veth: enable noqueue operation by default 2015-08-18 11:55:04 -07:00
virtio_net.c virtio-net: avoid unnecessary sg initialzation 2015-08-27 15:51:45 -07:00
vrf.c vrf: fix double free and memory corruption on register_netdevice failure 2015-11-23 17:52:46 -05:00
vxlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
xen-netfront.c xen: features for 4.4-rc0 2015-11-04 17:32:42 -08:00