linux/drivers/net
Girish Moodalbail dea6e19f4e tap: reference to KVA of an unloaded module causes kernel panic
The commit 9a393b5d59 ("tap: tap as an independent module") created a
separate tap module that implements tap functionality and exports
interfaces that will be used by macvtap and ipvtap modules to create
respective tap devices.

However, that patch introduced a regression wherein the modules macvtap
and ipvtap can be removed (through modprobe -r) while there are
applications using the respective /dev/tapX devices. These applications
cause the kernel to hold a reference to /dev/tapX through 'struct cdev
macvtap_cdev' and 'struct cdev ipvtap_dev' defined in macvtap and ipvtap
modules respectively. So, when the application is later closed the
kernel panics because we are referencing KVA that is present in the
unloaded modules.

----------8<------- Example ----------8<----------
$ sudo ip li add name mv0 link enp7s0 type macvtap
$ sudo ip li show mv0 |grep mv0| awk -e '{print $1 $2}'
  14:mv0@enp7s0:
$ cat /dev/tap14 &
$ lsmod |egrep -i 'tap|vlan'
macvtap                16384  0
macvlan                24576  1 macvtap
tap                    24576  3 macvtap
$ sudo modprobe -r macvtap
$ fg
cat /dev/tap14
^C

<...system panics...>
BUG: unable to handle kernel paging request at ffffffffa038c500
IP: cdev_put+0xf/0x30
----------8<-----------------8<----------

The fix is to set cdev.owner to the module that creates the tap device
(either macvtap or ipvtap). With this set, the operations (in
fs/char_dev.c) on the char device hold and release the module through
cdev_get() and cdev_put() and will not allow the module to unload
prematurely.

Fixes: 9a393b5d59 (tap: tap as an independent module)
Signed-off-by: Girish Moodalbail <girish.moodalbail@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-28 19:17:21 +09:00
..
appletalk
arcnet
bonding net: bonding: fix tlb_dynamic_lb default value 2017-09-12 20:58:12 -07:00
caif
can can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages 2017-10-24 13:00:36 +02:00
cris
dsa net: dsa: mv88e6060: fix switch MAC address 2017-10-14 18:40:03 -07:00
ethernet Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue 2017-10-28 00:05:34 +09:00
fddi net: defxx: constify eisa_device_id 2017-08-19 17:13:41 -07:00
fjes
hamradio hamradio: baycom: make hdlcdrv_ops const 2017-08-07 14:26:46 -07:00
hippi
hyperv hv_netvsc: fix send buffer failure on MTU change 2017-09-21 15:17:16 -07:00
ieee802154 ieee802154: ca8210: Fix a potential NULL pointer dereference 2017-08-20 20:51:30 +02:00
ipvlan tap: reference to KVA of an unloaded module causes kernel panic 2017-10-28 19:17:21 +09:00
phy net: phy: Fix truncation of large IRQ numbers in phy_attached_print() 2017-09-21 20:35:17 -07:00
plip
ppp ppp: fix race in ppp device destruction 2017-10-06 10:16:34 -07:00
slip
team team: use a larger struct for mac address 2017-07-29 11:25:05 -07:00
usb cdc_ether: flag the Huawei ME906/ME909 as WWAN 2017-10-24 18:32:54 +09:00
vmxnet3
wan - For the randstruct plugin, enable automatic randomization of structures 2017-09-07 20:30:19 -07:00
wimax wimax/i2400m: Remove VLAIS 2017-10-10 12:35:05 -07:00
wireless iwlwifi: nvm: set the correct offsets to 3168 series 2017-10-06 13:59:44 +03:00
xen-netback xen-netfront, xen-netback: Use correct minimum MTU values 2017-10-16 16:00:44 -04:00
dummy.c
eql.c
geneve.c geneve: Fix function matching VNI and tunnel ID on big-endian 2017-10-21 02:50:42 +01:00
gtp.c gtp: Initialize 64-bit per-cpu stats correctly 2017-08-01 20:06:07 -07:00
ifb.c
Kconfig x86/lguest: Remove lguest support 2017-08-24 09:57:28 +02:00
LICENSE.SRC
loopback.c
macsec.c macsec: fix memory leaks when skb_to_sgvec fails 2017-10-11 14:07:20 -07:00
macvlan.c macvlan: add offload features for encapsulation 2017-08-18 16:06:54 -07:00
macvtap.c tap: reference to KVA of an unloaded module causes kernel panic 2017-10-28 19:17:21 +09:00
Makefile irda: move drivers/net/irda to drivers/staging/irda/drivers 2017-08-28 16:42:57 -07:00
mdio.c
mii.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c tap: reference to KVA of an unloaded module causes kernel panic 2017-10-28 19:17:21 +09:00
tun.c tuntap: properly align skb->head before building skb 2017-10-28 19:05:28 +09:00
veth.c
virtio_net.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
vrf.c net: vrf: avoid gcc-4.6 warning 2017-09-15 14:22:21 -07:00
vsockmon.c
vxlan.c vxlan: factor out VXLAN-GPE next protocol 2017-08-29 15:16:52 -07:00
xen-netfront.c xen-netfront, xen-netback: Use correct minimum MTU values 2017-10-16 16:00:44 -04:00