diff options
| author | Eric Dumazet <edumazet@google.com> | 2017-01-27 11:11:44 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-02-18 09:11:40 -0500 |
| commit | adf86d59bb9b08d9eb67054251d29484c5ec102c (patch) | |
| tree | 936e15e292d0e10e72104aed6c79304744395dff /include/linux/can/core.h | |
| parent | 390caeedd4fdb95b2225768305d163c291f21b5a (diff) | |
can: Fix kernel panic at security_sock_rcv_skb
[ Upstream commit f1712c73714088a7252d276a57126d56c7d37e64 ]
Zhang Yanmin reported crashes [1] and provided a patch adding a
synchronize_rcu() call in can_rx_unregister()
The main problem seems that the sockets themselves are not RCU
protected.
If CAN uses RCU for delivery, then sockets should be freed only after
one RCU grace period.
Recent kernels could use sock_set_flag(sk, SOCK_RCU_FREE), but let's
ease stable backports with the following fix instead.
[1]
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81495e25>] selinux_socket_sock_rcv_skb+0x65/0x2a0
Call Trace:
<IRQ>
[<ffffffff81485d8c>] security_sock_rcv_skb+0x4c/0x60
[<ffffffff81d55771>] sk_filter+0x41/0x210
[<ffffffff81d12913>] sock_queue_rcv_skb+0x53/0x3a0
[<ffffffff81f0a2b3>] raw_rcv+0x2a3/0x3c0
[<ffffffff81f06eab>] can_rcv_filter+0x12b/0x370
[<ffffffff81f07af9>] can_receive+0xd9/0x120
[<ffffffff81f07beb>] can_rcv+0xab/0x100
[<ffffffff81d362ac>] __netif_receive_skb_core+0xd8c/0x11f0
[<ffffffff81d36734>] __netif_receive_skb+0x24/0xb0
[<ffffffff81d37f67>] process_backlog+0x127/0x280
[<ffffffff81d36f7b>] net_rx_action+0x33b/0x4f0
[<ffffffff810c88d4>] __do_softirq+0x184/0x440
[<ffffffff81f9e86c>] do_softirq_own_stack+0x1c/0x30
<EOI>
[<ffffffff810c76fb>] do_softirq.part.18+0x3b/0x40
[<ffffffff810c8bed>] do_softirq+0x1d/0x20
[<ffffffff81d30085>] netif_rx_ni+0xe5/0x110
[<ffffffff8199cc87>] slcan_receive_buf+0x507/0x520
[<ffffffff8167ef7c>] flush_to_ldisc+0x21c/0x230
[<ffffffff810e3baf>] process_one_work+0x24f/0x670
[<ffffffff810e44ed>] worker_thread+0x9d/0x6f0
[<ffffffff810e4450>] ? rescuer_thread+0x480/0x480
[<ffffffff810ebafc>] kthread+0x12c/0x150
[<ffffffff81f9ccef>] ret_from_fork+0x3f/0x70
Reported-by: Zhang Yanmin <yanmin.zhang@intel.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/linux/can/core.h')
| -rw-r--r-- | include/linux/can/core.h | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/include/linux/can/core.h b/include/linux/can/core.h index a0875001b13c..df08a41d5be5 100644 --- a/include/linux/can/core.h +++ b/include/linux/can/core.h | |||
| @@ -45,10 +45,9 @@ struct can_proto { | |||
| 45 | extern int can_proto_register(const struct can_proto *cp); | 45 | extern int can_proto_register(const struct can_proto *cp); |
| 46 | extern void can_proto_unregister(const struct can_proto *cp); | 46 | extern void can_proto_unregister(const struct can_proto *cp); |
| 47 | 47 | ||
| 48 | extern int can_rx_register(struct net_device *dev, canid_t can_id, | 48 | int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask, |
| 49 | canid_t mask, | 49 | void (*func)(struct sk_buff *, void *), |
| 50 | void (*func)(struct sk_buff *, void *), | 50 | void *data, char *ident, struct sock *sk); |
| 51 | void *data, char *ident); | ||
| 52 | 51 | ||
| 53 | extern void can_rx_unregister(struct net_device *dev, canid_t can_id, | 52 | extern void can_rx_unregister(struct net_device *dev, canid_t can_id, |
| 54 | canid_t mask, | 53 | canid_t mask, |