can: Fix kernel panic at security_sock_rcv_skb

[ Upstream commit f1712c73714088a7252d276a57126d56c7d37e64 ] Zhang Yanmin reported crashes [1] and provided a patch adding a synchronize_rcu() call in can_rx_unregister() The main problem seems that the sockets themselves are not RCU protected. If CAN uses RCU for delivery, then sockets should be freed only after one RCU grace period. Recent kernels could use sock_set_flag(sk, SOCK_RCU_FREE), but let's ease stable backports with the following fix instead. [1] BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff81495e25>] selinux_socket_sock_rcv_skb+0x65/0x2a0 Call Trace: <IRQ> [<ffffffff81485d8c>] security_sock_rcv_skb+0x4c/0x60 [<ffffffff81d55771>] sk_filter+0x41/0x210 [<ffffffff81d12913>] sock_queue_rcv_skb+0x53/0x3a0 [<ffffffff81f0a2b3>] raw_rcv+0x2a3/0x3c0 [<ffffffff81f06eab>] can_rcv_filter+0x12b/0x370 [<ffffffff81f07af9>] can_receive+0xd9/0x120 [<ffffffff81f07beb>] can_rcv+0xab/0x100 [<ffffffff81d362ac>] __netif_receive_skb_core+0xd8c/0x11f0 [<ffffffff81d36734>] __netif_receive_skb+0x24/0xb0 [<ffffffff81d37f67>] process_backlog+0x127/0x280 [<ffffffff81d36f7b>] net_rx_action+0x33b/0x4f0 [<ffffffff810c88d4>] __do_softirq+0x184/0x440 [<ffffffff81f9e86c>] do_softirq_own_stack+0x1c/0x30 <EOI> [<ffffffff810c76fb>] do_softirq.part.18+0x3b/0x40 [<ffffffff810c8bed>] do_softirq+0x1d/0x20 [<ffffffff81d30085>] netif_rx_ni+0xe5/0x110 [<ffffffff8199cc87>] slcan_receive_buf+0x507/0x520 [<ffffffff8167ef7c>] flush_to_ldisc+0x21c/0x230 [<ffffffff810e3baf>] process_one_work+0x24f/0x670 [<ffffffff810e44ed>] worker_thread+0x9d/0x6f0 [<ffffffff810e4450>] ? rescuer_thread+0x480/0x480 [<ffffffff810ebafc>] kthread+0x12c/0x150 [<ffffffff81f9ccef>] ret_from_fork+0x3f/0x70 Reported-by: Zhang Yanmin <yanmin.zhang@intel.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Eric Dumazet <edumazet@google.com> 2017-01-27 11:11:44 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-02-18 09:11:40 -0500
commit: adf86d59bb9b08d9eb67054251d29484c5ec102c (patch)
tree: 936e15e292d0e10e72104aed6c79304744395dff /net/can/gw.c
parent: 390caeedd4fdb95b2225768305d163c291f21b5a (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/can/gw.c b/net/can/gw.c
index 455168718c2e..77c8af4047ef 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -442,7 +442,7 @@ static inline int cgw_register_filter(struct cgw_job *gwj)
 {
        return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,
                               gwj->ccgw.filter.can_mask, can_can_gw_rcv,
-                               gwj, "gw");
+                               gwj, "gw", NULL);
 }
 static inline void cgw_unregister_filter(struct cgw_job *gwj)
author	Eric Dumazet <edumazet@google.com>	2017-01-27 11:11:44 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-02-18 09:11:40 -0500
commit	adf86d59bb9b08d9eb67054251d29484c5ec102c (patch)
tree	936e15e292d0e10e72104aed6c79304744395dff /net/can/gw.c
parent	390caeedd4fdb95b2225768305d163c291f21b5a (diff)

diff --git a/net/can/gw.c b/net/can/gw.c index 455168718c2e..77c8af4047ef 100644 --- a/net/can/gw.c +++ b/net/can/gw.c
@@ -442,7 +442,7 @@ static inline int cgw_register_filter(struct cgw_job *gwj)
442	{	442	{
443	return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,	443	return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,
444	gwj->ccgw.filter.can_mask, can_can_gw_rcv,	444	gwj->ccgw.filter.can_mask, can_can_gw_rcv,
445	gwj, "gw");	445	gwj, "gw", NULL);
446	}	446	}
447		447
448	static inline void cgw_unregister_filter(struct cgw_job *gwj)	448	static inline void cgw_unregister_filter(struct cgw_job *gwj)