diff options
| author | Junwei Hu <hujunwei4@huawei.com> | 2019-05-16 10:51:15 +0800 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-05-16 12:25:02 -0700 |
| commit | 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 (patch) | |
| tree | 79a25be33c426c2ee802da089de94365cd5fde60 /kernel | |
| parent | 61fb0d01680771f72cc9d39783fb2c122aaad51e (diff) | |
| download | lwn-7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8.tar.gz lwn-7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8.zip | |
tipc: switch order of device registration to fix a crash
When tipc is loaded while many processes try to create a TIPC socket,
a crash occurs:
PANIC: Unable to handle kernel paging request at virtual
address "dfff20000000021d"
pc : tipc_sk_create+0x374/0x1180 [tipc]
lr : tipc_sk_create+0x374/0x1180 [tipc]
Exception class = DABT (current EL), IL = 32 bits
Call trace:
tipc_sk_create+0x374/0x1180 [tipc]
__sock_create+0x1cc/0x408
__sys_socket+0xec/0x1f0
__arm64_sys_socket+0x74/0xa8
...
This is due to race between sock_create and unfinished
register_pernet_device. tipc_sk_insert tries to do
"net_generic(net, tipc_net_id)".
but tipc_net_id is not initialized yet.
So switch the order of the two to close the race.
This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
and one process doing module removal.
Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Reported-by: Wang Wang <wangwang2@huawei.com>
Reviewed-by: Xiaogang Wang <wangxiaogang3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel')
0 files changed, 0 insertions, 0 deletions