ipv6: fib: fix crash when changing large fib while dumping it
When the fib size exceeds what can be dumped in a single skb, the
dump is suspended and resumed once the last skb has been received
by userspace. When the fib is changed while the dump is suspended,
the walker might contain stale pointers, causing a crash when the
dump is resumed.
BUG: unable to handle kernel NULL pointer dereference at
0000000000000018
IP: [<
ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
PGD
5347a067 PUD
65c7067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
...
RIP: 0010:[<
ffffffffa01bce04>]
[<
ffffffffa01bce04>] fib6_walk_continue+0xbb/0x124 [ipv6]
...
Call Trace:
[<
ffffffff8104aca3>] ? mutex_spin_on_owner+0x59/0x71
[<
ffffffffa01bd105>] inet6_dump_fib+0x11b/0x1b9 [ipv6]
[<
ffffffff81371af4>] netlink_dump+0x5b/0x19e
[<
ffffffff8134f288>] ? consume_skb+0x28/0x2a
[<
ffffffff81373b69>] netlink_recvmsg+0x1ab/0x2c6
[<
ffffffff81372781>] ? netlink_unicast+0xfa/0x151
[<
ffffffff813483e0>] __sock_recvmsg+0x6d/0x79
[<
ffffffff81348a53>] sock_recvmsg+0xca/0xe3
[<
ffffffff81066d4b>] ? autoremove_wake_function+0x0/0x38
[<
ffffffff811ed1f8>] ? radix_tree_lookup_slot+0xe/0x10
[<
ffffffff810b3ed7>] ? find_get_page+0x90/0xa5
[<
ffffffff810b5dc5>] ? filemap_fault+0x201/0x34f
[<
ffffffff810ef152>] ? fget_light+0x2f/0xac
[<
ffffffff813519e7>] ? verify_iovec+0x4f/0x94
[<
ffffffff81349a65>] sys_recvmsg+0x14d/0x223
Store the serial number when beginning to walk the fib and reload
pointers when continuing to walk after a change occured. Similar
to other dumping functions, this might cause unrelated entries to
be missed when entries are deleted.
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
projects / kernel.git / commit