[PATCH 4.7 006/184] ipv4: panic in leaf_walk_rcu due to stale node pointer

2016-09-22 Thread Greg Kroah-Hartman
4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: David Forster 


[ Upstream commit 94d9f1c5906b20053efe375b6d66610bca4b8b64 ]

Panic occurs when issuing "cat /proc/net/route" whilst
populating FIB with > 1M routes.

Use of cached node pointer in fib_route_get_idx is unsafe.

 BUG: unable to handle kernel paging request at c90001630024
 IP: [] leaf_walk_rcu+0x10/0xe0
 PGD 11b08d067 PUD 11b08e067 PMD dac4b067 PTE 0
 Oops:  [#1] SMP
 Modules linked in: nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace fscac
 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep virti
 acpi_cpufreq button parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd
tio_ring virtio floppy uhci_hcd ehci_hcd usbcore usb_common libata scsi_mod
 CPU: 1 PID: 785 Comm: cat Not tainted 4.2.0-rc8+ #4
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
 task: 8800da1c0bc0 ti: 88011a05c000 task.ti: 88011a05c000
 RIP: 0010:[]  [] leaf_walk_rcu+0x10/0xe0
 RSP: 0018:88011a05fda0  EFLAGS: 00010202
 RAX: 8800d8a40c00 RBX: 8800da4af940 RCX: 88011a05ff20
 RDX: c90001630020 RSI: 01013531 RDI: 8800da4af950
 RBP:  R08: 8800da1f9a00 R09: 
 R10: 8800db45b7e4 R11: 0246 R12: 8800da4af950
 R13: 8800d97a74c0 R14:  R15: 8800d97a7480
 FS:  7fd3970e0700() GS:88011fd0() knlGS:
 CS:  0010 DS:  ES:  CR0: 8005003b
 CR2: c90001630024 CR3: 00011a7e4000 CR4: 06e0
 Stack:
  814d00d3  88011a05ff20 8800da1f9a00
  811dd8b9 0800 0002 7fd396f35000
  811f8714 3431 8138dce0 0f80
 Call Trace:
  [] ? fib_route_seq_start+0x93/0xc0
  [] ? seq_read+0x149/0x380
  [] ? fsnotify+0x3b4/0x500
  [] ? process_echoes+0x70/0x70
  [] ? proc_reg_read+0x47/0x70
  [] ? __vfs_read+0x23/0xd0
  [] ? rw_verify_area+0x52/0xf0
  [] ? vfs_read+0x81/0x120
  [] ? SyS_read+0x42/0xa0
  [] ? entry_SYSCALL_64_fastpath+0x16/0x75
 Code: 48 85 c0 75 d8 f3 c3 31 c0 c3 f3 c3 66 66 66 66 66 66 2e 0f 1f 84 00 00
a 04 89 f0 33 02 44 89 c9 48 d3 e8 0f b6 4a 05 49 89
 RIP  [] leaf_walk_rcu+0x10/0xe0
  RSP 
 CR2: c90001630024

Signed-off-by: Dave Forster 
Acked-by: Alexander Duyck 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/fib_trie.c |8 ++--
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -2452,9 +2452,7 @@ struct fib_route_iter {
 static struct key_vector *fib_route_get_idx(struct fib_route_iter *iter,
loff_t pos)
 {
-   struct fib_table *tb = iter->main_tb;
struct key_vector *l, **tp = >tnode;
-   struct trie *t;
t_key key;
 
/* use cache location of next-to-find key */
@@ -2462,8 +2460,6 @@ static struct key_vector *fib_route_get_
pos -= iter->pos;
key = iter->key;
} else {
-   t = (struct trie *)tb->tb_data;
-   iter->tnode = t->kv;
iter->pos = 0;
key = 0;
}
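Review bot: With the reset removed from the `else` branch, fib_route_get_idx no longer assigns `iter->tnode` on any path, so it now depends on its caller having pointed it at the current trie root before each call, and nothing in the code records that. A comment above the function would keep a later caller from reintroducing the stale-pointer walk, for example `/* Caller must set iter->tnode to the current trie root before every call; only iter->pos and iter->key are cached between reads. */`. The existing `/* use cache location of next-to-find key */` comment remains accurate, since the cached key and position are plain values and not node pointers. The function's signature sits in the previous hunk and its body continues past this one.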
@@ -2504,12 +2500,12 @@ static void *fib_route_seq_start(struct
return NULL;
 
iter->main_tb = tb;
+   t = (struct trie *)tb->tb_data;
+   iter->tnode = t->kv;
 
if (*pos != 0)
return fib_route_get_idx(iter, *pos);
 
-   t = (struct trie *)tb->tb_data;
-   iter->tnode = t->kv;
iter->pos = 0;
iter->key = 0;
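Review bot: The two added lines that reload `iter->tnode` from `t->kv` ahead of the `*pos != 0` branch are the whole fix, yet they carry no comment explaining why the root must be refreshed on every start. Without one, the assignment looks like redundant work that could be moved back under the `*pos == 0` path. I would add `/* Re-read the root on every start: a node pointer kept from an earlier read may have been freed while the table was being modified. */` above them. Presumably the protection that keeps nodes alive is dropped between reads, but the locking is outside this hunk, so confirm the wording against the stop handler. fib_route_seq_start begins and ends outside the hunk.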
 




[PATCH 4.7 006/184] ipv4: panic in leaf_walk_rcu due to stale node pointer

2016-09-22 Thread Greg Kroah-Hartman
4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: David Forster 


[ Upstream commit 94d9f1c5906b20053efe375b6d66610bca4b8b64 ]

Panic occurs when issuing "cat /proc/net/route" whilst
populating FIB with > 1M routes.

Use of cached node pointer in fib_route_get_idx is unsafe.

 BUG: unable to handle kernel paging request at c90001630024
 IP: [] leaf_walk_rcu+0x10/0xe0
 PGD 11b08d067 PUD 11b08e067 PMD dac4b067 PTE 0
 Oops:  [#1] SMP
 Modules linked in: nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace fscac
 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep virti
 acpi_cpufreq button parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd
tio_ring virtio floppy uhci_hcd ehci_hcd usbcore usb_common libata scsi_mod
 CPU: 1 PID: 785 Comm: cat Not tainted 4.2.0-rc8+ #4
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
 task: 8800da1c0bc0 ti: 88011a05c000 task.ti: 88011a05c000
 RIP: 0010:[]  [] leaf_walk_rcu+0x10/0xe0
 RSP: 0018:88011a05fda0  EFLAGS: 00010202
 RAX: 8800d8a40c00 RBX: 8800da4af940 RCX: 88011a05ff20
 RDX: c90001630020 RSI: 01013531 RDI: 8800da4af950
 RBP:  R08: 8800da1f9a00 R09: 
 R10: 8800db45b7e4 R11: 0246 R12: 8800da4af950
 R13: 8800d97a74c0 R14:  R15: 8800d97a7480
 FS:  7fd3970e0700() GS:88011fd0() knlGS:
 CS:  0010 DS:  ES:  CR0: 8005003b
 CR2: c90001630024 CR3: 00011a7e4000 CR4: 06e0
 Stack:
  814d00d3  88011a05ff20 8800da1f9a00
  811dd8b9 0800 0002 7fd396f35000
  811f8714 3431 8138dce0 0f80
 Call Trace:
  [] ? fib_route_seq_start+0x93/0xc0
  [] ? seq_read+0x149/0x380
  [] ? fsnotify+0x3b4/0x500
  [] ? process_echoes+0x70/0x70
  [] ? proc_reg_read+0x47/0x70
  [] ? __vfs_read+0x23/0xd0
  [] ? rw_verify_area+0x52/0xf0
  [] ? vfs_read+0x81/0x120
  [] ? SyS_read+0x42/0xa0
  [] ? entry_SYSCALL_64_fastpath+0x16/0x75
 Code: 48 85 c0 75 d8 f3 c3 31 c0 c3 f3 c3 66 66 66 66 66 66 2e 0f 1f 84 00 00
a 04 89 f0 33 02 44 89 c9 48 d3 e8 0f b6 4a 05 49 89
 RIP  [] leaf_walk_rcu+0x10/0xe0
  RSP 
 CR2: c90001630024

Signed-off-by: Dave Forster 
Acked-by: Alexander Duyck 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/fib_trie.c |8 ++--
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -2452,9 +2452,7 @@ struct fib_route_iter {
 static struct key_vector *fib_route_get_idx(struct fib_route_iter *iter,
loff_t pos)
 {
-   struct fib_table *tb = iter->main_tb;
struct key_vector *l, **tp = >tnode;
-   struct trie *t;
t_key key;
 
/* use cache location of next-to-find key */
@@ -2462,8 +2460,6 @@ static struct key_vector *fib_route_get_
pos -= iter->pos;
key = iter->key;
} else {
-   t = (struct trie *)tb->tb_data;
-   iter->tnode = t->kv;
iter->pos = 0;
key = 0;
}
@@ -2504,12 +2500,12 @@ static void *fib_route_seq_start(struct
return NULL;
 
iter->main_tb = tb;
+   t = (struct trie *)tb->tb_data;
+   iter->tnode = t->kv;
 
if (*pos != 0)
return fib_route_get_idx(iter, *pos);
 
-   t = (struct trie *)tb->tb_data;
-   iter->tnode = t->kv;
iter->pos = 0;
iter->key = 0;