Message ID | 20150517213031.4ABD2480853@fruggeri-Arora18.sjc.aristanetworks.com
---|---
State | Awaiting Upstream, archived
Delegated to: | David Miller
On Sun, May 17, 2015 at 02:30:31PM -0700, Francesco Ruggeri wrote:
> nfnetlink_log_init registers netlink callback nfulnl_rcv_nl_event before
> registering the pernet_subsys, but the callback relies on data structures
> allocated by pernet init functions.
> When nfnetlink_log is loaded, if a netlink message is received after
> the netlink callback is registered but before the pernet_subsys is
> registered, the kernel will panic in the sequence
>
> nfulnl_rcv_nl_event
> nfnl_log_pernet
> net_generic
> BUG_ON(id == 0) where id is nfnl_log_net_id.
>
> The panic can be easily reproduced in 4.0.3 by:
>
> while true ;do modprobe nfnetlink_log ; rmmod nfnetlink_log ; done &
> while true ;do ip netns add dummy ; ip netns del dummy ; done &
>
> This patch moves register_pernet_subsys to earlier in nfnetlink_log_init.
>
> Notice that the BUG_ON hit in 4.0.3 was recently removed in 2591ffd308
> ["netns: remove BUG_ONs from net_generic()"].

I'm going to send a v2 of this patch with two changes:

* We have the same problem in nfnetlink_queue.
* Remove status = -ENOMEM as it is scratched soon thereafter.

Please, have a look at the patch I'll send after this and confirm this looks good to you.
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index 3ad9126..536ced5 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c @@ -1075,6 +1075,12 @@ static int __init nfnetlink_log_init(void) { int status = -ENOMEM; + status = register_pernet_subsys(&nfnl_log_net_ops); + if (status < 0) { + pr_err("failed to register pernet ops\n"); + goto out; + } + netlink_register_notifier(&nfulnl_rtnl_notifier); status = nfnetlink_subsys_register(&nfulnl_subsys); if (status < 0) { @@ -1088,28 +1094,23 @@ static int __init nfnetlink_log_init(void) goto cleanup_subsys; } - status = register_pernet_subsys(&nfnl_log_net_ops); - if (status < 0) { - pr_err("failed to register pernet ops\n"); - goto cleanup_logger; - } return status; -cleanup_logger: - nf_log_unregister(&nfulnl_logger); cleanup_subsys: nfnetlink_subsys_unregister(&nfulnl_subsys); cleanup_netlink_notifier: netlink_unregister_notifier(&nfulnl_rtnl_notifier); + unregister_pernet_subsys(&nfnl_log_net_ops); +out: return status; } static void __exit nfnetlink_log_fini(void) { - unregister_pernet_subsys(&nfnl_log_net_ops); nf_log_unregister(&nfulnl_logger); nfnetlink_subsys_unregister(&nfulnl_subsys); netlink_unregister_notifier(&nfulnl_rtnl_notifier); + unregister_pernet_subsys(&nfnl_log_net_ops); } MODULE_DESCRIPTION("netfilter userspace logging");
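Review bot: in the first hunk (`@@ -1075,6 +1075,12 @@`), the initializer `int status = -ENOMEM;` becomes dead code, because `status` is overwritten on the very next added line by `status = register_pernet_subsys(&nfnl_log_net_ops);`; declare it as plain `int status;` in v2 (the reply in this thread asks for the same). The early `goto out;` on failure is correct here since nothing has been registered yet, and placing the pernet registration before `netlink_register_notifier(&nfulnl_rtnl_notifier);` is what closes the window in which `nfulnl_rcv_nl_event` could run against per-net data that does not exist yet.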
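Review bot: in the second hunk (`@@ -1088,28 +1094,23 @@`), the unwind order is the important thing to check, and it is right: both the error path after `cleanup_netlink_notifier:` and `nfnetlink_log_fini()` now call `unregister_pernet_subsys(&nfnl_log_net_ops);` only after `netlink_unregister_notifier(&nfulnl_rtnl_notifier);`, the mirror image of the new init order, so no notifier callback can observe torn-down per-net state. Dropping the `cleanup_logger:` label and its `nf_log_unregister(&nfulnl_logger);` is consistent with the hunk, whose only `goto cleanup_logger;` is removed, but confirm no other jump to that label remains in the function, or the build will fail. The reply notes the same init ordering exists in nfnetlink_queue, so v2 should carry the equivalent reordering there.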
nfnetlink_log_init registers netlink callback nfulnl_rcv_nl_event before
registering the pernet_subsys, but the callback relies on data structures
allocated by pernet init functions.
When nfnetlink_log is loaded, if a netlink message is received after
the netlink callback is registered but before the pernet_subsys is
registered, the kernel will panic in the sequence

nfulnl_rcv_nl_event
nfnl_log_pernet
net_generic
BUG_ON(id == 0) where id is nfnl_log_net_id.

The panic can be easily reproduced in 4.0.3 by:

while true ;do modprobe nfnetlink_log ; rmmod nfnetlink_log ; done &
while true ;do ip netns add dummy ; ip netns del dummy ; done &

This patch moves register_pernet_subsys to earlier in nfnetlink_log_init.

Notice that the BUG_ON hit in 4.0.3 was recently removed in 2591ffd308
["netns: remove BUG_ONs from net_generic()"].

Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
---
 net/netfilter/nfnetlink_log.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)