From 7dc00c82cbb0119cf4663f65bbaa2cc55f961db2 Mon Sep 17 00:00:00 2001 From: Wang Chen Date: Mon, 14 Jul 2008 20:56:34 -0700 Subject: [PATCH] ipv4: Fix ipmr unregister device oops An oops happens during device unregister. The following oops happened when I add two tunnels, which use a same device, and then delete one tunnel. Obviously deleting tunnel "A" causes device unregister, which send a notification, and after receiving notification, ipmr do unregister again for tunnel "B" which also use same device. That is wrong. After receiving notification, ipmr only needs to decrease reference count and don't do duplicated unregister. Fortunately, IPv6 side doesn't add tunnel in ip6mr, so it's clean. This patch fixs: - unregister device oops - using after dev_put() Here is the oops: === Jul 11 15:39:29 wangchen kernel: ------------[ cut here ]------------ Jul 11 15:39:29 wangchen kernel: kernel BUG at net/core/dev.c:3651! Jul 11 15:39:29 wangchen kernel: invalid opcode: 0000 [#1] Jul 11 15:39:29 wangchen kernel: Modules linked in: ipip tunnel4 nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs ipv6 snd_pcm_oss snd_mixer_oss snd_seq snd_seq_device af_packet binfmt_misc button battery ac loop dm_mod usbhid ff_memless pcmcia firmware_class ohci1394 8139too mii ieee1394 yenta_socket rsrc_nonstatic pcmcia_core ide_cd_mod cdrom snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm i2c_i801 snd_timer snd i2c_core soundcore snd_page_alloc rng_core shpchp ehci_hcd uhci_hcd pci_hotplug intel_agp agpgart usbcore ext3 jbd ata_piix ahci libata dock edd fan thermal processor thermal_sys piix sd_mod scsi_mod ide_disk ide_core [last unloaded: freq_table] Jul 11 15:39:29 wangchen kernel: Jul 11 15:39:29 wangchen kernel: Pid: 4102, comm: mroute Not tainted (2.6.26-rc9-default #69) Jul 11 15:39:29 wangchen kernel: EIP: 0060:[] EFLAGS: 00010202 CPU: 0 Jul 11 15:39:29 wangchen kernel: EIP is at rollback_registered+0x61/0xe3 Jul 11 15:39:29 wangchen kernel: EAX: 00000001 EBX: ecba6000 ECX: 00000000 EDX: ffffffff Jul 11 15:39:29 wangchen kernel: ESI: 00000001 EDI: ecba6000 EBP: c03de2e8 ESP: ed8e7c3c Jul 11 15:39:29 wangchen kernel: DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 Jul 11 15:39:29 wangchen kernel: Process mroute (pid: 4102, ti=ed8e6000 task=ed41e830 task.ti=ed8e6000) Jul 11 15:39:29 wangchen kernel: Stack: ecba6000 c024641c 00000028 c0284e1a 00000001 c03de2e8 ecba6000 eecff360 Jul 11 15:39:29 wangchen kernel: c0284e4c c03536f4 fffffff8 00000000 c029a819 ecba6000 00000006 ecba6000 Jul 11 15:39:29 wangchen kernel: 00000000 ecba6000 c03de2c0 c012841b ffffffff 00000000 c024639f ecba6000 Jul 11 15:39:29 wangchen kernel: Call Trace: Jul 11 15:39:29 wangchen kernel: [] unregister_netdevice+0x2f/0x51 Jul 11 15:39:29 wangchen kernel: [] vif_delete+0xaf/0xc3 Jul 11 15:39:29 wangchen kernel: [] ipmr_device_event+0x1e/0x30 Jul 11 15:39:29 wangchen kernel: [] notifier_call_chain+0x2a/0x47 Jul 11 15:39:29 wangchen kernel: [] raw_notifier_call_chain+0x9/0xc Jul 11 15:39:29 wangchen kernel: [] rollback_registered+0x95/0xe3 Jul 11 15:39:29 wangchen kernel: [] unregister_netdevice+0x2f/0x51 Jul 11 15:39:29 wangchen kernel: [] vif_delete+0xaf/0xc3 Jul 11 15:39:29 wangchen kernel: [] ip_mroute_setsockopt+0x47a/0x801 Jul 11 15:39:29 wangchen kernel: [] do_get_write_access+0x2df/0x313 [jbd] Jul 11 15:39:29 wangchen kernel: [] __find_get_block_slow+0xda/0xe4 Jul 11 15:39:29 wangchen kernel: [] __find_get_block+0xf8/0x122 Jul 11 15:39:29 wangchen kernel: [] __find_get_block+0xf8/0x122 Jul 11 15:39:29 wangchen kernel: [] journal_cancel_revoke+0xda/0x110 [jbd] Jul 11 15:39:29 wangchen kernel: [] ip_setsockopt+0xa9/0x9ee Jul 11 15:39:29 wangchen kernel: [] journal_cancel_revoke+0xda/0x110 [jbd] Jul 11 15:39:29 wangchen kernel: [] do_get_write_access+0x2df/0x313 [jbd] Jul 11 15:39:29 wangchen kernel: [] __ext3_get_inode_loc+0xcf/0x271 [ext3] Jul 11 15:39:29 wangchen kernel: [] __ext3_journal_dirty_metadata+0x13/0x32 [ext3] Jul 11 15:39:29 wangchen kernel: [] __wake_up+0xf/0x15 Jul 11 15:39:29 wangchen kernel: [] journal_stop+0x1bd/0x1c6 [jbd] Jul 11 15:39:29 wangchen kernel: [] __ext3_journal_stop+0x19/0x34 [ext3] Jul 11 15:39:29 wangchen kernel: [] get_page_from_freelist+0x94/0x369 Jul 11 15:39:29 wangchen kernel: [] filemap_fault+0x1ac/0x2fe Jul 11 15:39:29 wangchen kernel: [] security_sk_alloc+0xd/0xf Jul 11 15:39:29 wangchen kernel: [] sk_prot_alloc+0x36/0x78 Jul 11 15:39:29 wangchen kernel: [] sk_alloc+0x3a/0x40 Jul 11 15:39:29 wangchen kernel: [] raw_hash_sk+0x46/0x4e Jul 11 15:39:29 wangchen kernel: [] d_alloc+0x1b/0x157 Jul 11 15:39:29 wangchen kernel: [] sock_common_setsockopt+0x12/0x16 Jul 11 15:39:29 wangchen kernel: [] sys_setsockopt+0x6f/0x8e Jul 11 15:39:29 wangchen kernel: [] sys_socketcall+0x15c/0x19e Jul 11 15:39:29 wangchen kernel: [] sysenter_past_esp+0x6a/0x99 Jul 11 15:39:29 wangchen kernel: [] unix_poll+0x69/0x78 Jul 11 15:39:29 wangchen kernel: ======================= Jul 11 15:39:29 wangchen kernel: Code: 83 e0 01 00 00 85 c0 75 1f 53 53 68 12 81 31 c0 e8 3c 30 ed ff ba 3f 0e 00 00 b8 b9 7f 31 c0 83 c4 0c 5b e9 f5 26 ed ff 48 74 04 <0f> 0b eb fe 89 d8 e8 21 ff ff ff 89 d8 e8 62 ea ff ff c7 83 e0 Jul 11 15:39:29 wangchen kernel: EIP: [] rollback_registered+0x61/0xe3 SS:ESP 0068:ed8e7c3c Jul 11 15:39:29 wangchen kernel: ---[ end trace c311acf85d169786 ]--- === Signed-off-by: Wang Chen Signed-off-by: David S. Miller --- net/ipv4/ipmr.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index 2f4d8afd067c..c9ab47b966b5 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c @@ -184,6 +184,7 @@ struct net_device *ipmr_new_tunnel(struct vifctl *v) if (dev_open(dev)) goto failure; + dev_hold(dev); } } return dev; @@ -250,6 +251,8 @@ static struct net_device *ipmr_reg_vif(void) if (dev_open(dev)) goto failure; + dev_hold(dev); + return dev; failure: @@ -264,9 +267,10 @@ failure: /* * Delete a VIF entry + * @notify: Set to 1, if the caller is a notifier_call */ -static int vif_delete(int vifi) +static int vif_delete(int vifi, int notify) { struct vif_device *v; struct net_device *dev; @@ -309,7 +313,7 @@ static int vif_delete(int vifi) ip_rt_multicast_event(in_dev); } - if (v->flags&(VIFF_TUNNEL|VIFF_REGISTER)) + if (v->flags&(VIFF_TUNNEL|VIFF_REGISTER) && !notify) unregister_netdevice(dev); dev_put(dev); @@ -435,6 +439,7 @@ static int vif_add(struct vifctl *vifc, int mrtsock) err = dev_set_allmulti(dev, 1); if (err) { unregister_netdevice(dev); + dev_put(dev); return err; } break; @@ -446,6 +451,7 @@ static int vif_add(struct vifctl *vifc, int mrtsock) err = dev_set_allmulti(dev, 1); if (err) { ipmr_del_tunnel(dev, vifc); + dev_put(dev); return err; } break; @@ -453,10 +459,11 @@ static int vif_add(struct vifctl *vifc, int mrtsock) dev = ip_dev_find(&init_net, vifc->vifc_lcl_addr.s_addr); if (!dev) return -EADDRNOTAVAIL; - dev_put(dev); err = dev_set_allmulti(dev, 1); - if (err) + if (err) { + dev_put(dev); return err; + } break; default: return -EINVAL; @@ -487,7 +494,6 @@ static int vif_add(struct vifctl *vifc, int mrtsock) /* And finish update writing critical data */ write_lock_bh(&mrt_lock); - dev_hold(dev); v->dev=dev; #ifdef CONFIG_IP_PIMSM if (v->flags&VIFF_REGISTER) @@ -834,7 +840,7 @@ static void mroute_clean_tables(struct sock *sk) */ for (i=0; idev==dev) - vif_delete(ct); + vif_delete(ct, 1); } return NOTIFY_DONE; } -- 2.30.2