Commit 1913540a authored by Tom Herbert's avatar Tom Herbert Committed by David S. Miller
Browse files

ila: Fix crash caused by rhashtable changes 



commit ca26893f ("rhashtable: Add rhlist interface")
added a field to rhashtable_iter so that length became 56 bytes
and would exceed the size of args in netlink_callback (which is
48 bytes). The netlink diag dump function already has been
allocating a iter structure and storing the pointed to that
in the args of netlink_callback. ila_xlat also uses
rhahstable_iter but is still putting that directly in
the arg block. Now since rhashtable_iter size is increased
we are overwriting beyond the structure. The next field
happens to be cb_mutex pointer in netlink_sock and hence the crash.

Fix is to alloc the rhashtable_iter and save it as pointer
in arg.

Tested:

  modprobe ila
  ./ip ila add loc 3333:0:0:0 loc_match 2222:0:0:1,
  ./ip ila list  # NO crash now

Signed-off-by: default avatarTom Herbert <tom@herbertland.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 3de864f8

net/ipv6/ila/ila_xlat.c

+13 −3
Original line number Diff line number Diff line
@@ -474,7 +474,15 @@ static int ila_nl_dump_start(struct netlink_callback *cb) 
{

	struct net *net = sock_net(cb->skb->sk);

	struct ila_net *ilan = net_generic(net, ila_net_id);

	struct ila_dump_iter *iter = (struct ila_dump_iter *)cb->args;

	struct ila_dump_iter *iter = (struct ila_dump_iter *)cb->args[0];



	if (!iter) {

		iter = kmalloc(sizeof(*iter), GFP_KERNEL);

		if (!iter)

			return -ENOMEM;



		cb->args[0] = (long)iter;

	}



	return rhashtable_walk_init(&ilan->rhash_table, &iter->rhiter,

				    GFP_KERNEL);
@@ -482,16 +490,18 @@ static int ila_nl_dump_start(struct netlink_callback *cb) 


static int ila_nl_dump_done(struct netlink_callback *cb)

{

	struct ila_dump_iter *iter = (struct ila_dump_iter *)cb->args;

	struct ila_dump_iter *iter = (struct ila_dump_iter *)cb->args[0];



	rhashtable_walk_exit(&iter->rhiter);



	kfree(iter);



	return 0;

}



static int ila_nl_dump(struct sk_buff *skb, struct netlink_callback *cb)

{

	struct ila_dump_iter *iter = (struct ila_dump_iter *)cb->args;

	struct ila_dump_iter *iter = (struct ila_dump_iter *)cb->args[0];

	struct rhashtable_iter *rhiter = &iter->rhiter;

	struct ila_map *ila;

	int ret;

CRA Git | Maintained and supported by SUSTech CRA and CCSE