GIT: unionfs2-2.6.27.y: tipc: Fix oops on send prior to entering networked mode (v3)

Erez Zadok ezk at fsl.cs.sunysb.edu
Thu Aug 12 23:15:32 EDT 2010 

commit 670037a94e70b107a79fd9ac0f4f2c9e1d26f742
Author: Neil Horman <nhorman at tuxdriver.com>
Date:   Wed Mar 3 08:31:23 2010 +0000

    tipc: Fix oops on send prior to entering networked mode (v3)
    
    commit d0021b252eaf65ca07ed14f0d66425dd9ccab9a6 upstream.
    
    Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE
    
    user programs can oops the kernel by sending datagrams via AF_TIPC prior to
    entering networked mode.  The following backtrace has been observed:
    
    ID: 13459  TASK: ffff810014640040  CPU: 0   COMMAND: "tipc-client"
    [exception RIP: tipc_node_select_next_hop+90]
    RIP: ffffffff8869d3c3  RSP: ffff81002d9a5ab8  RFLAGS: 00010202
    RAX: 0000000000000001  RBX: 0000000000000001  RCX: 0000000000000001
    RDX: 0000000000000000  RSI: 0000000000000001  RDI: 0000000001001001
    RBP: 0000000001001001   R8: 0074736575716552   R9: 0000000000000000
    R10: ffff81003fbd0680  R11: 00000000000000c8  R12: 0000000000000008
    R13: 0000000000000001  R14: 0000000000000001  R15: ffff810015c6ca00
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
    RIP: 0000003cbd8d49a3  RSP: 00007fffc84e0be8  RFLAGS: 00010206
    RAX: 000000000000002c  RBX: ffffffff8005d116  RCX: 0000000000000000
    RDX: 0000000000000008  RSI: 00007fffc84e0c00  RDI: 0000000000000003
    RBP: 0000000000000000   R8: 00007fffc84e0c10   R9: 0000000000000010
    R10: 0000000000000000  R11: 0000000000000246  R12: 0000000000000000
    R13: 00007fffc84e0d10  R14: 0000000000000000  R15: 00007fffc84e0c30
    ORIG_RAX: 000000000000002c  CS: 0033  SS: 002b
    
    What happens is that, when the tipc module in inserted it enters a standalone
    node mode in which communication to its own address is allowed <0.0.0> but not
    to other addresses, since the appropriate data structures have not been
    allocated yet (specifically the tipc_net pointer).  There is nothing stopping a
    client from trying to send such a message however, and if that happens, we
    attempt to dereference tipc_net.zones while the pointer is still NULL, and
    explode.  The fix is pretty straightforward.  Since these oopses all arise from
    the dereference of global pointers prior to their assignment to allocated
    values, and since these allocations are small (about 2k total), lets convert
    these pointers to static arrays of the appropriate size.  All the accesses to
    these bits consider 0/NULL to be a non match when searching, so all the lookups
    still work properly, and there is no longer a chance of a bad dererence
    anywhere.  As a bonus, this lets us eliminate the setup/teardown routines for
    those pointers, and elimnates the need to preform any locking around them to
    prevent access while their being allocated/freed.
    
    I've updated the tipc_net structure to behave this way to fix the exact reported
    problem, and also fixed up the tipc_bearers and media_list arrays to fix an
    obvious simmilar problem that arises from issuing tipc-config commands to
    manipulate bearers/links prior to entering networked mode
    
    I've tested this for a few hours by running the sanity tests and stress test
    with the tipcutils suite, and nothing has fallen over.  There have been a few
    lockdep warnings, but those were there before, and can be addressed later, as
    they didn't actually result in any deadlock.
    
    Signed-off-by: Neil Horman <nhorman at tuxdriver.com>
    CC: Allan Stephens <allan.stephens at windriver.com>
    CC: David S. Miller <davem at davemloft.net>
    CC: tipc-discussion at lists.sourceforge.net
    Signed-off-by: David S. Miller <davem at davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index a7a3677..a2a53e8 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -45,10 +45,10 @@
 
 #define MAX_ADDR_STR 32
 
-static struct media *media_list = NULL;
+static struct media media_list[MAX_MEDIA];
 static u32 media_count = 0;
 
-struct bearer *tipc_bearers = NULL;
+struct bearer tipc_bearers[MAX_BEARERS];
 
 /**
  * media_name_valid - validate media name
@@ -108,9 +108,11 @@ int  tipc_register_media(u32 media_type,
 	int res = -EINVAL;
 
 	write_lock_bh(&tipc_net_lock);
-	if (!media_list)
-		goto exit;
 
+	if (tipc_mode != TIPC_NET_MODE) {
+		warn("Media <%s> rejected, not in networked mode yet\n", name);
+		goto exit;
+	}
 	if (!media_name_valid(name)) {
 		warn("Media <%s> rejected, illegal name\n", name);
 		goto exit;
@@ -660,33 +662,10 @@ int tipc_disable_bearer(const char *name)
 
 
 
-int tipc_bearer_init(void)
-{
-	int res;
-
-	write_lock_bh(&tipc_net_lock);
-	tipc_bearers = kcalloc(MAX_BEARERS, sizeof(struct bearer), GFP_ATOMIC);
-	media_list = kcalloc(MAX_MEDIA, sizeof(struct media), GFP_ATOMIC);
-	if (tipc_bearers && media_list) {
-		res = 0;
-	} else {
-		kfree(tipc_bearers);
-		kfree(media_list);
-		tipc_bearers = NULL;
-		media_list = NULL;
-		res = -ENOMEM;
-	}
-	write_unlock_bh(&tipc_net_lock);
-	return res;
-}
-
 void tipc_bearer_stop(void)
 {
 	u32 i;
 
-	if (!tipc_bearers)
-		return;
-
 	for (i = 0; i < MAX_BEARERS; i++) {
 		if (tipc_bearers[i].active)
 			tipc_bearers[i].publ.blocked = 1;
@@ -695,10 +674,6 @@ void tipc_bearer_stop(void)
 		if (tipc_bearers[i].active)
 			bearer_disable(tipc_bearers[i].publ.name);
 	}
-	kfree(tipc_bearers);
-	kfree(media_list);
-	tipc_bearers = NULL;
-	media_list = NULL;
 	media_count = 0;
 }
 
diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
index ca57348..000228e 100644
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -114,7 +114,7 @@ struct bearer_name {
 
 struct link;
 
-extern struct bearer *tipc_bearers;
+extern struct bearer tipc_bearers[];
 
 void tipc_media_addr_printf(struct print_buf *pb, struct tipc_media_addr *a);
 struct sk_buff *tipc_media_get_names(void);
diff --git a/net/tipc/net.c b/net/tipc/net.c
index 7906608..f25b1cd 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -116,7 +116,8 @@
 */
 
 DEFINE_RWLOCK(tipc_net_lock);
-struct network tipc_net = { NULL };
+struct _zone *tipc_zones[256] = { NULL, };
+struct network tipc_net = { tipc_zones };
 
 struct tipc_node *tipc_net_select_remote_node(u32 addr, u32 ref)
 {
@@ -158,28 +159,12 @@ void tipc_net_send_external_routes(u32 dest)
 	}
 }
 
-static int net_init(void)
-{
-	memset(&tipc_net, 0, sizeof(tipc_net));
-	tipc_net.zones = kcalloc(tipc_max_zones + 1, sizeof(struct _zone *), GFP_ATOMIC);
-	if (!tipc_net.zones) {
-		return -ENOMEM;
-	}
-	return 0;
-}
-
 static void net_stop(void)
 {
 	u32 z_num;
 
-	if (!tipc_net.zones)
-		return;
-
-	for (z_num = 1; z_num <= tipc_max_zones; z_num++) {
+	for (z_num = 1; z_num <= tipc_max_zones; z_num++)
 		tipc_zone_delete(tipc_net.zones[z_num]);
-	}
-	kfree(tipc_net.zones);
-	tipc_net.zones = NULL;
 }
 
 static void net_route_named_msg(struct sk_buff *buf)
@@ -282,9 +267,7 @@ int tipc_net_start(u32 addr)
 	tipc_named_reinit();
 	tipc_port_reinit();
 
-	if ((res = tipc_bearer_init()) ||
-	    (res = net_init()) ||
-	    (res = tipc_cltr_init()) ||
+	if ((res = tipc_cltr_init()) ||
 	    (res = tipc_bclink_init())) {
 		return res;
 	}

More information about the unionfs-cvs mailing list