From: hujunwei <huj...@hu...>
Date: Thu, 16 May 2019 10:51:15 +0800
> From: Junwei Hu <huj...@hu...>
>
> When tipc is loaded while many processes try to create a TIPC socket,
> a crash occurs:
> PANIC: Unable to handle kernel paging request at virtual
> address "dfff20000000021d"
> pc : tipc_sk_create+0x374/0x1180 [tipc]
> lr : tipc_sk_create+0x374/0x1180 [tipc]
> Exception class = DABT (current EL), IL = 32 bits
> Call trace:
> tipc_sk_create+0x374/0x1180 [tipc]
> __sock_create+0x1cc/0x408
> __sys_socket+0xec/0x1f0
> __arm64_sys_socket+0x74/0xa8
> ...
>
> This is due to a race between sock_create and an unfinished
> register_pernet_device. tipc_sk_insert tries to do
> "net_generic(net, tipc_net_id)",
> but tipc_net_id is not initialized yet.
>
> So switch the order of the two to close the race.
>
> This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
> and one process doing module removal.
>
> Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
> Signed-off-by: Junwei Hu <huj...@hu...>
> Reported-by: Wang Wang <wan...@hu...>
> Reviewed-by: Xiaogang Wang <wan...@hu...>
Applied and queued up for -stable.
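
The ordering problem described in the quoted commit message, as an added userspace model (not part of this thread and not kernel code): it probes every instant of a registration sequence and counts those where a socket() call would reach the create hook while the per-net id is still unassigned. All step and function names are hypothetical, and the teardown half generalizes beyond what the message states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Userspace model, not kernel code. All names here are hypothetical. */
enum step { REG_PERNET, REG_FAMILY, UNREG_FAMILY, UNREG_PERNET };
enum outcome { REJECTED, CREATED, CRASH };

struct model {
    int  net_id;         /* 0 = unassigned, like tipc_net_id before registration */
    bool family_visible; /* true once socket(AF_TIPC, ...) reaches the create hook */
    int  pernet_data;    /* stands in for the per-namespace state */
};

static void apply(struct model *m, enum step s) {
    switch (s) {
    case REG_PERNET:   m->net_id = 1;             break;
    case UNREG_PERNET: m->net_id = 0;             break;
    case REG_FAMILY:   m->family_visible = true;  break;
    case UNREG_FAMILY: m->family_visible = false; break;
    }
}

/* Models net_generic(net, tipc_net_id): usable only once the id is assigned. */
static int *lookup(struct model *m) { return m->net_id ? &m->pernet_data : NULL; }

/* What a socket() call arriving at this instant would experience. */
static enum outcome try_create(struct model *m) {
    if (!m->family_visible) return REJECTED; /* no create hook registered */
    return lookup(m) ? CREATED : CRASH;      /* NULL here is the bad dereference */
}

/* Probe before, between and after every step; count the crashing instants. */
int crash_windows(const enum step *order, size_t n) {
    struct model m = {0};
    int crashes = 0;
    for (size_t i = 0; i <= n; i++) {
        if (try_create(&m) == CRASH) crashes++;
        if (i < n) apply(&m, order[i]);
    }
    return crashes;
}

static const enum step racy[] = { REG_FAMILY, REG_PERNET, UNREG_PERNET, UNREG_FAMILY };
static const enum step safe[] = { REG_PERNET, REG_FAMILY, UNREG_FAMILY, UNREG_PERNET };
int racy_windows(void) { return crash_windows(racy, 4); }
int safe_windows(void) { return crash_windows(safe, 4); }
int main(void) {
    printf("racy order: %d, safe order: %d\n", racy_windows(), safe_windows());
}
```

The rule the model checks is that the externally reachable entry point is published last and withdrawn first, so no caller can observe state that is not set up.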