aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/tap.c
diff options
context:
space:
mode:
authorGirish Moodalbail <girish.moodalbail@oracle.com>2017-10-27 00:00:16 -0700
committerDavid S. Miller <davem@davemloft.net>2017-10-28 19:17:21 +0900
commitdea6e19f4ef746aa18b4c33d1a7fed54356796ed (patch)
tree812cc8b2a95206a026113b274c74d63bfadb1622 /drivers/net/tap.c
parenttcp: refresh tp timestamp before tcp_mtu_probe() (diff)
downloadlinux-dev-dea6e19f4ef746aa18b4c33d1a7fed54356796ed.tar.xz
linux-dev-dea6e19f4ef746aa18b4c33d1a7fed54356796ed.zip
tap: reference to KVA of an unloaded module causes kernel panic
The commit 9a393b5d5988 ("tap: tap as an independent module") created a separate tap module that implements tap functionality and exports interfaces that will be used by macvtap and ipvtap modules to create create respective tap devices. However, that patch introduced a regression wherein the modules macvtap and ipvtap can be removed (through modprobe -r) while there are applications using the respective /dev/tapX devices. These applications cause kernel to hold reference to /dev/tapX through 'struct cdev macvtap_cdev' and 'struct cdev ipvtap_dev' defined in macvtap and ipvtap modules respectively. So, when the application is later closed the kernel panics because we are referencing KVA that is present in the unloaded modules. ----------8<------- Example ----------8<---------- $ sudo ip li add name mv0 link enp7s0 type macvtap $ sudo ip li show mv0 |grep mv0| awk -e '{print $1 $2}' 14:mv0@enp7s0: $ cat /dev/tap14 & $ lsmod |egrep -i 'tap|vlan' macvtap 16384 0 macvlan 24576 1 macvtap tap 24576 3 macvtap $ sudo modprobe -r macvtap $ fg cat /dev/tap14 ^C <...system panics...> BUG: unable to handle kernel paging request at ffffffffa038c500 IP: cdev_put+0xf/0x30 ----------8<-----------------8<---------- The fix is to set cdev.owner to the module that creates the tap device (either macvtap or ipvtap). With this set, the operations (in fs/char_dev.c) on char device holds and releases the module through cdev_get() and cdev_put() and will not allow the module to unload prematurely. Fixes: 9a393b5d5988ea4e (tap: tap as an independent module) Signed-off-by: Girish Moodalbail <girish.moodalbail@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/tap.c')
-rw-r--r--drivers/net/tap.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 98ee6cc2875d..1b10fcc6a58d 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1249,8 +1249,8 @@ static int tap_list_add(dev_t major, const char *device_name)
return 0;
}
-int tap_create_cdev(struct cdev *tap_cdev,
- dev_t *tap_major, const char *device_name)
+int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
+ const char *device_name, struct module *module)
{
int err;
@@ -1259,6 +1259,7 @@ int tap_create_cdev(struct cdev *tap_cdev,
goto out1;
cdev_init(tap_cdev, &tap_fops);
+ tap_cdev->owner = module;
err = cdev_add(tap_cdev, *tap_major, TAP_NUM_DEVS);
if (err)
goto out2;