sock.c:LINE (3)

Paolo Abeni Mon, 19 Feb 2018 05:57:44 -0800

On Mon, 2018-02-19 at 13:23 +0000, Jon Maloy wrote:
> I don't understand this one. tipc_topsrv_stop() can only be trigged
> from a user doing rmmod(), and I double checked that this is running
> in user mode.
> How does the call chain you are reporting occur?


tipc_topsrv_stop() is called also at net namespace destruction time:

static void __net_exit tipc_exit_net(struct net *net)
{
        tipc_topsrv_stop(net);
#...

I *think* the following should fix the issue, but I'm unsure if it's
safe.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 
master

---
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index 02013e00f287..63f35eae7236 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -693,9 +693,9 @@ void tipc_topsrv_stop(struct net *net)
        }
        __module_get(lsock->ops->owner);
        __module_get(lsock->sk->sk_prot_creator->owner);
-       sock_release(lsock);
        srv->listener = NULL;
        spin_unlock_bh(&srv->idr_lock);
+       sock_release(lsock);
        tipc_topsrv_work_stop(srv);
        idr_destroy(&srv->conn_idr);
        kfree(srv);

Re: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (3)

Reply via email to