tap: reference to KVA of an unloaded module causes kernel panic

The commit 9a393b5d59 ("tap: tap as an independent module") created a
separate tap module that implements tap functionality and exports
interfaces that will be used by macvtap and ipvtap modules to create
create respective tap devices.

However, that patch introduced a regression wherein the modules macvtap
and ipvtap can be removed (through modprobe -r) while there are
applications using the respective /dev/tapX devices. These applications
cause kernel to hold reference to /dev/tapX through 'struct cdev
macvtap_cdev' and 'struct cdev ipvtap_dev' defined in macvtap and ipvtap
modules respectively. So,  when the application is later closed the
kernel panics because we are referencing KVA that is present in the
unloaded modules.

----------8<------- Example ----------8<----------
$ sudo ip li add name mv0 link enp7s0 type macvtap
$ sudo ip li show mv0 |grep mv0| awk -e '{print $1 $2}'
  14:mv0@enp7s0:
$ cat /dev/tap14 &
$ lsmod |egrep -i 'tap|vlan'
macvtap                16384  0
macvlan                24576  1 macvtap
tap                    24576  3 macvtap
$ sudo modprobe -r macvtap
$ fg
cat /dev/tap14
^C

<...system panics...>
BUG: unable to handle kernel paging request at ffffffffa038c500
IP: cdev_put+0xf/0x30
----------8<-----------------8<----------

The fix is to set cdev.owner to the module that creates the tap device
(either macvtap or ipvtap). With this set, the operations (in
fs/char_dev.c) on char device holds and releases the module through
cdev_get() and cdev_put() and will not allow the module to unload
prematurely.

Fixes: 9a393b5d59 (tap: tap as an independent module)
Signed-off-by: Girish Moodalbail <girish.moodalbail@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Girish Moodalbail 2017-10-27 00:00:16 -07:00 committed by David S. Miller
parent ee1836aec4
commit dea6e19f4e
4 changed files with 9 additions and 8 deletions

View File

@ -197,8 +197,8 @@ static int ipvtap_init(void)
{ {
int err; int err;
err = tap_create_cdev(&ipvtap_cdev, &ipvtap_major, "ipvtap"); err = tap_create_cdev(&ipvtap_cdev, &ipvtap_major, "ipvtap",
THIS_MODULE);
if (err) if (err)
goto out1; goto out1;

View File

@ -204,8 +204,8 @@ static int macvtap_init(void)
{ {
int err; int err;
err = tap_create_cdev(&macvtap_cdev, &macvtap_major, "macvtap"); err = tap_create_cdev(&macvtap_cdev, &macvtap_major, "macvtap",
THIS_MODULE);
if (err) if (err)
goto out1; goto out1;

View File

@ -1249,8 +1249,8 @@ static int tap_list_add(dev_t major, const char *device_name)
return 0; return 0;
} }
int tap_create_cdev(struct cdev *tap_cdev, int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
dev_t *tap_major, const char *device_name) const char *device_name, struct module *module)
{ {
int err; int err;
@ -1259,6 +1259,7 @@ int tap_create_cdev(struct cdev *tap_cdev,
goto out1; goto out1;
cdev_init(tap_cdev, &tap_fops); cdev_init(tap_cdev, &tap_fops);
tap_cdev->owner = module;
err = cdev_add(tap_cdev, *tap_major, TAP_NUM_DEVS); err = cdev_add(tap_cdev, *tap_major, TAP_NUM_DEVS);
if (err) if (err)
goto out2; goto out2;

View File

@ -73,8 +73,8 @@ void tap_del_queues(struct tap_dev *tap);
int tap_get_minor(dev_t major, struct tap_dev *tap); int tap_get_minor(dev_t major, struct tap_dev *tap);
void tap_free_minor(dev_t major, struct tap_dev *tap); void tap_free_minor(dev_t major, struct tap_dev *tap);
int tap_queue_resize(struct tap_dev *tap); int tap_queue_resize(struct tap_dev *tap);
int tap_create_cdev(struct cdev *tap_cdev, int tap_create_cdev(struct cdev *tap_cdev, dev_t *tap_major,
dev_t *tap_major, const char *device_name); const char *device_name, struct module *module);
void tap_destroy_cdev(dev_t major, struct cdev *tap_cdev); void tap_destroy_cdev(dev_t major, struct cdev *tap_cdev);
#endif /*_LINUX_IF_TAP_H_*/ #endif /*_LINUX_IF_TAP_H_*/