Date: Fri, 15 Mar 2019 14:24:38 +0800
From: Herbert Xu
To: Su Yanjun
Cc: steffen.klassert@secunet.com, davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Dumazet
Subject: Re: [PATCH] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
Message-ID: <20190315062438.id3664ccow5uxgvt@gondor.apana.org.au>
References: <1552546782-102587-1-git-send-email-suyj.fnst@cn.fujitsu.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 14, 2019 at 02:59:42PM +0800, Su Yanjun wrote:
> When unloading xfrm6_tunnel module, xfrm6_tunnel_fini directly
> frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the
> xfrm6_tunnel_spi, so need to wait it.
>
> Fixes: 91cc3bb0b04ff("xfrm6_tunnel: RCU conversion")
> Signed-off-by: Su Yanjun
> ---
> net/ipv6/xfrm6_tunnel.c | 4 ++++
> 1 file changed, 4 insertions(+)

This looks good to me. And it's not just the matter of accessing freed memory. A worse problem would be trying to execute code from an unloaded module.

Acked-by: Herbert Xu

> diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c > index bc65db7..12cb3aa 100644 > --- a/net/ipv6/xfrm6_tunnel.c > +++ b/net/ipv6/xfrm6_tunnel.c > @@ -402,6 +402,10 @@ static void __exit xfrm6_tunnel_fini(void) > xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6); > xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6); > unregister_pernet_subsys(&xfrm6_tunnel_net_ops); > + /* Someone maybe has gotten the xfrm6_tunnel_spi. > + * So need to wait it. > + */ > + rcu_barrier(); > kmem_cache_destroy(xfrm6_tunnel_spi_kmem); > }

Thanks,
-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
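
Review bot: The comment added above rcu_barrier() in xfrm6_tunnel_fini() does not say what is being waited for. "Someone maybe has gotten the xfrm6_tunnel_spi" reads as if the call waits for a reader that still holds a pointer, but rcu_barrier() waits for RCU callbacks that have already been queued to finish running. Suggest wording along the lines of "Wait for pending RCU callbacks before destroying xfrm6_tunnel_spi_kmem". The commit message would also benefit from the point raised in the ack: a callback that runs after the module is gone would execute code from an unloaded module, which is a second reason the barrier has to precede both kmem_cache_destroy() and the return from the __exit function.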