CVE-2021-47163

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/03/2024
Last modified:
13/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: wait and exit until all work queues are done

On some hosts, a crash could be triggered simply by repeating these
commands several times:

  # modprobe tipc
  # tipc bearer enable media udp name UDP1 localip 127.0.0.1
  # rmmod tipc

  [] BUG: unable to handle kernel paging request at ffffffffc096bb00
  [] Workqueue: events 0xffffffffc096bb00
  [] Call Trace:
  [] ? process_one_work+0x1a7/0x360
  [] ? worker_thread+0x30/0x390
  [] ? create_worker+0x1a0/0x1a0
  [] ? kthread+0x116/0x130
  [] ? kthread_flush_work_fn+0x10/0x10
  [] ? ret_from_fork+0x35/0x40

When removing the TIPC module, the UDP tunnel sock will be delayed to
release in a work queue as sock_release() can't be done in rtnl_lock().
If the work queue is scheduled to run after the TIPC module is removed,
the kernel will crash as the work queue function cleanup_beareri() code no
longer exists when trying to invoke it.

To fix it, this patch introduces a member wq_count in tipc_net to track
the number of work queues in schedule, and wait and exit until all
work queues are done in tipc_exit_net().
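The ordering problem described above, as an added example that is not kernel code and not part of the patch: a single-threaded user-space model in which deferred release work either runs after "unload" (unpatched) or is drained first by waiting on a counter (patched). Only `wq_count` is a name from the advisory; `net_model`, `schedule_release`, `run_pending` and the two `exit_net_*` functions are hypothetical.

```c
/* User-space model, not kernel code; only wq_count is the advisory's name. */
#include <stdbool.h>
#include <stddef.h>
#define MAX_WORK 8
struct net_model {
    int  wq_count;       /* work items scheduled but not yet finished */
    bool module_loaded;  /* false once the module text would be gone */
    int  released;       /* releases that ran while the code was valid */
    int  stale_calls;    /* releases that ran after unload (the crash) */
};
static struct net_model *pending[MAX_WORK];
static size_t n_pending;

/* Defer a socket release; count it before it is queued. */
static void schedule_release(struct net_model *n)
{
    if (n_pending == MAX_WORK) return;
    n->wq_count++;
    pending[n_pending++] = n;
}

/* One pass of the worker over everything queued. */
static void run_pending(void)
{
    for (size_t i = 0; i < n_pending; i++) {
        struct net_model *n = pending[i];
        if (n->module_loaded) n->released++;
        else                  n->stale_calls++;  /* handler code is gone */
        n->wq_count--;
    }
    n_pending = 0;
}

/* Unpatched teardown: unload without waiting for queued work. */
static void exit_net_unpatched(struct net_model *n) { n->module_loaded = false; }
/* Patched teardown: wait until wq_count reaches zero, then unload. */
static void exit_net_patched(struct net_model *n)
{
    while (n->wq_count > 0)
        run_pending();   /* stands in for yielding to the worker thread */
    n->module_loaded = false;
}

int main(void)
{
    struct net_model a = { .module_loaded = true }, b = a;
    schedule_release(&a); exit_net_unpatched(&a); run_pending();
    schedule_release(&b); exit_net_patched(&b);   run_pending();
    return !(a.stale_calls == 1 && b.stale_calls == 0 && b.released == 1);
}
```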

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.1 (including) | 5.4.124 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.12.9 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* | |