From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Matt Bennett <Matt.Bennett@alliedtelesis.co.nz>,
Paul Mackerras <paulus@samba.org>,
linux-ppp@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
Cyrill Gorcunov <gorcunov@openvz.org>,
Cong Wang <xiyou.wangcong@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 3.18 41/49] ppp: defer netns reference release for ppp channel
Date: Thu, 18 May 2017 13:16:50 +0000 [thread overview]
Message-ID: <20170518131644.768363983@linuxfoundation.org> (raw)
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: WANG Cong <xiyou.wangcong@gmail.com>
commit 205e1e255c479f3fd77446415706463b282f94e4 upstream.
Matt reported that we have a NULL pointer dereference
in ppp_pernet() from ppp_connect_channel(),
i.e. pch->chan_net is NULL.
This is due to that a parallel ppp_unregister_channel()
could happen while we are in ppp_connect_channel(), during
which pch->chan_net set to NULL. Since we need a reference
to net per channel, it makes sense to sync the refcnt
with the life time of the channel, therefore we should
release this reference when we destroy it.
Fixes: 1f461dcdd296 ("ppp: take reference on channels netns")
Reported-by: Matt Bennett <Matt.Bennett@alliedtelesis.co.nz>
Cc: Paul Mackerras <paulus@samba.org>
Cc: linux-ppp@vger.kernel.org
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ppp/ppp_generic.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2342,8 +2342,6 @@ ppp_unregister_channel(struct ppp_channe
spin_lock_bh(&pn->all_channels_lock);
list_del(&pch->list);
spin_unlock_bh(&pn->all_channels_lock);
- put_net(pch->chan_net);
- pch->chan_net = NULL;
pch->file.dead = 1;
wake_up_interruptible(&pch->file.rwait);
@@ -2960,6 +2958,9 @@ ppp_disconnect_channel(struct channel *p
*/
static void ppp_destroy_channel(struct channel *pch)
{
+ put_net(pch->chan_net);
+ pch->chan_net = NULL;
+
atomic_dec(&channel_count);
if (!pch->file.dead) {
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Matt Bennett <Matt.Bennett@alliedtelesis.co.nz>,
Paul Mackerras <paulus@samba.org>,
linux-ppp@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
Cyrill Gorcunov <gorcunov@openvz.org>,
Cong Wang <xiyou.wangcong@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 3.18 41/49] ppp: defer netns reference release for ppp channel
Date: Thu, 18 May 2017 15:16:50 +0200 [thread overview]
Message-ID: <20170518131644.768363983@linuxfoundation.org> (raw)
In-Reply-To: <20170518131643.028057293@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: WANG Cong <xiyou.wangcong@gmail.com>
commit 205e1e255c479f3fd77446415706463b282f94e4 upstream.
Matt reported that we have a NULL pointer dereference
in ppp_pernet() from ppp_connect_channel(),
i.e. pch->chan_net is NULL.
This is due to that a parallel ppp_unregister_channel()
could happen while we are in ppp_connect_channel(), during
which pch->chan_net set to NULL. Since we need a reference
to net per channel, it makes sense to sync the refcnt
with the life time of the channel, therefore we should
release this reference when we destroy it.
Fixes: 1f461dcdd296 ("ppp: take reference on channels netns")
Reported-by: Matt Bennett <Matt.Bennett@alliedtelesis.co.nz>
Cc: Paul Mackerras <paulus@samba.org>
Cc: linux-ppp@vger.kernel.org
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ppp/ppp_generic.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2342,8 +2342,6 @@ ppp_unregister_channel(struct ppp_channe
spin_lock_bh(&pn->all_channels_lock);
list_del(&pch->list);
spin_unlock_bh(&pn->all_channels_lock);
- put_net(pch->chan_net);
- pch->chan_net = NULL;
pch->file.dead = 1;
wake_up_interruptible(&pch->file.rwait);
@@ -2960,6 +2958,9 @@ ppp_disconnect_channel(struct channel *p
*/
static void ppp_destroy_channel(struct channel *pch)
{
+ put_net(pch->chan_net);
+ pch->chan_net = NULL;
+
atomic_dec(&channel_count);
if (!pch->file.dead) {
next prev parent reply other threads:[~2017-05-18 13:16 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-18 13:16 [PATCH 3.18 00/49] 3.18.54-stable review Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 01/49] target/fileio: Fix zero-length READ and WRITE handling Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 02/49] usb: host: xhci: print correct command ring address Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 03/49] USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 04/49] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 05/49] staging: vt6656: use off stack for in buffer USB transfers Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 06/49] staging: vt6656: use off stack for out " Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 07/49] staging: gdm724x: gdm_mux: fix use-after-free on module unload Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 08/49] staging: comedi: jr3_pci: fix possible null pointer dereference Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 09/49] staging: comedi: jr3_pci: cope with jiffies wraparound Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 10/49] usb: misc: add missing continue in switch Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 11/49] usb: hub: Do not attempt to autosuspend disconnected devices Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 12/49] usb: misc: legousbtower: Fix buffers on stack Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 13/49] x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 14/49] um: Fix PTRACE_POKEUSER on x86_64 Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 15/49] dm era: save spacemap metadata root after the pre-commit Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 16/49] IB/IPoIB: ibX: failed to create mcg debug file Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 17/49] IB/mlx4: Fix ib device initialization error flow Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 18/49] fs/xattr.c: zero out memory copied to userspace in getxattr Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 19/49] ceph: fix memory leak in __ceph_setxattr() Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 20/49] fs/block_dev: always invalidate cleancache in invalidate_bdev() Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 21/49] Set unicode flag on cifs echo request to avoid Mac error Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 22/49] SMB3: Work around mount failure when using SMB3 dialect to Macs Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 25/49] padata: free correct variable Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 26/49] md/raid1: avoid reusing a resync bio after error handling Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 27/49] serial: omap: fix runtime-pm handling on unbind Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 28/49] serial: omap: suspend device on probe errors Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 29/49] Bluetooth: Fix user channel for 32bit userspace on 64bit kernel Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 30/49] arm64: make sys_call_table const Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 31/49] perf: Fix event->ctx locking Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 32/49] arm64: perf: reject groups spanning multiple HW PMUs Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 33/49] perf: Fix race in swevent hash Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 34/49] ASN.1: Fix non-match detection failure on data overrun Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 35/49] KEYS: Fix ASN.1 indefinite length object parsing Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 36/49] ext4: fix potential use after free in __ext4_journal_stop Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 37/49] sg: Fix double-free when drives detach during SG_IO Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 38/49] ipv6: sctp: add rcu protection around np->opt Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 39/49] ipv6: sctp: fix lockdep splat in sctp_v6_get_dst() Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 40/49] af_unix: Guard against other == sk in unix_dgram_sendmsg Greg Kroah-Hartman
2017-05-18 13:16 ` Greg Kroah-Hartman [this message]
2017-05-18 13:16 ` [PATCH 3.18 41/49] ppp: defer netns reference release for ppp channel Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 42/49] HID: core: prevent out-of-bound readings Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 44/49] sched: panic on corrupted stack end Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 45/49] ALSA: seq: Fix race at timer setup and close Greg Kroah-Hartman
2017-05-18 13:16 ` [PATCH 3.18 46/49] ALSA: timer: Fix race among timer ioctls Greg Kroah-Hartman
2017-05-18 17:29 ` [PATCH 3.18 00/49] 3.18.54-stable review Shuah Khan
2017-05-19 1:04 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170518131644.768363983@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Matt.Bennett@alliedtelesis.co.nz \
--cc=amit.pundir@linaro.org \
--cc=davem@davemloft.net \
--cc=g.nault@alphalink.fr \
--cc=gorcunov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-ppp@vger.kernel.org \
--cc=paulus@samba.org \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.