From: Eric Dumazet <eric.dumazet@gmail.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: Pavel Emelyanov <xemul@openvz.org>,
Igor M Podlesny <for.poige+bugzilla.kernel.org@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
netdev@vger.kernel.org, Cyrill Gorcunov <gorcunov@gmail.com>
Subject: [PATCH] pppoe: fix race at init time
Date: Tue, 28 Jul 2009 19:46:37 +0200
Message-ID: <4A6F397D.6010606@gmail.com>
In-Reply-To: <4A6F017B.4060909@gmail.com>
Eric Dumazet wrote:
> Eric Dumazet wrote:
>> Seems drivers/net/pppol2tp.c is a suspect...
>>
>> It uses register_pernet_gen_device() from pppol2tp_init()
>> but doesn't call unregister_pernet_gen_device()
>
> OK patch seems really easy...
>
> This bug was added in commit 4e9fb8016a351b5b9da7fea32bcfdbc9d836e421
> net: pppol2tp - introduce net-namespace functionality
>
> So this is a stable candidate I guess ?
>
> Thank you

So Igor still has a panic... let's try a third patch then :)

[PATCH] pppoe: fix race at init time

I believe we have a race in pppoe_init():

As soon as dev_add_pack(&pppoes_ptype); and/or dev_add_pack(&pppoed_ptype);
are called, we can receive packets while nets are not yet fully ready
(i.e. pppoe_init_net() not yet called)

This means we should be prepared to get a NULL pointer
from net_generic(net, pppoe_net_id) call.

We miss this NULL check in get_item() and possibly crash if this net
has no struct pppoe_net attached yet. Other subroutines
are safe.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
index f0031f1..e50af8c 100644
--- a/drivers/net/pppoe.c
+++ b/drivers/net/pppoe.c
@@ -237,14 +237,15 @@ static struct pppox_sock *__delete_item(struct pppoe_net *pn, __be16 sid,
static inline struct pppox_sock *get_item(struct pppoe_net *pn, __be16 sid,
unsigned char *addr, int ifindex)
{
- struct pppox_sock *po;
-
- read_lock_bh(&pn->hash_lock);
- po = __get_item(pn, sid, addr, ifindex);
- if (po)
- sock_hold(sk_pppox(po));
- read_unlock_bh(&pn->hash_lock);
-
+ struct pppox_sock *po = NULL;
+
+ if (pn) {
+ read_lock_bh(&pn->hash_lock);
+ po = __get_item(pn, sid, addr, ifindex);
+ if (po)
+ sock_hold(sk_pppox(po));
+ read_unlock_bh(&pn->hash_lock);
+ }
return po;
}
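
Review bot: the new `if (pn)` guard in get_item() carries no comment explaining why pn can legitimately be NULL here, and the reason (packet handlers registered by dev_add_pack() can run before pppoe_init_net() has attached a struct pppoe_net) is not obvious from the function alone, so a one-line comment above the check would keep a later cleanup from removing it. An early `if (!pn) return NULL;` before the lock would also give the same behaviour without re-indenting the whole locked section, which keeps the diff to two added lines and makes it easier to backport. The guard treats the symptom in one reader only: the changelog describes the window as opening when dev_add_pack() is called before the per-net state is ready, so it is worth stating in the changelog whether reordering the registration in pppoe_init() was considered, and naming the "other subroutines" that were checked, since this hunk shows only get_item().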