From: ebiederm@xmission.com (Eric W. Biederman)
To: "Stoyan Gaydarov" <stoyboyker@gmail.com>
Cc: "Denis V. Lunev" <den@openvz.org>,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
"Alexey Dobriyan" <adobriyan@openvz.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 9/12] ipv4: assign PDE->data before gluing PDE into /proc tree
Date: Fri, 11 Jul 2008 20:42:51 -0700 [thread overview]
Message-ID: <m1abgn6a4k.fsf@frodo.ebiederm.org> (raw)
In-Reply-To: <6d291e080807112012r7ae44318oc41366b83d484b7f@mail.gmail.com> (Stoyan Gaydarov's message of "Fri, 11 Jul 2008 22:12:30 -0500")
"Stoyan Gaydarov" <stoyboyker@gmail.com> writes:
> First off, sorry to bring such an old email back but I can seem to get
> a bad feeling when looking back over it.
>
> On Tue, Apr 29, 2008 at 6:13 AM, Denis V. Lunev <den@openvz.org> wrote:
>> The check for PDE->data != NULL becomes useless after the replacement
>> of proc_net_fops_create with proc_create_data.
>>
>> Signed-off-by: Denis V. Lunev <den@openvz.org>
>> Cc: Alexey Dobriyan <adobriyan@openvz.org>
>> Cc: Eric W. Biederman <ebiederm@xmission.com>
>> Cc: David S. Miller <davem@davemloft.net>
>> ---
>> net/ipv4/tcp_ipv4.c | 10 +++-------
>> net/ipv4/udp.c | 7 +++----
>> 2 files changed, 6 insertions(+), 11 deletions(-)
>>
>> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
>> index 7766151..4d97b28 100644
>> --- a/net/ipv4/tcp_ipv4.c
>> +++ b/net/ipv4/tcp_ipv4.c
>> @@ -2214,9 +2214,6 @@ static int tcp_seq_open(struct inode *inode, struct file
> *file)
>> struct tcp_iter_state *s;
>> int err;
>>
>> - if (unlikely(afinfo == NULL))
>> - return -EINVAL;
> I think that this check needs to stay in some form, reason below.
>> -
>> err = seq_open_net(inode, file, &afinfo->seq_ops,
>> sizeof(struct tcp_iter_state));
>> if (err < 0)
>> @@ -2241,10 +2238,9 @@ int tcp_proc_register(struct net *net, struct
> tcp_seq_afinfo *afinfo)
>> afinfo->seq_ops.next = tcp_seq_next;
>> afinfo->seq_ops.stop = tcp_seq_stop;
>>
>> - p = proc_net_fops_create(net, afinfo->name, S_IRUGO, &afinfo->seq_fops);
>> - if (p)
>> - p->data = afinfo;
>> - else
>> + p = proc_create_data(afinfo->name, S_IRUGO, net->proc_net,
>
> When you try to pass in afinfo->name (and also the seq_fops) you are
> assuming that afinfo is not null meaning in the unlikely(as shown
> above) even that it is null you get a very bad null pointer problem.
> If I am just way off do let me know because this just seams to me like
> a bad idea. This is also still present in 2.6.26-rc9.
It appears you are getting things confused. The original window is that tcp_seq_open
(which is what get called when you open the proc file) had a small race that p->data
could be read before it was set.
With proc_create_data that race was closed.
You are saying that it is a problem for tcp_seq_open to be passed a NULL afinfo.
It is. That has nothing to do with the original race (as that is a very
different part of the code). Feel free to audit all of the callers if
you like. That problem however is not subtle or racy.
So I see nothing wrong with this patch unless you can find a problem with
proc_create_data.
Eric
next prev parent reply other threads:[~2008-07-12 3:52 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-29 11:12 [PATCH 0/12] Further PDE->data assignments cleanups Denis V. Lunev
2008-04-29 11:13 ` [PATCH 1/12] sunrpc: assign PDE->data before gluing PDE into /proc tree Denis V. Lunev
2008-05-02 9:44 ` David Miller
2008-04-29 11:13 ` [PATCH 2/12] netfilter: " Denis V. Lunev
2008-05-02 9:45 ` David Miller
2008-04-29 11:13 ` [PATCH 3/12] net: " Denis V. Lunev
2008-05-02 9:46 ` David Miller
2008-04-29 11:13 ` [PATCH 4/12] ipv6: " Denis V. Lunev
2008-05-02 9:47 ` David Miller
2008-04-29 11:13 ` [PATCH 5/12] atm: " Denis V. Lunev
2008-05-02 11:08 ` David Miller
2008-04-29 11:13 ` [PATCH 6/12] vlan: " Denis V. Lunev
2008-05-02 11:09 ` David Miller
2008-04-29 11:13 ` [PATCH 7/12] cciss: " Denis V. Lunev
2008-04-29 15:26 ` Miller, Mike (OS Dev)
2008-04-29 11:13 ` [PATCH 8/12] powerpc: " Denis V. Lunev
2008-04-29 11:13 ` [PATCH 9/12] ipv4: " Denis V. Lunev
2008-05-02 11:10 ` David Miller
2008-07-12 3:12 ` Stoyan Gaydarov
2008-07-12 3:42 ` Eric W. Biederman [this message]
2008-07-12 14:55 ` Denis V. Lunev
2008-04-29 11:13 ` [PATCH 10/12] netfilter: assign PDE->fops " Denis V. Lunev
2008-05-02 11:11 ` David Miller
2008-04-29 11:13 ` [PATCH 11/12] netfilter: assign PDE->data " Denis V. Lunev
2008-04-29 12:01 ` Patrick McHardy
2008-05-02 11:12 ` David Miller
2008-04-29 11:13 ` [PATCH 12/12] netns: assign PDE->data before gluing entry " Denis V. Lunev
2008-05-02 11:12 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1abgn6a4k.fsf@frodo.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=adobriyan@openvz.org \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=den@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stoyboyker@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.