[PATCH -net v2 0/2] net: netpoll and netconsole fixes

[PATCH -net v2 0/2] net: netpoll and netconsole fixes

[Nikolay Aleksandrov]

Hi,
This small patchset fixes a possible race condition in netpoll_cleanup
which can lead to a NULL pointer dereference because the check and
manipulation of np->dev are done outside of the rtnl lock (patch 01).
The second patch fixes a deadlock in netconsole and does a trivial comment
style fix.

v2: fix the function style in patch 01

Best regards,
 Nikolay Aleksandrov

Nikolay Aleksandrov (2):
  netpoll: fix NULL pointer dereference in netpoll_cleanup
  netconsole: fix a deadlock with rtnl and netconsole's mutex

 drivers/net/netconsole.c | 5 +----
 net/core/netpoll.c       | 9 ++++-----
 2 files changed, 5 insertions(+), 9 deletions(-)

-- 
1.8.1.4

[PATCH -net v2 1/2] netpoll: fix NULL pointer dereference in netpoll_cleanup

[Nikolay Aleksandrov]

I've been hitting a NULL ptr deref while using netconsole because the
np->dev check and the pointer manipulation in netpoll_cleanup are done
without rtnl and the following sequence happens when having a netconsole
over a vlan and we remove the vlan while disabling the netconsole:
	CPU 1					CPU2
					removes vlan and calls the notifier
enters store_enabled(), calls
netdev_cleanup which checks np->dev
and then waits for rtnl
					executes the netconsole netdev
					release notifier making np->dev
					== NULL and releases rtnl
continues to dereference a member of
np->dev which at this point is == NULL

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
---
v2: fix the style as requested

 net/core/netpoll.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 2c637e9..2ba363d 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -1284,15 +1284,14 @@ EXPORT_SYMBOL_GPL(__netpoll_free_async);
 
 void netpoll_cleanup(struct netpoll *np)
 {
-	if (!np->dev)
-		return;
-
 	rtnl_lock();
+	if (!np->dev)
+		goto out;
 	__netpoll_cleanup(np);
-	rtnl_unlock();
-
 	dev_put(np->dev);
 	np->dev = NULL;
+out:
+	rtnl_unlock();
 }
 EXPORT_SYMBOL(netpoll_cleanup);
 
-- 
1.8.1.4

[PATCH -net v2 2/2] netconsole: fix a deadlock with rtnl and netconsole's mutex

[Nikolay Aleksandrov]

This bug was introduced by commit
7a163bfb7ce50895bbe67300ea610d31b9c09230 ("netconsole: avoid a crash with
multiple sysfs writers"). In store_enabled() we have the following
sequence: acquire nt->mutex then rtnl, but in the netconsole netdev
notifier we have rtnl then nt->mutex effectively leading to a deadlock.
The NULL pointer dereference that the above commit tries to fix is
actually due to another bug in netpoll_cleanup(). This is fixed by dropping
the mutex from the netdev notifier as it's already protected by rtnl.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
---
v2: new patch dependent on the fix from patch 01

 drivers/net/netconsole.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c
index dcb2134..adeee61 100644
--- a/drivers/net/netconsole.c
+++ b/drivers/net/netconsole.c
@@ -684,15 +684,12 @@ restart:
 			case NETDEV_RELEASE:
 			case NETDEV_JOIN:
 			case NETDEV_UNREGISTER:
-				/*
-				 * rtnl_lock already held
+				/* rtnl_lock already held
 				 * we might sleep in __netpoll_cleanup()
 				 */
 				spin_unlock_irqrestore(&target_list_lock, flags);
 
-				mutex_lock(&nt->mutex);
 				__netpoll_cleanup(&nt->np);
-				mutex_unlock(&nt->mutex);
 
 				spin_lock_irqsave(&target_list_lock, flags);
 				dev_put(nt->np.dev);
-- 
1.8.1.4

Re: [PATCH -net v2 0/2] net: netpoll and netconsole fixes

[David Miller]

From: Nikolay Aleksandrov <nikolay@redhat.com>
Date: Thu, 19 Sep 2013 15:02:34 +0200

> This small patchset fixes a possible race condition in netpoll_cleanup
> which can lead to a NULL pointer dereference because the check and
> manipulation of np->dev are done outside of the rtnl lock (patch 01).
> The second patch fixes a deadlock in netconsole and does a trivial comment
> style fix.

Both applied and queued up for -stable, thanks.