From: David Miller <davem@davemloft.net>
To: michael.chan@broadcom.com
Cc: wangyufen@huawei.com, siva.kallam@broadcom.com,
prashant@broadcom.com, mchan@broadcom.com,
netdev@vger.kernel.org
Subject: Re: [PATCH] tg3: Avoid NULL pointer dereference in tg3_get_nstats()
Date: Thu, 05 Jan 2017 15:17:05 -0500 (EST)
Message-ID: <20170105.151705.2187713228201334532.davem@davemloft.net>
In-Reply-To: <CACKFLimPkD6hxECA+ZhH+7BVmVSoJ1GfAMZyJ7S50CbhiuC0mA@mail.gmail.com>

From: Michael Chan <michael.chan@broadcom.com>
Date: Thu, 5 Jan 2017 12:04:13 -0800

> But it looks like ndo_get_stats() can be called without rtnl lock from
> net-procfs.c. So it is possible that we'll read tp->hw_stats after it
> has been freed. For example, if we are reading /proc/net/dev and
> closing tg3 at the same time. David, is not taking rtnl_lock in
> net-procfs.c by design?

Probably not, that dev_get_stats() call probably should be surrounded
by RTNL protection.

Doing a quick grep on dev_get_stats() shows other call sites, most of
which are using it to fetch slave device statistics from the get stats
method of the parent. Which should be ok.

It appears that the vlan procfs code in net/8021q/vlanproc.c has a
similar bug as net/core/net-procfs.c

Maybe net/core/net-sysfs.c has the same issue as well, and perhaps also
net/openvswitch/vport.c:ovs_vport_get_stats().
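
A user-space C model of the race discussed in this message, added here as an illustration and not code from the thread, the tg3 driver or the kernel: the statistics reader takes the same lock that close holds while freeing the buffer, and checks the pointer under that lock. The `model_*` names and the pthread mutex standing in for RTNL are assumptions.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

/* User-space model; every name here is hypothetical, not kernel or tg3 code. */
struct hw_stats { uint64_t rx_packets; };
struct model_dev {
    struct hw_stats *hw_stats;  /* allocated on open, freed on close */
    struct hw_stats saved;      /* totals preserved across close */
};

/* Stands in for the RTNL lock that serializes open and close. */
static pthread_mutex_t model_rtnl = PTHREAD_MUTEX_INITIALIZER;

int model_open(struct model_dev *d)
{
    pthread_mutex_lock(&model_rtnl);
    if (!d->hw_stats)
        d->hw_stats = calloc(1, sizeof(*d->hw_stats));
    int ok = d->hw_stats != NULL;
    pthread_mutex_unlock(&model_rtnl);
    return ok ? 0 : -1;
}

/* Simulated hardware counter update; ignored while the device is closed. */
void model_rx(struct model_dev *d, uint64_t n)
{
    pthread_mutex_lock(&model_rtnl);
    if (d->hw_stats)
        d->hw_stats->rx_packets += n;
    pthread_mutex_unlock(&model_rtnl);
}

/* Close: fold live counters into the saved totals, then free and clear. */
void model_close(struct model_dev *d)
{
    pthread_mutex_lock(&model_rtnl);
    if (d->hw_stats) {
        d->saved.rx_packets += d->hw_stats->rx_packets;
        free(d->hw_stats);
        d->hw_stats = NULL;
    }
    pthread_mutex_unlock(&model_rtnl);
}

/* Reader (the /proc/net/dev side): holds the lock close uses and re-checks
 * the pointer, so it never dereferences a freed or NULL buffer. */
uint64_t model_get_rx(struct model_dev *d)
{
    pthread_mutex_lock(&model_rtnl);
    uint64_t total = d->saved.rx_packets;
    if (d->hw_stats)
        total += d->hw_stats->rx_packets;
    pthread_mutex_unlock(&model_rtnl);
    return total;
}
```

Without the lock in `model_get_rx()`, the pointer check alone would not help: close could free the buffer between the check and the read.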

Thread overview: 5+ messages
2017-01-05 14:13 [PATCH] tg3: Avoid NULL pointer dereference in tg3_get_nstats() Wang Yufen
2017-01-05 17:33 ` David Miller
2017-01-05 20:04 ` Michael Chan
2017-01-05 20:17 ` David Miller [this message]
2017-01-05 21:53 ` Michael Chan