netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Wang Chen <wangchen@cn.fujitsu.com>
To: Patrick McHardy <kaber@trash.net>
Cc: "David S. Miller" <davem@davemloft.net>, NETDEV <netdev@vger.kernel.org>
Subject: Re: v3 [PATCH net-next 5/7] ipv4: Check return of dev_set_allmulti
Date: Tue, 08 Jul 2008 17:41:35 +0800	[thread overview]
Message-ID: <4873364F.1030709@cn.fujitsu.com> (raw)
In-Reply-To: <4871FC5C.9030106@trash.net>

Patrick McHardy said the following on 2008-7-7 19:22:
>>      case 0:
>>          dev = ip_dev_find(&init_net, vifc->vifc_lcl_addr.s_addr);
>>          if (!dev)
>>              return -EADDRNOTAVAIL;
>>          dev_put(dev);
>> +        err = dev_set_allmulti(dev, 1);
>> +        if (err)
>> +            return err;
> 
> Also looks like a use after free, but again, one that is
> already present without your patch.
> 

Here is the patch for fixing use after free.
It fixes both ipv4 and ipv6 side and on top of my patches.
This patch will be the 6/8 of the series.

I will wait for Patrick's ack and resend the whole series again.

Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com>
---
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index a55a23a..23fa3f3 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -441,8 +441,10 @@ static int vif_add(struct vifctl *vifc, int mrtsock)
 		dev = ipmr_reg_vif();
 		if (!dev)
 			return -ENOBUFS;
+		dev_hold(dev);
 		err = dev_set_allmulti(dev, 1);
 		if (err) {
+			dev_put(dev);
 			unregister_netdevice(dev);
 			return err;
 		}
@@ -452,8 +454,10 @@ static int vif_add(struct vifctl *vifc, int mrtsock)
 		dev = ipmr_new_tunnel(vifc);
 		if (!dev)
 			return -ENOBUFS;
+		dev_hold(dev);
 		err = dev_set_allmulti(dev, 1);
 		if (err) {
+			dev_put(dev);
 			ipmr_del_tunnel(dev, vifc);
 			return err;
 		}
@@ -462,10 +466,11 @@ static int vif_add(struct vifctl *vifc, int mrtsock)
 		dev = ip_dev_find(&init_net, vifc->vifc_lcl_addr.s_addr);
 		if (!dev)
 			return -EADDRNOTAVAIL;
-		dev_put(dev);
 		err = dev_set_allmulti(dev, 1);
-		if (err)
+		if (err) {
+			dev_put(dev);
 			return err;
+		}
 		break;
 	default:
 		return -EINVAL;
@@ -496,7 +501,6 @@ static int vif_add(struct vifctl *vifc, int mrtsock)
 
 	/* And finish update writing critical data */
 	write_lock_bh(&mrt_lock);
-	dev_hold(dev);
 	v->dev=dev;
 #ifdef CONFIG_IP_PIMSM
 	if (v->flags&VIFF_REGISTER)
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 6cd286d..a9bd74d 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -621,8 +621,10 @@ static int mif6_add(struct mif6ctl *vifc, int mrtsock)
 		dev = ip6mr_reg_vif();
 		if (!dev)
 			return -ENOBUFS;
+		dev_hold(dev);
 		err = dev_set_allmulti(dev, 1);
 		if (err) {
+			dev_put(dev);
 			unregister_netdevice(dev);
 			return err;
 		}
@@ -632,10 +634,11 @@ static int mif6_add(struct mif6ctl *vifc, int mrtsock)
 		dev = dev_get_by_index(&init_net, vifc->mif6c_pifi);
 		if (!dev)
 			return -EADDRNOTAVAIL;
-		dev_put(dev);
 		err = dev_set_allmulti(dev, 1);
-		if (err)
+		if (err) {
+			dev_put(dev);
 			return err;
+		}
 		break;
 	default:
 		return -EINVAL;
@@ -659,7 +662,6 @@ static int mif6_add(struct mif6ctl *vifc, int mrtsock)
 
 	/* And finish update writing critical data */
 	write_lock_bh(&mrt_lock);
-	dev_hold(dev);
 	v->dev = dev;
 #ifdef CONFIG_IPV6_PIMSM_V2
 	if (v->flags & MIFF_REGISTER)


  parent reply	other threads:[~2008-07-08  9:46 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-07-07  2:31 v3 [PATCH net-next 0/7] Check return of dev_set_promiscuity/allmulti Wang Chen
2008-07-07  2:33 ` v3 [PATCH net-next 1/7] af_packet: " Wang Chen
2008-07-07  2:34 ` v3 [PATCH net-next 2/7] bonding: " Wang Chen
2008-07-07  2:35 ` v3 [PATCH net-next 3/7] bridge: Check return of dev_set_promiscuity Wang Chen
2008-07-07  2:36 ` v3 [PATCH net-next 4/7] ipv6: Check return of dev_set_allmulti Wang Chen
2008-07-07 11:20   ` Patrick McHardy
2008-07-07 13:17     ` Wang Chen
2008-07-07 13:26       ` Patrick McHardy
2008-07-07 14:45         ` Wang Chen
2008-07-07  2:37 ` v3 [PATCH net-next 5/7] ipv4: " Wang Chen
2008-07-07 11:22   ` Patrick McHardy
2008-07-08  9:34     ` Wang Chen
2008-07-14  1:14       ` Wang Chen
2008-07-08  9:41     ` Wang Chen [this message]
2008-07-14  1:05       ` Wang Chen
2008-07-07  2:38 ` v3 [PATCH net-next 6/7] macvlan: " Wang Chen
2008-07-07  2:38 ` v3 [PATCH net-next 7/7] 8021q: Check return of dev_set_promiscuity/allmulti Wang Chen
  -- strict thread matches above, loose matches on Subject: below --
2008-07-01  3:19 [PATCH net-next 0/7] " Wang Chen
2008-07-01  3:27 ` v2 [PATCH net-next 5/7] ipv4: Check return of dev_set_allmulti Wang Chen
2008-07-01  9:40   ` Patrick McHardy
2008-07-02  8:24     ` v3 " Wang Chen
2008-07-02 12:55       ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4873364F.1030709@cn.fujitsu.com \
    --to=wangchen@cn.fujitsu.com \
    --cc=davem@davemloft.net \
    --cc=kaber@trash.net \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).