[PATCH] pppoe: fix race at init time

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Eric Dumazet <eric.dumazet@gmail.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: Pavel Emelyanov <xemul@openvz.org>,
	Igor M Podlesny <for.poige+bugzilla.kernel.org@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	netdev@vger.kernel.org, Cyrill Gorcunov <gorcunov@gmail.com>
Subject: [PATCH] pppoe: fix race at init time
Date: Tue, 28 Jul 2009 19:46:37 +0200	[thread overview]
Message-ID: <4A6F397D.6010606@gmail.com> (raw)
In-Reply-To: <4A6F017B.4060909@gmail.com>

Eric Dumazet a écrit :
> Eric Dumazet a écrit :
>> Seems drivers/net/pppol2tp.c is a suspect...
>>
>> It uses register_pernet_gen_device() from pppol2tp_init()
>> but doesnt call unregister_pernet_gen_device()
> 
> OK patch seems really easy...
> 
> This bug was added in commit 4e9fb8016a351b5b9da7fea32bcfdbc9d836e421
> net: pppol2tp - introduce net-namespace functionality
> 
> So this is a stable candidate I guess ?
> 
> Thank you

So Igor still has a panic... lets try a third patch then :)

[PATCH] pppoe: fix race at init time

I believe we have a race in ppoe_init() :

As soon as dev_add_pack(&pppoes_ptype); and/or dev_add_pack(&pppoed_ptype); 
are called, we can receive packets while nets not yet fully ready
(ie : pppoe_init_net() not yet called)

This means we should be prepared to get a NULL pointer
from net_generic(net, pppoe_net_id) call.

We miss this NULL check in get_item() and possibly crash if this nets 
has no struct pppoe_net attached yet. Other subroutines
are safe.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
index f0031f1..e50af8c 100644
--- a/drivers/net/pppoe.c
+++ b/drivers/net/pppoe.c
@@ -237,14 +237,15 @@ static struct pppox_sock *__delete_item(struct pppoe_net *pn, __be16 sid,
 static inline struct pppox_sock *get_item(struct pppoe_net *pn, __be16 sid,
 					unsigned char *addr, int ifindex)
 {
-	struct pppox_sock *po;
-
-	read_lock_bh(&pn->hash_lock);
-	po = __get_item(pn, sid, addr, ifindex);
-	if (po)
-		sock_hold(sk_pppox(po));
-	read_unlock_bh(&pn->hash_lock);
-
+	struct pppox_sock *po = NULL;
+
+	if (pn) {
+		read_lock_bh(&pn->hash_lock);
+		po = __get_item(pn, sid, addr, ifindex);
+		if (po)
+			sock_hold(sk_pppox(po));
+		read_unlock_bh(&pn->hash_lock);
+	}
 	return po;
 }

next prev parent reply	other threads:[~2009-07-28 17:46 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <bug-13760-10286@http.bugzilla.kernel.org/>
2009-07-22 20:45 ` [Bugme-new] [Bug 13760] New: 2.6.30 kernel locks up with pppoe in back trace (regression) Andrew Morton
2009-07-23  6:39   ` Igor M Podlesny
2009-07-23  7:01     ` Andrew Morton
2009-07-23 16:15       ` David Miller
2009-07-23 17:51         ` Andrew Morton
2009-07-23 17:53           ` David Miller
2009-07-23 19:11             ` Jarek Poplawski
2009-07-25  3:33               ` Herbert Xu
2009-07-25  4:41                 ` Igor M Podlesny
2009-07-28  6:40       ` Igor M Podlesny
2009-07-28  8:44         ` Eric Dumazet
2009-07-28  9:51           ` Pavel Emelyanov
2009-07-28 12:30             ` Eric Dumazet
2009-07-28 12:36               ` [PATCH] net: net_assign_generic() fix Eric Dumazet
2009-07-28 13:03                 ` Pavel Emelyanov
2009-07-28 13:16                   ` Eric Dumazet
2009-07-28 13:22                     ` Eric Dumazet
2009-07-28 13:47                       ` [PATCH] pppol2tp: calls unregister_pernet_gen_device() at unload time Eric Dumazet
2009-07-28 14:29                         ` Cyrill Gorcunov
2009-07-28 17:46                         ` Eric Dumazet [this message]
2009-07-28 18:48                           ` [PATCH] pppoe: fix race at init time Cyrill Gorcunov
2009-07-29  3:55                             ` Igor M Podlesny
2009-07-29  4:33                               ` Eric Dumazet
2009-07-29 14:46                               ` Cyrill Gorcunov
2009-08-12 23:40                                 ` David Miller
2009-08-14 16:42                                   ` Cyrill Gorcunov
2009-07-29  9:43                           ` [PATCH] pppoe: fix /proc/net/pppoe Eric Dumazet
2009-07-30 21:19                             ` David Miller
2009-08-02 19:28                         ` [PATCH] pppol2tp: calls unregister_pernet_gen_device() at unload time David Miller
2009-08-02 19:27                     ` [PATCH] net: net_assign_generic() fix David Miller
2009-07-23 16:14     ` [Bugme-new] [Bug 13760] New: 2.6.30 kernel locks up with pppoe in back trace (regression) David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f0031f1 dfblob:e50af8c )
 OR (
bs:"[PATCH] pppoe: fix race at init time" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4A6F397D.6010606@gmail.com \
    --to=eric.dumazet@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=davem@davemloft.net \
    --cc=for.poige+bugzilla.kernel.org@gmail.com \
    --cc=gorcunov@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=xemul@openvz.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).