netdev.vger.kernel.org archive mirror
From: Nikolay Aleksandrov <nikolay@redhat.com>
To: netdev@vger.kernel.org
Cc: davem@davemloft.net
Subject: Re: [PATCH -net] netpoll: fix NULL pointer dereference in netpoll_cleanup
Date: Tue, 17 Sep 2013 16:37:05 +0200
Message-ID: <52386911.2010504@redhat.com>
In-Reply-To: <1379427155-8561-1-git-send-email-nikolay@redhat.com>

On 09/17/2013 04:12 PM, Nikolay Aleksandrov wrote:
> I've been hitting a NULL ptr deref while using netconsole because the
> np->dev check and the pointer manipulation in netpoll_cleanup are done
> without rtnl and the following sequence happens when having a netconsole
> over a vlan and we remove the vlan while disabling the netconsole:
> 	CPU 1					CPU2
> 					removes vlan and calls the notifier
> enters store_enabled(), calls
> netdev_cleanup which checks np->dev
> and then waits for rtnl
> 					executes the netconsole netdev
> 					release notifier making np->dev
> 					== NULL and releases rtnl
> continues to dereference a member of
> np->dev which at this point is == NULL
> 
> Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
> ---

Just FYI there seems to be a deadlock in netconsole as well:
rtnl -> nt->mutex in the notifier coupled with
nt->mutex -> rtnl in store_enabled()

I can re-post a patchset that fixes these together, because after this is
applied the NULL pointer dereference is not hit, but the deadlock is easily hit.
The deadlock was introduced in commit 7a163bfb7ce50895bbe67300ea610d31b9c09230
("netconsole: avoid a crash with multiple sysfs writers").

Nik
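
The lock-order inversion described in this message (rtnl -> nt->mutex in the notifier, nt->mutex -> rtnl in store_enabled()) can be detected by replaying the two acquisition orders through a small order tracker. This is an added userspace C illustration, not code from the thread or the kernel; `order_tracker`, `track_lock`, `replay_path` and `store_enabled_conflicts` are hypothetical names, and the second call in `main` is a control case, not the fix that was posted.

```c
#include <stdio.h>

enum { RTNL, NT_MUTEX, NLOCKS };  /* ids for this sketch; names follow the message */

struct order_tracker {
    int held[NLOCKS];            /* locks held by the path being replayed */
    int depth;
    int before[NLOCKS][NLOCKS];  /* before[a][b]: a was held when b was taken */
};

/* Record one acquisition; return 1 if it reverses an order seen earlier. */
static int track_lock(struct order_tracker *t, int lock)
{
    int inverted = 0;
    for (int i = 0; i < t->depth; i++) {
        int h = t->held[i];
        if (t->before[lock][h])
            inverted = 1;        /* lock -> h was recorded; this is h -> lock */
        t->before[h][lock] = 1;
    }
    if (t->depth < NLOCKS)
        t->held[t->depth++] = lock;
    return inverted;
}

/* Replay a path that takes `outer`, then `inner`, then drops both. */
static int replay_path(struct order_tracker *t, int outer, int inner)
{
    int bad = track_lock(t, outer);
    bad |= track_lock(t, inner);
    t->depth = 0;
    return bad;
}

/* Constructed replay: the notifier path, then a store_enabled() path whose
 * order is given by the caller. Returns 1 when the two orders conflict. */
static int store_enabled_conflicts(int outer, int inner)
{
    struct order_tracker t = {0};
    int bad = replay_path(&t, RTNL, NT_MUTEX);  /* notifier: rtnl -> nt->mutex */
    bad |= replay_path(&t, outer, inner);
    return bad;
}
int main(void)
{
    printf("nt->mutex -> rtnl conflicts: %d\n", store_enabled_conflicts(NT_MUTEX, RTNL));
    printf("rtnl -> nt->mutex conflicts: %d\n", store_enabled_conflicts(RTNL, NT_MUTEX));
    return 0;
}
```

The conflict is reported without any threads running, because each path only has to be observed once for the reversed order to show up.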
