From: Willy Tarreau <w@1wt.eu> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net Cc: WANG Cong <xiyou.wangcong@gmail.com>, Paul Mackerras <paulus@samba.org>, linux-ppp@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>, Cyrill Gorcunov <gorcunov@openvz.org>, "David S . Miller" <davem@davemloft.net>, Willy Tarreau <w@1wt.eu> Subject: [PATCH 3.10 031/319] ppp: defer netns reference release for ppp channel Date: Sun, 5 Feb 2017 20:20:18 +0100 [thread overview] Message-ID: <1486322486-8024-2-git-send-email-w@1wt.eu> (raw) In-Reply-To: <1486322486-8024-1-git-send-email-w@1wt.eu> From: WANG Cong <xiyou.wangcong@gmail.com> commit 205e1e255c479f3fd77446415706463b282f94e4 upstream Matt reported that we have a NULL pointer dereference in ppp_pernet() from ppp_connect_channel(), i.e. pch->chan_net is NULL. This is due to that a parallel ppp_unregister_channel() could happen while we are in ppp_connect_channel(), during which pch->chan_net set to NULL. Since we need a reference to net per channel, it makes sense to sync the refcnt with the life time of the channel, therefore we should release this reference when we destroy it. Fixes: 1f461dcdd296 ("ppp: take reference on channels netns") Reported-by: Matt Bennett <Matt.Bennett@alliedtelesis.co.nz> Cc: Paul Mackerras <paulus@samba.org> Cc: linux-ppp@vger.kernel.org Cc: Guillaume Nault <g.nault@alphalink.fr> Cc: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu> --- drivers/net/ppp/ppp_generic.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 14a8d29..ab79c0f 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -2317,8 +2317,6 @@ ppp_unregister_channel(struct ppp_channel *chan) spin_lock_bh(&pn->all_channels_lock); list_del(&pch->list); spin_unlock_bh(&pn->all_channels_lock); - put_net(pch->chan_net); - pch->chan_net = NULL; pch->file.dead = 1; wake_up_interruptible(&pch->file.rwait); @@ -2925,6 +2923,9 @@ ppp_disconnect_channel(struct channel *pch) */ static void ppp_destroy_channel(struct channel *pch) { + put_net(pch->chan_net); + pch->chan_net = NULL; + atomic_dec(&channel_count); if (!pch->file.dead) { -- 2.8.0.rc2.1.gbe9624a
WARNING: multiple messages have this Message-ID (diff)
From: Willy Tarreau <w@1wt.eu> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net Cc: WANG Cong <xiyou.wangcong@gmail.com>, Paul Mackerras <paulus@samba.org>, linux-ppp@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>, Cyrill Gorcunov <gorcunov@openvz.org>, "David S . Miller" <davem@davemloft.net>, Willy Tarreau <w@1wt.eu> Subject: [PATCH 3.10 031/319] ppp: defer netns reference release for ppp channel Date: Sun, 05 Feb 2017 19:20:18 +0000 [thread overview] Message-ID: <1486322486-8024-2-git-send-email-w@1wt.eu> (raw) In-Reply-To: <1486322486-8024-1-git-send-email-w@1wt.eu> From: WANG Cong <xiyou.wangcong@gmail.com> commit 205e1e255c479f3fd77446415706463b282f94e4 upstream Matt reported that we have a NULL pointer dereference in ppp_pernet() from ppp_connect_channel(), i.e. pch->chan_net is NULL. This is due to that a parallel ppp_unregister_channel() could happen while we are in ppp_connect_channel(), during which pch->chan_net set to NULL. Since we need a reference to net per channel, it makes sense to sync the refcnt with the life time of the channel, therefore we should release this reference when we destroy it. Fixes: 1f461dcdd296 ("ppp: take reference on channels netns") Reported-by: Matt Bennett <Matt.Bennett@alliedtelesis.co.nz> Cc: Paul Mackerras <paulus@samba.org> Cc: linux-ppp@vger.kernel.org Cc: Guillaume Nault <g.nault@alphalink.fr> Cc: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu> --- drivers/net/ppp/ppp_generic.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 14a8d29..ab79c0f 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -2317,8 +2317,6 @@ ppp_unregister_channel(struct ppp_channel *chan) spin_lock_bh(&pn->all_channels_lock); list_del(&pch->list); spin_unlock_bh(&pn->all_channels_lock); - put_net(pch->chan_net); - pch->chan_net = NULL; pch->file.dead = 1; wake_up_interruptible(&pch->file.rwait); @@ -2925,6 +2923,9 @@ ppp_disconnect_channel(struct channel *pch) */ static void ppp_destroy_channel(struct channel *pch) { + put_net(pch->chan_net); + pch->chan_net = NULL; + atomic_dec(&channel_count); if (!pch->file.dead) { -- 2.8.0.rc2.1.gbe9624a
next prev parent reply other threads:[~2017-02-05 20:22 UTC|newest] Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-02-05 19:20 [PATCH 3.10 030/319] PM / devfreq: Fix incorrect type issue Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau [this message] 2017-02-05 19:20 ` [PATCH 3.10 031/319] ppp: defer netns reference release for ppp channel Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 032/319] x86/mm/xen: Suppress hugetlbfs in PV guests Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 033/319] xen: Add RING_COPY_REQUEST() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 034/319] xen-netback: don't use last request to determine minimum Tx credit Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 035/319] xen-netback: use RING_COPY_REQUEST() throughout Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 036/319] xen-blkback: only read request operation from shared ring once Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 037/319] xen/pciback: Save xen_pci_op commands before processing it Willy Tarreau 2017-02-06 14:33 ` Konrad Rzeszutek Wilk 2017-02-06 22:33 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 038/319] xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 039/319] xen/pciback: Return error on XEN_PCI_OP_enable_msix " Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 040/319] xen/pciback: Do not install an IRQ handler for MSI interrupts Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 041/319] xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 042/319] xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 043/319] xen-pciback: Add name prefix to global 'permissive' variable Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 044/319] x86/xen: fix upper bound of pmd loop in xen_cleanhighmap() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 045/319] x86/traps: Ignore high word of regs->cs in early_idt_handler_common Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 046/319] x86/mm: Disable preemption during CR3 read+write Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 047/319] x86/apic: Do not init irq remapping if ioapic is disabled Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 048/319] x86/mm/pat, /dev/mem: Remove superfluous error message Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 049/319] x86/paravirt: Do not trace _paravirt_ident_*() functions Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 050/319] x86/build: Build compressed x86 kernels as PIE Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 051/319] x86/um: reuse asm-generic/barrier.h Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 052/319] iommu/amd: Update Alias-DTE in update_device_table() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 053/319] iommu/amd: Free domain id when free a domain of struct dma_ops_domain Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 054/319] ARM: 8616/1: dt: Respect property size when parsing CPUs Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 055/319] ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 056/319] ARM: sa1100: clear reset status prior to reboot Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 057/319] ARM: sa1111: fix pcmcia suspend/resume Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 058/319] arm64: avoid returning from bad_mode Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 059/319] arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 060/319] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 061/319] arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 062/319] MIPS: Malta: Fix IOCU disable switch read for MIPS64 Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 063/319] MIPS: ptrace: Fix regs_return_value for kernel context Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 064/319] powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 065/319] powerpc/vdso64: Use double word compare on pointers Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 066/319] powerpc/powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 067/319] powerpc/64: Fix incorrect return value from __copy_tofrom_user Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 068/319] powerpc/nvram: Fix an incorrect partition merge Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 069/319] avr32: fix copy_from_user() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 070/319] avr32: fix 'undefined reference to `___copy_from_user' Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 071/319] avr32: off by one in at32_init_pio() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 072/319] s390/dasd: fix hanging device after clear subchannel Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 073/319] parisc: Ensure consistent state when switching to kernel stack at syscall entry Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 074/319] microblaze: fix __get_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 075/319] microblaze: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 076/319] mn10300: failing __get_user() and get_user() should zero Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 077/319] m32r: fix __get_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 078/319] sh64: failing __get_user() should zero Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 079/319] score: fix __get_user/get_user Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 080/319] s390: get_user() should zero on failure Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 081/319] ARC: uaccess: get_user to zero out dest in cause of fault Willy Tarreau 2017-02-05 19:21 ` Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 082/319] asm-generic: make get_user() clear the destination on errors Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 083/319] frv: fix clear_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 084/319] cris: buggered copy_from_user/copy_to_user/clear_user Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 085/319] blackfin: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 086/319] score: fix copy_from_user() and friends Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 087/319] sh: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 088/319] hexagon: fix strncpy_from_user() error return Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 089/319] mips: copy_from_user() must zero the destination on access_ok() failure Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 090/319] asm-generic: make copy_from_user() zero the destination properly Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 091/319] alpha: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 092/319] metag: copy_from_user() should zero the destination on access_ok() failure Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 093/319] parisc: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 094/319] openrisc: " Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 095/319] openrisc: fix the fix of copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 096/319] mn10300: copy_from_user() should zero on access_ok() failure Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 097/319] sparc32: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 098/319] ppc32: " Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 099/319] ia64: copy_from_user() should zero the destination on access_ok() failure Willy Tarreau
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1486322486-8024-2-git-send-email-w@1wt.eu \ --to=w@1wt.eu \ --cc=davem@davemloft.net \ --cc=g.nault@alphalink.fr \ --cc=gorcunov@openvz.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-ppp@vger.kernel.org \ --cc=linux@roeck-us.net \ --cc=paulus@samba.org \ --cc=stable@vger.kernel.org \ --cc=xiyou.wangcong@gmail.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.