From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net
Cc: WANG Cong <xiyou.wangcong@gmail.com>,
Paul Mackerras <paulus@samba.org>,
linux-ppp@vger.kernel.org, Guillaume Nault <g.nault@alphalink.fr>,
Cyrill Gorcunov <gorcunov@openvz.org>,
"David S . Miller" <davem@davemloft.net>,
Willy Tarreau <w@1wt.eu>
Subject: [PATCH 3.10 031/319] ppp: defer netns reference release for ppp channel
Date: Sun, 5 Feb 2017 20:20:18 +0100 [thread overview]
Message-ID: <1486322486-8024-2-git-send-email-w@1wt.eu> (raw)
In-Reply-To: <1486322486-8024-1-git-send-email-w@1wt.eu>
From: WANG Cong <xiyou.wangcong@gmail.com>
commit 205e1e255c479f3fd77446415706463b282f94e4 upstream
Matt reported that we have a NULL pointer dereference
in ppp_pernet() from ppp_connect_channel(),
i.e. pch->chan_net is NULL.
This is due to that a parallel ppp_unregister_channel()
could happen while we are in ppp_connect_channel(), during
which pch->chan_net set to NULL. Since we need a reference
to net per channel, it makes sense to sync the refcnt
with the life time of the channel, therefore we should
release this reference when we destroy it.
Fixes: 1f461dcdd296 ("ppp: take reference on channels netns")
Reported-by: Matt Bennett <Matt.Bennett@alliedtelesis.co.nz>
Cc: Paul Mackerras <paulus@samba.org>
Cc: linux-ppp@vger.kernel.org
Cc: Guillaume Nault <g.nault@alphalink.fr>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
drivers/net/ppp/ppp_generic.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 14a8d29..ab79c0f 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2317,8 +2317,6 @@ ppp_unregister_channel(struct ppp_channel *chan)
spin_lock_bh(&pn->all_channels_lock);
list_del(&pch->list);
spin_unlock_bh(&pn->all_channels_lock);
- put_net(pch->chan_net);
- pch->chan_net = NULL;
pch->file.dead = 1;
wake_up_interruptible(&pch->file.rwait);
@@ -2925,6 +2923,9 @@ ppp_disconnect_channel(struct channel *pch)
*/
static void ppp_destroy_channel(struct channel *pch)
{
+ put_net(pch->chan_net);
+ pch->chan_net = NULL;
+
atomic_dec(&channel_count);
if (!pch->file.dead) {
--
2.8.0.rc2.1.gbe9624a
next prev parent reply other threads:[~2017-02-05 20:22 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-05 19:20 [PATCH 3.10 030/319] PM / devfreq: Fix incorrect type issue Willy Tarreau
2017-02-05 19:20 ` Willy Tarreau [this message]
2017-02-05 19:20 ` [PATCH 3.10 032/319] x86/mm/xen: Suppress hugetlbfs in PV guests Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 033/319] xen: Add RING_COPY_REQUEST() Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 034/319] xen-netback: don't use last request to determine minimum Tx credit Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 035/319] xen-netback: use RING_COPY_REQUEST() throughout Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 036/319] xen-blkback: only read request operation from shared ring once Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 037/319] xen/pciback: Save xen_pci_op commands before processing it Willy Tarreau
2017-02-06 14:33 ` Konrad Rzeszutek Wilk
2017-02-06 22:33 ` Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 038/319] xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 039/319] xen/pciback: Return error on XEN_PCI_OP_enable_msix " Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 040/319] xen/pciback: Do not install an IRQ handler for MSI interrupts Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 041/319] xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 042/319] xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 043/319] xen-pciback: Add name prefix to global 'permissive' variable Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 044/319] x86/xen: fix upper bound of pmd loop in xen_cleanhighmap() Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 045/319] x86/traps: Ignore high word of regs->cs in early_idt_handler_common Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 046/319] x86/mm: Disable preemption during CR3 read+write Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 047/319] x86/apic: Do not init irq remapping if ioapic is disabled Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 048/319] x86/mm/pat, /dev/mem: Remove superfluous error message Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 049/319] x86/paravirt: Do not trace _paravirt_ident_*() functions Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 050/319] x86/build: Build compressed x86 kernels as PIE Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 051/319] x86/um: reuse asm-generic/barrier.h Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 052/319] iommu/amd: Update Alias-DTE in update_device_table() Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 053/319] iommu/amd: Free domain id when free a domain of struct dma_ops_domain Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 054/319] ARM: 8616/1: dt: Respect property size when parsing CPUs Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 055/319] ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 056/319] ARM: sa1100: clear reset status prior to reboot Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 057/319] ARM: sa1111: fix pcmcia suspend/resume Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 058/319] arm64: avoid returning from bad_mode Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 059/319] arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 060/319] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 061/319] arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 062/319] MIPS: Malta: Fix IOCU disable switch read for MIPS64 Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 063/319] MIPS: ptrace: Fix regs_return_value for kernel context Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 064/319] powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 065/319] powerpc/vdso64: Use double word compare on pointers Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 066/319] powerpc/powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data() Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 067/319] powerpc/64: Fix incorrect return value from __copy_tofrom_user Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 068/319] powerpc/nvram: Fix an incorrect partition merge Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 069/319] avr32: fix copy_from_user() Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 070/319] avr32: fix 'undefined reference to `___copy_from_user' Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 071/319] avr32: off by one in at32_init_pio() Willy Tarreau
2017-02-05 19:20 ` [PATCH 3.10 072/319] s390/dasd: fix hanging device after clear subchannel Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 073/319] parisc: Ensure consistent state when switching to kernel stack at syscall entry Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 074/319] microblaze: fix __get_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 075/319] microblaze: fix copy_from_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 076/319] mn10300: failing __get_user() and get_user() should zero Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 077/319] m32r: fix __get_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 078/319] sh64: failing __get_user() should zero Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 079/319] score: fix __get_user/get_user Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 080/319] s390: get_user() should zero on failure Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 081/319] ARC: uaccess: get_user to zero out dest in cause of fault Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 082/319] asm-generic: make get_user() clear the destination on errors Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 083/319] frv: fix clear_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 084/319] cris: buggered copy_from_user/copy_to_user/clear_user Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 085/319] blackfin: fix copy_from_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 086/319] score: fix copy_from_user() and friends Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 087/319] sh: fix copy_from_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 088/319] hexagon: fix strncpy_from_user() error return Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 089/319] mips: copy_from_user() must zero the destination on access_ok() failure Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 090/319] asm-generic: make copy_from_user() zero the destination properly Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 091/319] alpha: fix copy_from_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 092/319] metag: copy_from_user() should zero the destination on access_ok() failure Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 093/319] parisc: fix copy_from_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 094/319] openrisc: " Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 095/319] openrisc: fix the fix of copy_from_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 096/319] mn10300: copy_from_user() should zero on access_ok() failure Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 097/319] sparc32: fix copy_from_user() Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 098/319] ppc32: " Willy Tarreau
2017-02-05 19:21 ` [PATCH 3.10 099/319] ia64: copy_from_user() should zero the destination on access_ok() failure Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1486322486-8024-2-git-send-email-w@1wt.eu \
--to=w@1wt.eu \
--cc=davem@davemloft.net \
--cc=g.nault@alphalink.fr \
--cc=gorcunov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-ppp@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=paulus@samba.org \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).