From patchwork Tue May 9 14:42:38 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amit Pundir X-Patchwork-Id: 98927 Delivered-To: patch@linaro.org Received: by 10.140.96.100 with SMTP id j91csp1857534qge; Tue, 9 May 2017 07:43:29 -0700 (PDT) X-Received: by 10.99.163.18 with SMTP id s18mr534444pge.150.1494341009739; Tue, 09 May 2017 07:43:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1494341009; cv=none; d=google.com; s=arc-20160816; b=iDeQbeJQETpGPofLu5MwB004PPtsool0gWmNUUTtamDmMsIsxlWqzypSyECIoyv1Qi hU5gVhR0oG2SRWdsIYU6jbp5++8UtS7lcFH9sTrLUD5W+C7OlDUT4XTRbN9fnHGb/948 1fRpakoXulKqHR3M24850Nvh0o821QDtyclc30lbXHztlWNBMIJTygxAv+FNflVhU3aj ogg2oOIjecky46jp2y2uPIlqd8WepXx3ilQP+uTA5Cv9c4vi43CGgBXEjJoYd2gowbxn Q1kp5HQGCYpNJP0Q7Ya1X1cNnjaDL15lwf23lR9fFDCVRti5Ss3dFmu4Jo3XiJsfI0aO O1Nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=KNgvizFCbbCir765zyMNcMDjaxAgWKcgwfBf2NXj5kQ=; b=gkHknejWZlrKBcmxPBFSVM63HaUq0xVnxa2EGHXnwOxBednNGudjsx/bvnjoDTYcAK r5DWyFD1H7u39nAXDAcyiKwuP3djf7dun53Pv5YL7aBo7DBcDINQxjj9Wx9V4gLEIQVO rI/wmM4KPfASt+HkXqAMqv7EQfZTFweTMJ3K0xaL1apDQ0vbNv4bbtvVzl/Q7G3+xvyc 6wECJOuV5qbr1QurJYrfTMnzA9ug5qhhgHU/VQYgU8yNs8Mk6sZ0tG5Jb74PSnuKWHoG Q4v21gce2VMq6E3rmJ8jwc8fBWOYD5SN7nswXsyi9WWkRB9XGAe6MR1t3/s8X5IIEZTV njig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h2si99892pli.322.2017.05.09.07.43.29; Tue, 09 May 2017 07:43:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754202AbdEIOn2 (ORCPT + 6 others); Tue, 9 May 2017 10:43:28 -0400 Received: from mail-pg0-f43.google.com ([74.125.83.43]:35651 "EHLO mail-pg0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753957AbdEIOn1 (ORCPT ); Tue, 9 May 2017 10:43:27 -0400 Received: by mail-pg0-f43.google.com with SMTP id o3so751895pgn.2 for ; Tue, 09 May 2017 07:43:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=KNgvizFCbbCir765zyMNcMDjaxAgWKcgwfBf2NXj5kQ=; b=JpSPAJ43QchWnqvtFYtxA0vI/lhYe82bFFw5g08aAhK9BehmPReQdT+oZIHHNI2Tio LzyKCVeDpL17eV1OPCqVaap9Wf72fZkxMtif2DWiChGtNMBKGaPxu2AZs4SinbRCc9mt H0Q18T8o6Fdhs/n/5pq7On9h1h5yeL0L7EAlo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=KNgvizFCbbCir765zyMNcMDjaxAgWKcgwfBf2NXj5kQ=; b=bN1Emtay2PzNscWSiRwMVBybISxw6ec3YaBvGbaRP8ke15LcTvHtU61KPgrFwdd5F5 fx8A0Zn9euaRXsuDUKZbN5xY35GfOi9Q4KG1PirWQCdT+3yqgLNnWYcO69EnisthFAJp q6/FkiuUV+dFO4B81/+qdywr8kCzKjPX7oFd8dEy4ldPr1D5rD7QSAO2HFkXX3Ow7AMS hLH2MZVqtthJyc7mWd5YKR536tY0aZUda4g772gK846RbvuIZulMYMTOG3xQIu8FdCzw bDfWJ62IwU+p8BZU4IZJ9DTdQcERPROJajKbO4VbU9KV7cAYTgsIBRdCQCeTfym1wxAT G4Pw== X-Gm-Message-State: AODbwcAecf3fR7QwlC5BjYP1ifb8JdC3z8zAc5A4ls0eIgmoH9Bwekhw pqbqe449zOtQ5zNj X-Received: by 10.84.175.129 with SMTP id t1mr673334plb.190.1494341006762; Tue, 09 May 2017 07:43:26 -0700 (PDT) Received: from localhost.localdomain ([106.51.135.126]) by smtp.gmail.com with ESMTPSA id 11sm341811pfj.59.2017.05.09.07.43.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 09 May 2017 07:43:26 -0700 (PDT) From: Amit Pundir To: Greg KH Cc: stable@vger.kernel.org, WANG Cong , Paul Mackerras , linux-ppp@vger.kernel.org, Guillaume Nault , Cyrill Gorcunov , "David S . Miller" Subject: [PATCH for-3.18 14/24] ppp: defer netns reference release for ppp channel Date: Tue, 9 May 2017 20:12:38 +0530 Message-Id: <1494340968-17152-15-git-send-email-amit.pundir@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org> References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: WANG Cong commit 205e1e255c479f3fd77446415706463b282f94e4 upstream. Matt reported that we have a NULL pointer dereference in ppp_pernet() from ppp_connect_channel(), i.e. pch->chan_net is NULL. This is due to that a parallel ppp_unregister_channel() could happen while we are in ppp_connect_channel(), during which pch->chan_net set to NULL. Since we need a reference to net per channel, it makes sense to sync the refcnt with the life time of the channel, therefore we should release this reference when we destroy it. Fixes: 1f461dcdd296 ("ppp: take reference on channels netns") Reported-by: Matt Bennett Cc: Paul Mackerras Cc: linux-ppp@vger.kernel.org Cc: Guillaume Nault Cc: Cyrill Gorcunov Signed-off-by: Cong Wang Reviewed-by: Cyrill Gorcunov Signed-off-by: David S. Miller Signed-off-by: Amit Pundir --- drivers/net/ppp/ppp_generic.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.7.4 diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index e3fbbbbd84e7..3dd1c19756ec 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -2342,8 +2342,6 @@ ppp_unregister_channel(struct ppp_channel *chan) spin_lock_bh(&pn->all_channels_lock); list_del(&pch->list); spin_unlock_bh(&pn->all_channels_lock); - put_net(pch->chan_net); - pch->chan_net = NULL; pch->file.dead = 1; wake_up_interruptible(&pch->file.rwait); @@ -2960,6 +2958,9 @@ ppp_disconnect_channel(struct channel *pch) */ static void ppp_destroy_channel(struct channel *pch) { + put_net(pch->chan_net); + pch->chan_net = NULL; + atomic_dec(&channel_count); if (!pch->file.dead) {