Patch "netpoll: fix NULL pointer dereference in netpoll_cleanup" has been added to the 3.11-stable tree

This is a note to let you know that I've just added the patch titled

    netpoll: fix NULL pointer dereference in netpoll_cleanup

to the 3.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netpoll-fix-null-pointer-dereference-in-netpoll_cleanup.patch
and it can be found in the queue-3.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 92b2199beb548be746037cc1ed6dd91007b6a237 Mon Sep 17 00:00:00 2001
From: Nikolay Aleksandrov <nikolay@xxxxxxxxxx>
Date: Thu, 19 Sep 2013 15:02:35 +0200
Subject: netpoll: fix NULL pointer dereference in netpoll_cleanup

From: Nikolay Aleksandrov <nikolay@xxxxxxxxxx>

[ Upstream commit d0fe8c888b1fd1a2f84b9962cabcb98a70988aec ]

I've been hitting a NULL ptr deref while using netconsole because the
np->dev check and the pointer manipulation in netpoll_cleanup are done
without rtnl and the following sequence happens when having a netconsole
over a vlan and we remove the vlan while disabling the netconsole:
	CPU 1					CPU2
					removes vlan and calls the notifier
enters store_enabled(), calls
netdev_cleanup which checks np->dev
and then waits for rtnl
					executes the netconsole netdev
					release notifier making np->dev
					== NULL and releases rtnl
continues to dereference a member of
np->dev which at this point is == NULL

Signed-off-by: Nikolay Aleksandrov <nikolay@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/core/netpoll.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -1284,15 +1284,14 @@ EXPORT_SYMBOL_GPL(__netpoll_free_async);
 
 void netpoll_cleanup(struct netpoll *np)
 {
-	if (!np->dev)
-		return;
-
 	rtnl_lock();
+	if (!np->dev)
+		goto out;
 	__netpoll_cleanup(np);
-	rtnl_unlock();
-
 	dev_put(np->dev);
 	np->dev = NULL;
+out:
+	rtnl_unlock();
 }
 EXPORT_SYMBOL(netpoll_cleanup);
 
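Review bot: the relocated `if (!np->dev)` test directly after `rtnl_lock()` carries no comment saying it has to stay under rtnl, so a later cleanup could hoist it back out as an early return and reintroduce the race described in the commit message. A one-line comment at that check, noting that the netconsole netdev release notifier sets np->dev to NULL while holding rtnl, would document the ordering requirement. Since `out:` only guards a single `rtnl_unlock()`, the goto could also be replaced by wrapping `__netpoll_cleanup(np)`, `dev_put(np->dev)` and `np->dev = NULL` in `if (np->dev) { ... }`, which keeps one unlock path without a label.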


Patches currently in stable-queue which might be from nikolay@xxxxxxxxxx are

queue-3.11/netpoll-fix-null-pointer-dereference-in-netpoll_cleanup.patch
queue-3.11/net-flow_dissector-fix-thoff-for-ipproto_ah.patch