From patchwork Thu Oct 13 02:04:29 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
X-Patchwork-Id: 119338
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id F2397B6F64
	for <patchwork-incoming@ozlabs.org>;
	Thu, 13 Oct 2011 12:59:38 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752040Ab1JMB7O (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 12 Oct 2011 21:59:14 -0400
Received: from mail9.hitachi.co.jp ([133.145.228.44]:58443 "EHLO
	mail9.hitachi.co.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751743Ab1JMB7N (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 12 Oct 2011 21:59:13 -0400
Received: from mlsv8.hitachi.co.jp (unknown [133.144.234.166])
	by mail9.hitachi.co.jp (Postfix) with ESMTP id 2EAA337C86;
	Thu, 13 Oct 2011 10:59:12 +0900 (JST)
Received: from mfilter03.hitachi.co.jp by mlsv8.hitachi.co.jp
	(8.13.1/8.13.1) id p9D1xC3f029373; Thu, 13 Oct 2011 10:59:12 +0900
Received: from vshuts2.hitachi.co.jp (vshuts2.hitachi.co.jp [10.201.6.71])
	by mfilter03.hitachi.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id
	p9D1xB1R029146; Thu, 13 Oct 2011 10:59:11 +0900
X-AuditID: b753bd60-a02a4ba000005c89-f7-4e9645eed0dc
Received: from hsdlmain.sdl.hitachi.co.jp (unknown [133.144.14.194])
	by vshuts2.hitachi.co.jp (Symantec Mail Security) with ESMTP id
	D842A8B0314; Thu, 13 Oct 2011 10:59:10 +0900 (JST)
Received: from hsdlvgate2.sdl.hitachi.co.jp by hsdlmain.sdl.hitachi.co.jp
	(8.13.1/3.7W11021512) id p9D1xAGa020540;
	Thu, 13 Oct 2011 10:59:10 +0900
X-AuditID: b753bd60-a02a4ba000005c89-f7-4e9645eed0dc
Received: from sdl99w.sdl.hitachi.co.jp (sdl99w.sdl.hitachi.co.jp
	[133.144.14.250])
	by hsdlvgate2.sdl.hitachi.co.jp (Symantec Mail Security) with ESMTP
	id 478DF236561; Thu, 13 Oct 2011 10:59:10 +0900 (JST)
Received: from ltc219.sdl.hitachi.co.jp (cb10033149.sdl.hitachi.co.jp
	[10.232.10.18])
	by sdl99w.sdl.hitachi.co.jp (Postfix) with ESMTP id EDE5F1254AF;
	Thu, 13 Oct 2011 10:59:07 +0900 (JST)
From: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
Subject: [PATCH net -v2] [BUGFIX] bonding: use local function pointer of
	bond->recv_probe in bond_handle_frame
To: Jay Vosburgh <fubar@us.ibm.com>,
	Andy Gospodarek <andy@greyhouse.net>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	yrl.pp-manager.tt@hitachi.com,
	Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>,
	Jay Vosburgh <fubar@us.ibm.com>, Andy Gospodarek <andy@greyhouse.net>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	WANG Cong <xiyou.wangcong@gmail.com>
Date: Thu, 13 Oct 2011 11:04:29 +0900
Message-ID: <20111013020429.3554.78679.stgit@ltc219.sdl.hitachi.co.jp>
User-Agent: StGIT/0.14.3
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The bond->recv_probe is called in bond_handle_frame() when
a packet is received, but bond_close() sets it to NULL. So,
a panic occurs when both functions work in parallel.

Why this happen:
After null pointer check of bond->recv_probe, an sk_buff is
duplicated and bond->recv_probe is called in bond_handle_frame.
So, a panic occurs when bond_close() is called between the
check and call of bond->recv_probe.

Patch:
This patch uses a local function pointer of bond->recv_probe
in bond_handle_frame(). So, it can avoid the null pointer
dereference.


Signed-off-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
Cc: Jay Vosburgh <fubar@us.ibm.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: WANG Cong <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
---

 drivers/net/bonding/bond_main.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 6d79b78..de3d351 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1435,6 +1435,8 @@ static rx_handler_result_t bond_handle_frame(struct sk_buff **pskb)
 	struct sk_buff *skb = *pskb;
 	struct slave *slave;
 	struct bonding *bond;
+	void (*recv_probe)(struct sk_buff *, struct bonding *,
+				struct slave *);
 
 	skb = skb_share_check(skb, GFP_ATOMIC);
 	if (unlikely(!skb))
@@ -1448,11 +1450,12 @@ static rx_handler_result_t bond_handle_frame(struct sk_buff **pskb)
 	if (bond->params.arp_interval)
 		slave->dev->last_rx = jiffies;
 
-	if (bond->recv_probe) {
+	recv_probe = ACCESS_ONCE(bond->recv_probe);
+	if (recv_probe) {
 		struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
 
 		if (likely(nskb)) {
-			bond->recv_probe(nskb, bond, slave);
+			recv_probe(nskb, bond, slave);
 			dev_kfree_skb(nskb);
 		}
 	}