Commit 45e526e8 authored Oct 23, 2013 by Nikolay Aleksandrov Committed by David S. Miller Oct 25, 2013

netconsole: fix NULL pointer dereference



We need to disable the netconsole (enabled = 0) before setting nt->np.dev
to NULL because otherwise we might still have users after the
netpoll_cleanup() since nt->enabled is set afterwards and we can
have a message which will result in a NULL pointer dereference.
It is very easy to hit dereferences all over the netpoll_send_udp function
by running the following two loops in parallel:
while [ 1 ]; do echo 1 > enabled; echo 0 > enabled; done;
while [ 1 ]; do echo 00:11:22:33:44:55 > remote_mac; done;
(the second loop is to generate messages, it can be done by anything)

We're safe to set nt->np.dev = NULL and nt->enabled = 0 with the spinlock
since it's required in the write_msg() function.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Reviewed-by: Veacelsav Falico <vfalico@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 0e67d990

drivers/net/netconsole.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -310,6 +310,7 @@ static ssize_t store_enabled(struct netconsole_target *nt,
		const char *buf,
		size_t count)
		{
		unsigned long flags;
		int enabled;
		int err;

		@@ -342,6 +343,13 @@ static ssize_t store_enabled(struct netconsole_target *nt,
		printk(KERN_INFO "netconsole: network logging started\n");

		} else { /* 0 */
		/* We need to disable the netconsole before cleaning it up
		* otherwise we might end up in write_msg() with
		* nt->np.dev == NULL and nt->enabled == 1
		*/
		spin_lock_irqsave(&target_list_lock, flags);
		nt->enabled = 0;
		spin_unlock_irqrestore(&target_list_lock, flags);
		netpoll_cleanup(&nt->np);
		}