From patchwork Thu Jun 27 23:51:04 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kamal Mostafa <kamal@canonical.com>
X-Patchwork-Id: 255247
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 1CB5C2C033A
	for <incoming@patchwork.ozlabs.org>;
	Fri, 28 Jun 2013 09:51:25 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1UsLy7-00013j-AB; Thu, 27 Jun 2013 23:51:15 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtp (Exim 4.76)
	(envelope-from <kamal@canonical.com>) id 1UsLxz-00012x-CJ
	for kernel-team@lists.ubuntu.com; Thu, 27 Jun 2013 23:51:07 +0000
Received: from c-67-160-231-42.hsd1.ca.comcast.net ([67.160.231.42]
	helo=fourier) by youngberry.canonical.com with esmtpsa
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <kamal@canonical.com>)
	id 1UsLxz-0006Iu-5r; Thu, 27 Jun 2013 23:51:07 +0000
Received: from kamal by fourier with local (Exim 4.80)
	(envelope-from <kamal@whence.com>)
	id 1UsLxw-0003Cw-S4; Thu, 27 Jun 2013 16:51:04 -0700
From: Kamal Mostafa <kamal@canonical.com>
To: Zefan Li <lizefan@huawei.com>
Subject: [ 3.8.y.z extended stable ] Patch "dlci: validate the net device in
	dlci_del()" has been added to staging queue
Date: Thu, 27 Jun 2013 16:51:04 -0700
Message-Id: <1372377064-12298-1-git-send-email-kamal@canonical.com>
X-Mailer: git-send-email 1.8.1.2
X-Extended-Stable: 3.8
Cc: Li Jinyue <lijinyue@huawei.com>, Kamal Mostafa <kamal@canonical.com>,
	"David S. Miller" <davem@davemloft.net>, kernel-team@lists.ubuntu.com
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

This is a note to let you know that I have just added a patch titled

    dlci: validate the net device in dlci_del()

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.4.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

From 3306eb6510cf29790991e275d87605945c6eefdd Mon Sep 17 00:00:00 2001
From: Zefan Li <lizefan@huawei.com>
Date: Wed, 26 Jun 2013 15:31:58 +0800
Subject: dlci: validate the net device in dlci_del()

commit 578a1310f2592ba90c5674bca21c1dbd1adf3f0a upstream.

We triggered an oops while running trinity with 3.4 kernel:

BUG: unable to handle kernel paging request at 0000000100000d07
IP: [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
PGD 640c0d067 PUD 0
Oops: 0000 [#1] PREEMPT SMP
CPU 3
...
Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA
RIP: 0010:[<ffffffffa0109738>]  [<ffffffffa0109738>] dlci_ioctl+0xd8/0x2d4 [dlci]
...
Call Trace:
  [<ffffffff8137c5c3>] sock_ioctl+0x153/0x280
  [<ffffffff81195494>] do_vfs_ioctl+0xa4/0x5e0
  [<ffffffff8118354a>] ? fget_light+0x3ea/0x490
  [<ffffffff81195a1f>] sys_ioctl+0x4f/0x80
  [<ffffffff81478b69>] system_call_fastpath+0x16/0x1b
...

It's because the net device is not a dlci device.

Reported-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wan/dlci.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--
1.8.1.2

diff --git a/drivers/net/wan/dlci.c b/drivers/net/wan/dlci.c
index 1f6e053..6a8a382 100644
--- a/drivers/net/wan/dlci.c
+++ b/drivers/net/wan/dlci.c
@@ -384,6 +384,7 @@ static int dlci_del(struct dlci_add *dlci)
 	struct frad_local	*flp;
 	struct net_device	*master, *slave;
 	int			err;
+	bool			found = false;

 	rtnl_lock();

@@ -394,6 +395,17 @@ static int dlci_del(struct dlci_add *dlci)
 		goto out;
 	}

+	list_for_each_entry(dlp, &dlci_devs, list) {
+		if (dlp->master == master) {
+			found = true;
+			break;
+		}
+	}
+	if (!found) {
+		err = -ENODEV;
+		goto out;
+	}
+
 	if (netif_running(master)) {
 		err = -EBUSY;
 		goto out;