| Message ID | 1457390145-2700-1-git-send-email-kamal@canonical.com |
|---|---|
| State | New |
| Headers | show |
Hi, This fix introduces a new fault, which is fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/tipc/subscr.c?id=4de13d7ed6ffdcbb34317acaa9236f121176f5f8 For stable TIPC, both fixes are needed. regards Partha On 03/07/2016 11:35 PM, Kamal Mostafa wrote: > This is a note to let you know that I have just added a patch titled > > tipc: fix connection abort during subscription cancel > > to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree > which can be found at: > > http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue > > This patch is scheduled to be released in version 4.2.8-ckt5. > > If you, or anyone else, feels it should not be added to this tree, please > reply to this email. > > For more information about the 4.2.y-ckt tree, see > https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable > > Thanks. > -Kamal > > ---8<------------------------------------------------------------ > > From c6fc2835a09cadc1c9b556ef7b466950dca20a30 Mon Sep 17 00:00:00 2001 > From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com> > Date: Wed, 27 Jan 2016 11:35:59 +0100 > Subject: tipc: fix connection abort during subscription cancel > > [ Upstream commit 4d5cfcba2f6ec494d8810b9e3c0a7b06255c8067 ] > > In 'commit 7fe8097cef5f ("tipc: fix nullpointer bug when subscribing > to events")', we terminate the connection if the subscription > creation fails. > In the same commit, the subscription creation result was based on > the value of the subscription pointer (set in the function) instead > of the return code. > > Unfortunately, the same function tipc_subscrp_create() handles > subscription cancel request. For a subscription cancellation request, > the subscription pointer cannot be set. Thus if a subscriber has > several subscriptions and cancels any of them, the connection is > terminated. > > In this commit, we terminate the connection based on the return value > of tipc_subscrp_create(). > Fixes: commit 7fe8097cef5f ("tipc: fix nullpointer bug when subscribing to events") > > Reviewed-by: Jon Maloy <jon.maloy@ericsson.com> > Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > Signed-off-by: Kamal Mostafa <kamal@canonical.com> > --- > net/tipc/subscr.c | 11 +++++------ > 1 file changed, 5 insertions(+), 6 deletions(-) > > diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c > index 350cca3..69ee2ee 100644 > --- a/net/tipc/subscr.c > +++ b/net/tipc/subscr.c > @@ -289,15 +289,14 @@ static void tipc_subscrb_rcv_cb(struct net *net, int conid, > struct sockaddr_tipc *addr, void *usr_data, > void *buf, size_t len) > { > - struct tipc_subscriber *subscriber = usr_data; > + struct tipc_subscriber *subscrb = usr_data; > struct tipc_subscription *sub = NULL; > struct tipc_net *tn = net_generic(net, tipc_net_id); > > - tipc_subscrp_create(net, (struct tipc_subscr *)buf, subscriber, &sub); > - if (sub) > - tipc_nametbl_subscribe(sub); > - else > - tipc_conn_terminate(tn->topsrv, subscriber->conid); > + if (tipc_subscrp_create(net, (struct tipc_subscr *)buf, subscrb, &sub)) > + return tipc_conn_terminate(tn->topsrv, subscrb->conid); > + > + tipc_nametbl_subscribe(sub); > } > > /* Handle one request to establish a new subscriber */ > -- > 2.7.0 >
On Tue, 2016-03-08 at 15:14 +0100, Parthasarathy Bhuvaragan wrote: > Hi, > > This fix introduces a new fault, which is fixed by: > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commi > t/net/tipc/subscr.c?id=4de13d7ed6ffdcbb34317acaa9236f121176f5f8 > > For stable TIPC, both fixes are needed. > > regards > Partha Thanks very much for the heads-up Partha. I'll ensure that these two commits land together for 4.2-stable: 4de13d7e tipc: fix nullptr crash during subscription cancel 4d5cfcb tipc: fix connection abort during subscription cancel -Kamal > On 03/07/2016 11:35 PM, Kamal Mostafa wrote: > > > > This is a note to let you know that I have just added a patch > > titled > > > > tipc: fix connection abort during subscription cancel > > > > to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable > > tree > > which can be found at: > > > > http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2. > > y-queue > > > > This patch is scheduled to be released in version 4.2.8-ckt5. > > > > If you, or anyone else, feels it should not be added to this tree, > > please > > reply to this email. > > > > For more information about the 4.2.y-ckt tree, see > > https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable > > > > Thanks. > > -Kamal > > > > ---8<------------------------------------------------------------ > > > > From c6fc2835a09cadc1c9b556ef7b466950dca20a30 Mon Sep 17 00:00:00 > > 2001 > > From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.c > > om> > > Date: Wed, 27 Jan 2016 11:35:59 +0100 > > Subject: tipc: fix connection abort during subscription cancel > > > > [ Upstream commit 4d5cfcba2f6ec494d8810b9e3c0a7b06255c8067 ] > > > > In 'commit 7fe8097cef5f ("tipc: fix nullpointer bug when > > subscribing > > to events")', we terminate the connection if the subscription > > creation fails. > > In the same commit, the subscription creation result was based on > > the value of the subscription pointer (set in the function) instead > > of the return code. > > > > Unfortunately, the same function tipc_subscrp_create() handles > > subscription cancel request. For a subscription cancellation > > request, > > the subscription pointer cannot be set. Thus if a subscriber has > > several subscriptions and cancels any of them, the connection is > > terminated. > > > > In this commit, we terminate the connection based on the return > > value > > of tipc_subscrp_create(). > > Fixes: commit 7fe8097cef5f ("tipc: fix nullpointer bug when > > subscribing to events") > > > > Reviewed-by: Jon Maloy <jon.maloy@ericsson.com> > > Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@e > > ricsson.com> > > Signed-off-by: David S. Miller <davem@davemloft.net> > > Signed-off-by: Kamal Mostafa <kamal@canonical.com> > > --- > > net/tipc/subscr.c | 11 +++++------ > > 1 file changed, 5 insertions(+), 6 deletions(-) > > > > diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c > > index 350cca3..69ee2ee 100644 > > --- a/net/tipc/subscr.c > > +++ b/net/tipc/subscr.c > > @@ -289,15 +289,14 @@ static void tipc_subscrb_rcv_cb(struct net > > *net, int conid, > > struct sockaddr_tipc *addr, void > > *usr_data, > > void *buf, size_t len) > > { > > - struct tipc_subscriber *subscriber = usr_data; > > + struct tipc_subscriber *subscrb = usr_data; > > struct tipc_subscription *sub = NULL; > > struct tipc_net *tn = net_generic(net, tipc_net_id); > > > > - tipc_subscrp_create(net, (struct tipc_subscr *)buf, > > subscriber, &sub); > > - if (sub) > > - tipc_nametbl_subscribe(sub); > > - else > > - tipc_conn_terminate(tn->topsrv, subscriber- > > >conid); > > + if (tipc_subscrp_create(net, (struct tipc_subscr *)buf, > > subscrb, &sub)) > > + return tipc_conn_terminate(tn->topsrv, subscrb- > > >conid); > > + > > + tipc_nametbl_subscribe(sub); > > } > > > > /* Handle one request to establish a new subscriber */ > > -- > > 2.7.0 > >
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c index 350cca3..69ee2ee 100644 --- a/net/tipc/subscr.c +++ b/net/tipc/subscr.c @@ -289,15 +289,14 @@ static void tipc_subscrb_rcv_cb(struct net *net, int conid, struct sockaddr_tipc *addr, void *usr_data, void *buf, size_t len) { - struct tipc_subscriber *subscriber = usr_data; + struct tipc_subscriber *subscrb = usr_data; struct tipc_subscription *sub = NULL; struct tipc_net *tn = net_generic(net, tipc_net_id); - tipc_subscrp_create(net, (struct tipc_subscr *)buf, subscriber, &sub); - if (sub) - tipc_nametbl_subscribe(sub); - else - tipc_conn_terminate(tn->topsrv, subscriber->conid); + if (tipc_subscrp_create(net, (struct tipc_subscr *)buf, subscrb, &sub)) + return tipc_conn_terminate(tn->topsrv, subscrb->conid); + + tipc_nametbl_subscribe(sub); } /* Handle one request to establish a new subscriber */
This is a note to let you know that I have just added a patch titled tipc: fix connection abort during subscription cancel to the linux-4.2.y-queue branch of the 4.2.y-ckt extended stable tree which can be found at: http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-queue This patch is scheduled to be released in version 4.2.8-ckt5. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 4.2.y-ckt tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ---8<------------------------------------------------------------ From c6fc2835a09cadc1c9b556ef7b466950dca20a30 Mon Sep 17 00:00:00 2001 From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com> Date: Wed, 27 Jan 2016 11:35:59 +0100 Subject: tipc: fix connection abort during subscription cancel [ Upstream commit 4d5cfcba2f6ec494d8810b9e3c0a7b06255c8067 ] In 'commit 7fe8097cef5f ("tipc: fix nullpointer bug when subscribing to events")', we terminate the connection if the subscription creation fails. In the same commit, the subscription creation result was based on the value of the subscription pointer (set in the function) instead of the return code. Unfortunately, the same function tipc_subscrp_create() handles subscription cancel request. For a subscription cancellation request, the subscription pointer cannot be set. Thus if a subscriber has several subscriptions and cancels any of them, the connection is terminated. In this commit, we terminate the connection based on the return value of tipc_subscrp_create(). Fixes: commit 7fe8097cef5f ("tipc: fix nullpointer bug when subscribing to events") Reviewed-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Kamal Mostafa <kamal@canonical.com> --- net/tipc/subscr.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) -- 2.7.0