4.4-stable patches

added patches:
	ppp-defer-netns-reference-release-for-ppp-channel.patch

diff --git a/queue-4.4/ppp-defer-netns-reference-release-for-ppp-channel.patch b/queue-4.4/ppp-defer-netns-reference-release-for-ppp-channel.patch
new file mode 100644 (file)
index 0000000..888d232
--- /dev/null
+++ b/queue-4.4/ppp-defer-netns-reference-release-for-ppp-channel.patch
@@ -0,0 +1,57 @@
+From 205e1e255c479f3fd77446415706463b282f94e4 Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Tue, 5 Jul 2016 22:12:36 -0700
+Subject: ppp: defer netns reference release for ppp channel
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+commit 205e1e255c479f3fd77446415706463b282f94e4 upstream.
+
+Matt reported that we have a NULL pointer dereference
+in ppp_pernet() from ppp_connect_channel(),
+i.e. pch->chan_net is NULL.
+
+This is due to that a parallel ppp_unregister_channel()
+could happen while we are in ppp_connect_channel(), during
+which pch->chan_net set to NULL. Since we need a reference
+to net per channel, it makes sense to sync the refcnt
+with the life time of the channel, therefore we should
+release this reference when we destroy it.
+
+Fixes: 1f461dcdd296 ("ppp: take reference on channels netns")
+Reported-by: Matt Bennett <Matt.Bennett@alliedtelesis.co.nz>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: linux-ppp@vger.kernel.org
+Cc: Guillaume Nault <g.nault@alphalink.fr>
+Cc: Cyrill Gorcunov <gorcunov@openvz.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: bmajal222 <bmajal222@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ppp/ppp_generic.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -2390,8 +2390,6 @@ ppp_unregister_channel(struct ppp_channe
+       spin_lock_bh(&pn->all_channels_lock);
+       list_del(&pch->list);
+       spin_unlock_bh(&pn->all_channels_lock);
+-      put_net(pch->chan_net);
+-      pch->chan_net = NULL;
+ 
+       pch->file.dead = 1;
+       wake_up_interruptible(&pch->file.rwait);
+@@ -2984,6 +2982,9 @@ ppp_disconnect_channel(struct channel *p
+  */
+ static void ppp_destroy_channel(struct channel *pch)
+ {
++      put_net(pch->chan_net);
++      pch->chan_net = NULL;
++
+       atomic_dec(&channel_count);
+ 
+       if (!pch->file.dead) {

diff --git a/queue-4.4/series b/queue-4.4/series
index f23f30405a2dfdfebf66a18ce77a98969a82f4df..7acaa0662d0fad7da2ac58864c0285ec684448d7 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -58,3 +58,4 @@ xen-gntdev-use-vm_mixedmap-instead-of-vm_io-to-avoid-numa-balancing.patch
 arm-xen-use-alloc_percpu-rather-than-__alloc_percpu.patch
 xfs-set-agi-buffer-type-in-xlog_recover_clear_agi_bucket.patch
 driver-core-fix-race-between-creating-querying-glue-dir-and-its-cleanup.patch
+ppp-defer-netns-reference-release-for-ppp-channel.patch