diff mbox series

[RESEND,v2] net/x25: Fix null-ptr-deref in x25_connect

Message ID 20201109065449.9014-1-ms@dev.tdt.de (mailing list archive)
State Not Applicable
Delegated to: Netdev Maintainers
Headers show
Series [RESEND,v2] net/x25: Fix null-ptr-deref in x25_connect | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success Link
netdev/stable success Stable not CCed

Commit Message

Martin Schiller Nov. 9, 2020, 6:54 a.m. UTC
This fixes a regression for blocking connects introduced by commit
4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect").

The x25->neighbour is already set to "NULL" by x25_disconnect() now,
while a blocking connect is waiting in
x25_wait_for_connection_establishment(). Therefore x25->neighbour must
not be accessed here again and x25->state is also already set to
X25_STATE_0 by x25_disconnect().

Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
---

Change from v1:
also handle interrupting signals correctly

---
 net/x25/af_x25.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Xie He Nov. 11, 2020, 11:38 a.m. UTC | #1
> This fixes a regression for blocking connects introduced by commit
> 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect").

> The x25->neighbour is already set to "NULL" by x25_disconnect() now,
> while a blocking connect is waiting in
> x25_wait_for_connection_establishment(). Therefore x25->neighbour must
> not be accessed here again and x25->state is also already set to
> X25_STATE_0 by x25_disconnect().

> Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
> Signed-off-by: Martin Schiller <ms@dev.tdt.de>

Oh. Sorry, I didn't see your patch. I just submitted another patch to fix
the same problem.

I also found another problem introduced by the same regression commit,
which I was also trying to fix in my patch.

See:
http://patchwork.ozlabs.org/project/netdev/patch/20201111100424.3989-1-xie.he.0141@gmail.com/
Xie He Nov. 11, 2020, 11:59 a.m. UTC | #2
> @@ -825,7 +825,7 @@  static int x25_connect(struct socket *sock, struct sockaddr *uaddr,
>  	sock->state = SS_CONNECTED;
>  	rc = 0;
>  out_put_neigh:
> -	if (rc) {
> +	if (rc && x25->neighbour) {
>  		read_lock_bh(&x25_list_lock);
>  		x25_neigh_put(x25->neighbour);
>  		x25->neighbour = NULL;

Thanks! It's amazing to see we are trying to fix the same issue.

Reviewed-by: Xie He <xie.he.0141@gmail.com>
Jakub Kicinski Nov. 11, 2020, 10:57 p.m. UTC | #3
On Wed, 11 Nov 2020 03:59:47 -0800 Xie He wrote:
> > @@ -825,7 +825,7 @@  static int x25_connect(struct socket *sock, struct sockaddr *uaddr,
> >  	sock->state = SS_CONNECTED;
> >  	rc = 0;
> >  out_put_neigh:
> > -	if (rc) {
> > +	if (rc && x25->neighbour) {
> >  		read_lock_bh(&x25_list_lock);
> >  		x25_neigh_put(x25->neighbour);
> >  		x25->neighbour = NULL;  
> 
> Reviewed-by: Xie He <xie.he.0141@gmail.com>

Applied, thanks!
diff mbox series

Patch

diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 0bbb283f23c9..046d3fee66a9 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -825,7 +825,7 @@  static int x25_connect(struct socket *sock, struct sockaddr *uaddr,
 	sock->state = SS_CONNECTED;
 	rc = 0;
 out_put_neigh:
-	if (rc) {
+	if (rc && x25->neighbour) {
 		read_lock_bh(&x25_list_lock);
 		x25_neigh_put(x25->neighbour);
 		x25->neighbour = NULL;