| Message ID | 20201109065449.9014-1-ms@dev.tdt.de |
|---|---|
| State | Accepted |
| Delegated to: | David Miller |
| Headers | show |
| Series | [RESEND,v2] net/x25: Fix null-ptr-deref in x25_connect | expand |
| Context | Check | Description |
|---|---|---|
| jkicinski/cover_letter | success | Link |
| jkicinski/fixes_present | success | Link |
| jkicinski/patch_count | success | Link |
| jkicinski/tree_selection | success | Guessed tree name to be net-next |
| jkicinski/subject_prefix | warning | Target tree name not specified in the subject |
| jkicinski/source_inline | success | Was 0 now: 0 |
| jkicinski/verify_signedoff | success | Link |
| jkicinski/module_param | success | Was 0 now: 0 |
| jkicinski/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| jkicinski/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| jkicinski/verify_fixes | success | Link |
| jkicinski/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 8 lines checked |
| jkicinski/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| jkicinski/header_inline | success | Link |
| jkicinski/stable | success | Stable not CCed |
> This fixes a regression for blocking connects introduced by commit > 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect"). > The x25->neighbour is already set to "NULL" by x25_disconnect() now, > while a blocking connect is waiting in > x25_wait_for_connection_establishment(). Therefore x25->neighbour must > not be accessed here again and x25->state is also already set to > X25_STATE_0 by x25_disconnect(). > Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") > Signed-off-by: Martin Schiller <ms@dev.tdt.de> Oh. Sorry, I didn't see your patch. I just submitted another patch to fix the same problem. I also found another problem introduced by the same regression commit, which I was also trying to fix in my patch. See: http://patchwork.ozlabs.org/project/netdev/patch/20201111100424.3989-1-xie.he.0141@gmail.com/
> @@ -825,7 +825,7 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr, > sock->state = SS_CONNECTED; > rc = 0; > out_put_neigh: > - if (rc) { > + if (rc && x25->neighbour) { > read_lock_bh(&x25_list_lock); > x25_neigh_put(x25->neighbour); > x25->neighbour = NULL; Thanks! It's amazing to see we are trying to fix the same issue. Reviewed-by: Xie He <xie.he.0141@gmail.com>
On Wed, 11 Nov 2020 03:59:47 -0800 Xie He wrote: > > @@ -825,7 +825,7 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr, > > sock->state = SS_CONNECTED; > > rc = 0; > > out_put_neigh: > > - if (rc) { > > + if (rc && x25->neighbour) { > > read_lock_bh(&x25_list_lock); > > x25_neigh_put(x25->neighbour); > > x25->neighbour = NULL; > > Reviewed-by: Xie He <xie.he.0141@gmail.com> Applied, thanks!
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index 0bbb283f23c9..046d3fee66a9 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -825,7 +825,7 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr, sock->state = SS_CONNECTED; rc = 0; out_put_neigh: - if (rc) { + if (rc && x25->neighbour) { read_lock_bh(&x25_list_lock); x25_neigh_put(x25->neighbour); x25->neighbour = NULL;
This fixes a regression for blocking connects introduced by commit 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect"). The x25->neighbour is already set to "NULL" by x25_disconnect() now, while a blocking connect is waiting in x25_wait_for_connection_establishment(). Therefore x25->neighbour must not be accessed here again and x25->state is also already set to X25_STATE_0 by x25_disconnect(). Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Signed-off-by: Martin Schiller <ms@dev.tdt.de> --- Change from v1: also handle interrupting signals correctly --- net/x25/af_x25.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)