| Message ID | 20200928092327.329-1-ms@dev.tdt.de |
|---|---|
| State | New |
| Series | net/x25: Fix null-ptr-deref in x25_connect |
From: Martin Schiller <ms@dev.tdt.de> Date: Mon, 28 Sep 2020 11:23:27 +0200 > diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c > index 0bbb283f23c9..0524a5530b91 100644 > --- a/net/x25/af_x25.c > +++ b/net/x25/af_x25.c > @@ -820,7 +820,7 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr, > > rc = x25_wait_for_connection_establishment(sk); > if (rc) > - goto out_put_neigh; > + goto out; If x25_wait_for_connection_establishment() returns because of an interrupting signal, we are not going to call x25_disconnect(). The case you are fixing only applies _sometimes_ when x25_wait_for_connection_establishment() returns. But not always. That neighbour has to be released at this spot otherwise.
On 2020-09-29 03:43, David Miller wrote: > From: Martin Schiller <ms@dev.tdt.de> > Date: Mon, 28 Sep 2020 11:23:27 +0200 > >> diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c >> index 0bbb283f23c9..0524a5530b91 100644 >> --- a/net/x25/af_x25.c >> +++ b/net/x25/af_x25.c >> @@ -820,7 +820,7 @@ static int x25_connect(struct socket *sock, struct >> sockaddr *uaddr, >> >> rc = x25_wait_for_connection_establishment(sk); >> if (rc) >> - goto out_put_neigh; >> + goto out; > > If x25_wait_for_connection_establishment() returns because of an > interrupting > signal, we are not going to call x25_disconnect(). > > The case you are fixing only applies _sometimes_ when > x25_wait_for_connection_establishment() returns. But not always. > > That neighbour has to be released at this spot otherwise. OK, thanks for the hint. So I think the simplest solution would be to check that x25->neighbour is != NULL like this: diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index 0bbb283f23c9..046d3fee66a9 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -825,7 +825,7 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr, sock->state = SS_CONNECTED; rc = 0; out_put_neigh: - if (rc) { + if (rc && x25->neighbour) { read_lock_bh(&x25_list_lock); x25_neigh_put(x25->neighbour); x25->neighbour = NULL;
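Review bot: the `if (rc && x25->neighbour)` test in this hunk fixes the NULL dereference, but nothing in the hunk says why the pointer can be NULL at out_put_neigh, which the next reader of this cleanup will need: the two failure returns of x25_wait_for_connection_establishment() differ in ownership (a signal leaves the reference taken earlier in x25_connect() held, a disconnect means x25_disconnect() has already dropped it and cleared x25->neighbour). Add a one-line comment above the test stating that, and note in the changelog that the earlier `goto out` change is dropped in favour of this check, since with the NULL test the `x25_neigh_put(x25->neighbour); x25->neighbour = NULL;` lines stay correct for the signal path and are skipped on the disconnect path.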
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index 0bbb283f23c9..0524a5530b91 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -820,7 +820,7 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr, rc = x25_wait_for_connection_establishment(sk); if (rc) - goto out_put_neigh; + goto out; sock->state = SS_CONNECTED; rc = 0;
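Review bot: `goto out` on a non-zero rc from x25_wait_for_connection_establishment() skips the neighbour release for the signal-interrupted return, where x25_disconnect() has not run and x25->neighbour still holds the reference taken earlier in x25_connect(), so the refcount leak that 4becb7ee5b3d closed returns on that path. Keep `goto out_put_neigh;` and make the release at out_put_neigh conditional on the pointer still being set, e.g. `if (rc && x25->neighbour) {`, so the disconnect path (pointer already cleared and reference already dropped) is skipped while the signal path still puts the neighbour.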
This fixes a regression for blocking connects introduced by commit
4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect").

The x25->neighbour is already set to "NULL" by x25_disconnect() now, while a
blocking connect is waiting in x25_wait_for_connection_establishment().
Therefore x25->neighbour must not be accessed here again and x25->state is
also already set to X25_STATE_0 by x25_disconnect().

Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
---
 net/x25/af_x25.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)