From: Xie He <xie.he.0141@gmail.com>
To: Martin Schiller <ms@dev.tdt.de>
Cc: Jakub Kicinski <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Linux Kernel Network Developers <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH net] net: x25: Fix kernel crashes due to x25_disconnect releasing x25_neigh
Date: Wed, 11 Nov 2020 04:09:03 -0800
Message-ID: <CAJht_ENQsGVdkzSgQ3C1wDXBJyo9i-xdtzS=hsmMM339RGNRqA@mail.gmail.com>
In-Reply-To: <89483cb5fbf9e06edf3108fa4def6eef@dev.tdt.de>

On Wed, Nov 11, 2020 at 3:41 AM Martin Schiller <ms@dev.tdt.de> wrote:
>
> > 1) When we receive a connection, the x25_rx_call_request function in
> > af_x25.c does not increase the refcount when it assigns the pointer.
> > When we disconnect, x25_disconnect is called and the struct's refcount
> > is decreased without being increased in the first place.
>
> Yes, this is a problem and should be fixed. As an alternative to your
> approach, you could also go the way to prevent the call of
> x25_neigh_put(nb) in x25_lapb_receive_frame() in case of a Call Request.
> However, this would require more effort.

Yes, right. I think my approach is easier.

> > This causes frequent kernel crashes when using AF_X25 sockets.
> >
> > 2) When we initiate a connection but the connection is refused by the
> > remote side, x25_disconnect is called which decreases the refcount and
> > resets the pointer to NULL. But the x25_connect function in af_x25.c,
> > which is waiting for the connection to be established, notices the
> > failure and then tries to decrease the refcount again, resulting in a
> > NULL-pointer-dereference error.
> >
> > This crashes the kernel every time a connection is refused by the
> > remote side.
>
> For this bug I already sent a fix some time ago (last time I sent a
> RESEND yesterday), but unfortunately it was not merged yet:
> https://lore.kernel.org/patchwork/patch/1334917/

I see. Thanks! Hope it will be merged soon!

I'll re-submit my patch without your part after your patch is merged.
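
The two refcount problems discussed in this message, reduced to a user-space model. This is an added example, not code from the patch, the kernel, or either participant. All struct and function names are hypothetical. It assumes that the receive path's lookup takes its own reference, and it uses a NULL check as one possible guard for the second case.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: every name here is hypothetical, not kernel code. */
struct neigh { int refcnt; bool freed; };
struct sock_model { struct neigh *nb; };

static void neigh_hold(struct neigh *nb) { nb->refcnt++; }
/* Dropping the last reference is where the kernel would free the struct. */
static void neigh_put(struct neigh *nb) { if (--nb->refcnt == 0) nb->freed = true; }
/* Disconnect drops the socket's reference and resets the pointer to NULL. */
static void model_disconnect(struct sock_model *sk) { neigh_put(sk->nb); sk->nb = NULL; }

/* Case 1, incoming call: returns true if the neighbour is freed while the
 * neighbour list's initial reference still points at it. */
static bool incoming_call(bool hold_on_assign)
{
	struct neigh nb = { .refcnt = 1, .freed = false };	/* list's reference */
	struct sock_model sk = { .nb = NULL };

	neigh_hold(&nb);		/* receive path looks it up (assumed): 2 */
	sk.nb = &nb;			/* call request assigns the pointer */
	if (hold_on_assign)
		neigh_hold(&nb);	/* socket takes its own reference: 3 */
	neigh_put(&nb);			/* receive path drops its reference */
	model_disconnect(&sk);		/* reaches 0 without the hold, 1 with it */
	return nb.freed;
}

/* Case 2, outgoing call refused: returns true if the connect error path
 * would hand NULL to the put after disconnect has already run. */
static bool refused_connect(bool check_null)
{
	struct neigh nb = { .refcnt = 1, .freed = false };
	struct sock_model sk = { .nb = &nb };

	neigh_hold(&nb);		/* connect takes the socket's reference: 2 */
	model_disconnect(&sk);		/* remote refuses: count 1, pointer NULL */
	if (!sk.nb)
		return !check_null;	/* unguarded put(NULL) dereferences NULL */
	neigh_put(sk.nb);		/* failure without a prior disconnect */
	return false;
}

int main(void)
{
	printf("incoming: %d %d\n", incoming_call(false), incoming_call(true));
	printf("refused:  %d %d\n", refused_connect(false), refused_connect(true));
	return 0;
}
```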

Thread overview: 3+ messages
2020-11-11 10:04 [PATCH net] net: x25: Fix kernel crashes due to x25_disconnect releasing x25_neigh Xie He
2020-11-11 11:41 ` Martin Schiller
2020-11-11 12:09   ` Xie He [this message]