From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+6db548b615e5aeefdce2@syzkaller.appspotmail.com,
YueHaibing <yuehaibing@huawei.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 27/51] net/x25: Fix null-ptr-deref in x25_disconnect
Date: Mon, 3 Aug 2020 14:20:12 +0200 [thread overview]
Message-ID: <20200803121850.842132215@linuxfoundation.org> (raw)
In-Reply-To: <20200803121849.488233135@linuxfoundation.org>
From: YueHaibing <yuehaibing@huawei.com>
commit 8999dc89497ab1c80d0718828e838c7cd5f6bffe upstream.
We should check null before do x25_neigh_put in x25_disconnect,
otherwise may cause null-ptr-deref like this:
#include <sys/socket.h>
#include <linux/x25.h>
int main() {
int sck_x25;
sck_x25 = socket(AF_X25, SOCK_SEQPACKET, 0);
close(sck_x25);
return 0;
}
BUG: kernel NULL pointer dereference, address: 00000000000000d8
CPU: 0 PID: 4817 Comm: t2 Not tainted 5.7.0-rc3+ #159
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-
RIP: 0010:x25_disconnect+0x91/0xe0
Call Trace:
x25_release+0x18a/0x1b0
__sock_release+0x3d/0xc0
sock_close+0x13/0x20
__fput+0x107/0x270
____fput+0x9/0x10
task_work_run+0x6d/0xb0
exit_to_usermode_loop+0x102/0x110
do_syscall_64+0x23c/0x260
entry_SYSCALL_64_after_hwframe+0x49/0xb3
Reported-by: syzbot+6db548b615e5aeefdce2@syzkaller.appspotmail.com
Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/x25/x25_subr.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/net/x25/x25_subr.c
+++ b/net/x25/x25_subr.c
@@ -363,10 +363,12 @@ void x25_disconnect(struct sock *sk, int
sk->sk_state_change(sk);
sock_set_flag(sk, SOCK_DEAD);
}
- read_lock_bh(&x25_list_lock);
- x25_neigh_put(x25->neighbour);
- x25->neighbour = NULL;
- read_unlock_bh(&x25_list_lock);
+ if (x25->neighbour) {
+ read_lock_bh(&x25_list_lock);
+ x25_neigh_put(x25->neighbour);
+ x25->neighbour = NULL;
+ read_unlock_bh(&x25_list_lock);
+ }
}
/*
next prev parent reply other threads:[~2020-08-03 12:34 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-03 12:19 [PATCH 4.14 00/51] 4.14.192-rc1 review Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 01/51] scsi: libsas: direct call probe and destruct Greg Kroah-Hartman
2020-08-03 12:57 ` John Garry
2020-08-05 9:52 ` Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 02/51] net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe() Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 03/51] crypto: ccp - Release all allocated memory if sha type is invalid Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 04/51] media: rc: prevent memory leak in cx23888_ir_probe Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 05/51] iio: imu: adis16400: fix memory leak Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 06/51] ath9k_htc: release allocated buffer if timed out Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 07/51] ath9k: " Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 08/51] x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 09/51] PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 10/51] wireless: Use offsetof instead of custom macro Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 11/51] ARM: 8986/1: hw_breakpoint: Dont invoke overflow handler on uaccess watchpoints Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 12/51] random32: update the net random state on interrupt and activity Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 13/51] ARM: percpu.h: fix build error Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 4.14 14/51] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 15/51] drm: hold gem reference until object is no longer accessed Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 16/51] f2fs: check memory boundary by insane namelen Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 17/51] f2fs: check if file namelen exceeds max value Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 18/51] random: fix circular include dependency on arm64 after addition of percpu.h Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 19/51] random32: remove net_rand_state from the latent entropy gcc plugin Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 20/51] 9p/trans_fd: abort p9_read_work if req status changed Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 21/51] 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 22/51] x86/build/lto: Fix truncated .bss with -fdata-sections Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 23/51] x86, vmlinux.lds: Page-align end of ..page_aligned sections Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 24/51] rds: Prevent kernel-infoleak in rds_notify_queue_get() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 25/51] xfs: fix missed wakeup on l_flush_wait Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 26/51] net/x25: Fix x25_neigh refcnt leak when x25 disconnect Greg Kroah-Hartman
2020-08-03 12:20 ` Greg Kroah-Hartman [this message]
2020-08-03 12:20 ` [PATCH 4.14 28/51] selftests/net: rxtimestamp: fix clang issues for target arch PowerPC Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 29/51] sh: Fix validation of system call number Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 30/51] net: lan78xx: add missing endpoint sanity check Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 31/51] net: lan78xx: fix transfer-buffer memory leak Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 32/51] mlx4: disable device on shutdown Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 33/51] mlxsw: core: Increase scope of RCU read-side critical section Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 34/51] mlxsw: core: Free EMAD transactions using kfree_rcu() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 35/51] ibmvnic: Fix IRQ mapping disposal in error path Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 36/51] bpf: Fix map leak in HASH_OF_MAPS map Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 37/51] mac80211: mesh: Free ie data when leaving mesh Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 38/51] mac80211: mesh: Free pending skb when destroying a mpath Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 39/51] arm64/alternatives: move length validation inside the subsection Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 40/51] arm64: csum: Fix handling of bad packets Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 41/51] usb: hso: Fix debug compile warning on sparc32 Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 42/51] qed: Disable "MFW indication via attention" SPAM every 5 minutes Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 43/51] nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 44/51] parisc: add support for cmpxchg on u8 pointers Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 45/51] net: ethernet: ravb: exit if re-initialization fails in tx timeout Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 46/51] Revert "i2c: cadence: Fix the hold bit setting" Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 47/51] x86/unwind/orc: Fix ORC for newly forked tasks Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 48/51] cxgb4: add missing release on skb in uld_send() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 49/51] xen-netfront: fix potential deadlock in xennet_remove() Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 50/51] KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled Greg Kroah-Hartman
2020-08-03 12:20 ` [PATCH 4.14 51/51] x86/i8259: Use printk_deferred() to prevent deadlock Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200803121850.842132215@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+6db548b615e5aeefdce2@syzkaller.appspotmail.com \
--cc=yuehaibing@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).