diff mbox series

[net,V2] net/x25: Fix null-ptr-deref caused by x25_disconnect

Message ID 20220326104346.91790-1-duoming@zju.edu.cn (mailing list archive)
State Accepted
Commit 7781607938c8371d4c2b243527430241c62e39c2
Delegated to: Netdev Maintainers
Headers show
Series [net,V2] net/x25: Fix null-ptr-deref caused by x25_disconnect | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 18 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Duoming Zhou March 26, 2022, 10:43 a.m. UTC 
When the link layer is terminating, x25->neighbour will be set to NULL
in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in
x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is
shown below.

    (Thread 1)                 |  (Thread 2)
x25_link_terminated()          | x25_recvmsg()
 x25_kill_by_neigh()           |  ...
  x25_disconnect()             |  lock_sock(sk)
   ...                         |  ...
   x25->neighbour = NULL //(1) |
   ...                         |  x25->neighbour->extended //(2)

The code sets NULL to x25->neighbour in position (1) and dereferences
x25->neighbour in position (2), which could cause null-ptr-deref bug.

This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize
with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the
sock held by lock_sock() is not NULL, because it is extracted from x25_list
and uses x25_list_lock to synchronize.

Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Lin Ma <linma@zju.edu.cn>
---
Changes in V2:
  - Add lock_sock() in x25_kill_by_neigh().
  - Make commit message more clearer.

 net/x25/af_x25.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org March 26, 2022, 6:50 p.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Sat, 26 Mar 2022 18:43:46 +0800 you wrote:
> When the link layer is terminating, x25->neighbour will be set to NULL
> in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in
> x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is
> shown below.
> 
>     (Thread 1)                 |  (Thread 2)
> x25_link_terminated()          | x25_recvmsg()
>  x25_kill_by_neigh()           |  ...
>   x25_disconnect()             |  lock_sock(sk)
>    ...                         |  ...
>    x25->neighbour = NULL //(1) |
>    ...                         |  x25->neighbour->extended //(2)
> 
> [...]

Here is the summary with links:
  - [net,V2] net/x25: Fix null-ptr-deref caused by x25_disconnect
    https://git.kernel.org/netdev/net/c/7781607938c8

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 3583354a7d7..3a171828638 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1765,10 +1765,15 @@  void x25_kill_by_neigh(struct x25_neigh *nb)
 
 	write_lock_bh(&x25_list_lock);
 
-	sk_for_each(s, &x25_list)
-		if (x25_sk(s)->neighbour == nb)
+	sk_for_each(s, &x25_list) {
+		if (x25_sk(s)->neighbour == nb) {
+			write_unlock_bh(&x25_list_lock);
+			lock_sock(s);
 			x25_disconnect(s, ENETUNREACH, 0, 0);
-
+			release_sock(s);
+			write_lock_bh(&x25_list_lock);
+		}
+	}
 	write_unlock_bh(&x25_list_lock);
 
 	/* Remove any related forwards */