linux/net
Duoming Zhou 7d8a3a477b ax25: Fix ax25 session cleanup problems
There are session cleanup problems in ax25_release() and
ax25_disconnect(). If we set up a session and then disconnect,
the disconnected session is still in "LISTENING" state, as
shown below.

Active AX.25 sockets
Dest       Source     Device  State        Vr/Vs    Send-Q  Recv-Q
DL9SAU-4   DL9SAU-3   ???     LISTENING    000/000  0       0
DL9SAU-3   DL9SAU-4   ???     LISTENING    000/000  0       0

The first reason is caused by del_timer_sync() in ax25_release().
The timers of ax25 are used for correct session cleanup. If we use
ax25_release() to close ax25 sessions and ax25_dev is not null,
the del_timer_sync() functions in ax25_release() will execute.
As a result, the sessions could not be cleaned up correctly,
because the timers have stopped.

In order to solve this problem, this patch adds a device_up flag
in ax25_dev in order to judge whether the device is up. If there
are sessions to be cleaned up, the del_timer_sync() in
ax25_release() will not execute. What's more, we add ax25_cb_del()
in ax25_kill_by_device(), because the timers have been stopped
and there are no functions that could delete ax25_cb if we do not
call ax25_release(). Finally, we reorder the position of
ax25_list_lock in ax25_cb_del() in order to synchronize among
different functions that call ax25_cb_del().

The second reason is caused by an improper check in ax25_disconnect().
The incoming ax25 sessions whose ax25->sk is null will close the
heartbeat timer, because the check "if(!ax25->sk || ..)" is
satisfied. As a result, the session could not be cleaned up properly.

In order to solve this problem, this patch changes the improper
check to "if(ax25->sk && ..)" in ax25_disconnect().

What's more, the ax25_disconnect() may be called twice, which is
not necessary. For example, ax25_kill_by_device() calls
ax25_disconnect() and sets ax25->state to AX25_STATE_0, but
ax25_release() calls ax25_disconnect() again.

In order to solve this problem, this patch adds a check in
ax25_release(). If the flag of ax25->sk equals SOCK_DEAD,
the ax25_disconnect() in ax25_release() should not be executed.

Fixes: 82e31755e5 ("ax25: Fix UAF bugs in ax25 timers")
Fixes: 8a367e74c0 ("ax25: Fix segfault after sock connection timeout")
Reported-and-tested-by: Thomas Osterried <thomas@osterried.de>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220530152158.108619-1-duoming@zju.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2022-06-02 10:37:57 +02:00
6lowpan
9p
802
8021q
appletalk
atm
ax25 ax25: Fix ax25 session cleanup problems 2022-06-02 10:37:57 +02:00
batman-adv net: wrap the wireless pointers in struct net_device in an ifdef 2022-05-22 21:51:54 +01:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-23 21:19:17 -07:00
bpf Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-05-23 16:07:14 -07:00
bpfilter
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-19 11:23:59 -07:00
caif
can can: isotp: isotp_bind(): do not validate unused address information 2022-05-19 22:11:28 +02:00
ceph libceph: fix misleading ceph_osdc_cancel_request() comment 2022-05-18 21:21:29 +02:00
core net, neigh: Set lower cap for neigh_managed_work rearming 2022-05-25 22:00:48 -07:00
dcb
dccp net: Add a second bind table hashed by port and address 2022-05-20 18:16:24 -07:00
decnet dn_route: set rt neigh to blackhole_netdev instead of loopback_dev in ifdown 2022-05-17 18:03:23 -07:00
dns_resolver
dsa net: dsa: OF-ware slave_mii_bus 2022-05-23 12:27:53 +01:00
ethernet
ethtool
hsr
ieee802154
ife
ipv4 tcp: tcp_rtx_synack() can be called from process context 2022-05-31 21:40:10 -07:00
ipv6 net: ping6: Fix ping -6 with interface name 2022-06-01 12:44:42 +02:00
iucv
kcm
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-06-01 17:44:04 -07:00
l2tp l2tp: use add READ_ONCE() to fetch sk->sk_bound_dev_if 2022-05-16 10:31:06 +01:00
l3mdev
lapb
llc
mac80211 wifi: mac80211: fix use-after-free in chanctx code 2022-06-01 12:41:41 +03:00
mac802154
mctp Networking changes for 5.19. 2022-05-25 12:22:58 -07:00
mpls
mptcp Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-05-23 16:07:14 -07:00
ncsi
netfilter netfilter: flowtable: fix nft_flow_route source address for nat case 2022-05-31 23:32:53 +02:00
netlabel
netlink
netrom
nfc net: nfc: Directly use ida_alloc()/free() 2022-05-28 15:28:47 +01:00
nsh
openvswitch
packet
phonet
psample
qrtr
rds
rfkill
rose
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-23 21:19:17 -07:00
sched net/sched: act_api: fix error code in tcf_ct_flow_table_fill_tuple_ipv6() 2022-06-01 13:32:04 +02:00
sctp stcp: Use memset_after() to zero sctp_stream_out_ext 2022-05-20 17:42:53 -07:00
smc net/smc: fixes for converting from "struct smc_cdc_tx_pend **" to "struct smc_wr_tx_pend_priv *" 2022-05-28 12:36:26 +01:00
strparser
sunrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-19 11:23:59 -07:00
switchdev
tipc
tls net: tls: fix messing up lists when bpf enabled 2022-05-19 17:55:06 -07:00
unix Networking changes for 5.19. 2022-05-25 12:22:58 -07:00
vmw_vsock
wireless wireless-next patches for v5.19 2022-05-19 13:01:08 -07:00
x25
xdp
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-06-01 17:44:04 -07:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c Networking changes for 5.19. 2022-05-25 12:22:58 -07:00
sysctl_net.c