* [PATCH 1/1] ax25: Fix segfault when receiving an iframe with net2kiss loaded
@ 2016-11-30 19:15 Basil Gunn
2016-12-02 16:05 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Basil Gunn @ 2016-11-30 19:15 UTC (permalink / raw)
To: Joerg Reuter, Ralf Baechle, David S. Miller, linux-hams, netdev,
linux-kernel
Cc: stable, Edouard Lafargue, Jeremy McDermond
AX.25 uses sock_queue_rcv_skb() to queue an iframe received packet.
This routine writes NULL to the socket buffer device structure
pointer. The socket buffer is subsequently serviced by
__netif_receiv_skb_core() which dereferences the device structure
pointer & segfaults.
The fix puts the ax25 device structure pointer back in the socket
buffer struct after sock_queue_rcv_skb() is called.
To trigger the segfault setup an ax.25 device (ax0) then run net2kiss
(net2kiss -v -i ax0 /dev/ptmx). In another console make an ax.25
connection (call udr0 jnbbs). Within 2 received packets a segfault
will occur.
Please submit to -stable.
Signed-off-by: Basil Gunn <basil@pacabunga.com>
---
net/ax25/ax25_in.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
index bb5a0e4..417f21a 100644
--- a/net/ax25/ax25_in.c
+++ b/net/ax25/ax25_in.c
@@ -144,10 +144,15 @@ int ax25_rx_iframe(ax25_cb *ax25, struct sk_buff *skb)
if (ax25->sk != NULL && ax25->ax25_dev->values[AX25_VALUES_CONMODE] == 2) {
if ((!ax25->pidincl && ax25->sk->sk_protocol == pid) ||
ax25->pidincl) {
+ /* Will set socket buffer device struct pointer,
+ * skb->dev to NULL
+ */
if (sock_queue_rcv_skb(ax25->sk, skb) == 0)
queued = 1;
else
ax25->condition |= AX25_COND_OWN_RX_BUSY;
+
+ skb->dev = ax25->ax25_dev->dev;
}
}
--
2.1.4
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH 1/1] ax25: Fix segfault when receiving an iframe with net2kiss loaded
2016-11-30 19:15 [PATCH 1/1] ax25: Fix segfault when receiving an iframe with net2kiss loaded Basil Gunn
@ 2016-12-02 16:05 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2016-12-02 16:05 UTC (permalink / raw)
To: basil; +Cc: jreuter, ralf, linux-hams, netdev, linux-kernel, stable, ed,
mcdermj
From: Basil Gunn <basil@pacabunga.com>
Date: Wed, 30 Nov 2016 11:15:25 -0800
> AX.25 uses sock_queue_rcv_skb() to queue an iframe received packet.
> This routine writes NULL to the socket buffer device structure
> pointer. The socket buffer is subsequently serviced by
> __netif_receiv_skb_core() which dereferences the device structure
> pointer & segfaults.
>
> The fix puts the ax25 device structure pointer back in the socket
> buffer struct after sock_queue_rcv_skb() is called.
You cannot do this.
We have no reference count held on the device object, therefore once
access to this SKB leaves the receive packet processing path and thus
the RCU protected region, we must set skb->dev to NULL.
Queueing the SKB to the socket causes the SKB to leave the receive
processing path.
You will have to find another way to propagate this device pointer
to the code that needs it.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-12-02 16:05 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-30 19:15 [PATCH 1/1] ax25: Fix segfault when receiving an iframe with net2kiss loaded Basil Gunn
2016-12-02 16:05 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).