--- /dev/null
+From 8999dc89497ab1c80d0718828e838c7cd5f6bffe Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 28 Apr 2020 16:12:08 +0800
+Subject: net/x25: Fix null-ptr-deref in x25_disconnect
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 8999dc89497ab1c80d0718828e838c7cd5f6bffe upstream.
+
+We should check for NULL before calling x25_neigh_put() in x25_disconnect();
+otherwise it may cause a null-ptr-deref like this:
+
+ #include <sys/socket.h>
+ #include <linux/x25.h>
+
+ int main() {
+ int sck_x25;
+ sck_x25 = socket(AF_X25, SOCK_SEQPACKET, 0);
+ close(sck_x25);
+ return 0;
+ }
+
+BUG: kernel NULL pointer dereference, address: 00000000000000d8
+CPU: 0 PID: 4817 Comm: t2 Not tainted 5.7.0-rc3+ #159
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-
+RIP: 0010:x25_disconnect+0x91/0xe0
+Call Trace:
+ x25_release+0x18a/0x1b0
+ __sock_release+0x3d/0xc0
+ sock_close+0x13/0x20
+ __fput+0x107/0x270
+ ____fput+0x9/0x10
+ task_work_run+0x6d/0xb0
+ exit_to_usermode_loop+0x102/0x110
+ do_syscall_64+0x23c/0x260
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Reported-by: syzbot+6db548b615e5aeefdce2@syzkaller.appspotmail.com
+Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/x25/x25_subr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/x25/x25_subr.c
++++ b/net/x25/x25_subr.c
+@@ -357,10 +357,12 @@ void x25_disconnect(struct sock *sk, int
+ sk->sk_state_change(sk);
+ sock_set_flag(sk, SOCK_DEAD);
+ }
+- read_lock_bh(&x25_list_lock);
+- x25_neigh_put(x25->neighbour);
+- x25->neighbour = NULL;
+- read_unlock_bh(&x25_list_lock);
++ if (x25->neighbour) {
++ read_lock_bh(&x25_list_lock);
++ x25_neigh_put(x25->neighbour);
++ x25->neighbour = NULL;
++ read_unlock_bh(&x25_list_lock);
++ }
+ }
+
+ /*
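Review bot: The new `if (x25->neighbour)` test runs before `read_lock_bh(&x25_list_lock)` is taken, and the lock held around the put and the `x25->neighbour = NULL` store is only a read lock. Nothing visible in this hunk therefore stops two callers of x25_disconnect() on the same socket from both passing the test and both dropping the reference. If callers are always serialized by some other lock, a comment above the test should say which one, e.g. `/* x25->neighbour is stable here: callers hold <lock> */`; otherwise the test belongs inside the locked region. The start of x25_disconnect() is outside the hunk, so the locking its callers provide cannot be confirmed from here.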
--- /dev/null
+From 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Sat, 25 Apr 2020 21:06:25 +0800
+Subject: net/x25: Fix x25_neigh refcnt leak when x25 disconnect
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 upstream.
+
+x25_connect() invokes x25_get_neigh(), which returns a reference of the
+specified x25_neigh object to "x25->neighbour" with increased refcnt.
+
+When x25 connect succeeds and returns, the reference is still held by
+"x25->neighbour", so the refcount should be decreased in
+x25_disconnect() to keep the refcount balanced.
+
+The reference counting issue happens in x25_disconnect(), which forgets
+to decrease the refcnt increased by x25_get_neigh() in x25_connect(),
+causing a refcnt leak.
+
+Fix this issue by calling x25_neigh_put() before x25_disconnect()
+returns.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/x25/x25_subr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/x25/x25_subr.c
++++ b/net/x25/x25_subr.c
+@@ -357,6 +357,10 @@ void x25_disconnect(struct sock *sk, int
+ sk->sk_state_change(sk);
+ sock_set_flag(sk, SOCK_DEAD);
+ }
++ read_lock_bh(&x25_list_lock);
++ x25_neigh_put(x25->neighbour);
++ x25->neighbour = NULL;
++ read_unlock_bh(&x25_list_lock);
+ }
+
+ /*
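Review bot: `x25_neigh_put(x25->neighbour)` is called unconditionally in the added lines, but per the commit message the pointer is only populated by x25_connect(). A socket closed without ever connecting would therefore reach the put with a NULL pointer. The oops quoted in the other patch on this page (RIP in x25_disconnect, reached from x25_release) appears to be exactly that case. The four added lines need a guard, `if (x25->neighbour) {`, and when backporting, this patch should not be queued without the follow-up that carries it. The start of x25_disconnect() is outside the hunk.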