On Wed, Nov 11, 2020 at 3:41 AM Martin Schiller <m...@dev.tdt.de> wrote:
>
> > 1) When we receive a connection, the x25_rx_call_request function in
> > af_x25.c does not increase the refcount when it assigns the pointer.
> > When we disconnect, x25_disconnect is called and the struct's refcount
> > is decreased without being increased in the first place.
>
> Yes, this is a problem and should be fixed. As an alternative to your
> approach, you could also go the way to prevent the call of
> x25_neigh_put(nb) in x25_lapb_receive_frame() in case of a Call Request.
> However, this would require more effort.

Yes, right. I think my approach is easier.

> > This causes frequent kernel crashes when using AF_X25 sockets.
> >
> > 2) When we initiate a connection but the connection is refused by the
> > remote side, x25_disconnect is called which decreases the refcount and
> > resets the pointer to NULL. But the x25_connect function in af_x25.c,
> > which is waiting for the connection to be established, notices the
> > failure and then tries to decrease the refcount again, resulting in a
> > NULL-pointer-dereference error.
> >
> > This crashes the kernel every time a connection is refused by the
> > remote side.
>
> For this bug I already sent a fix some time ago (last time I sent a
> RESEND yesterday), but unfortunately it was not merged yet:
> https://lore.kernel.org/patchwork/patch/1334917/

I see. Thanks! Hope it will be merged soon!

I'll re-submit my patch without your part after your patch is merged.
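As an added illustration (not code from the thread or from net/x25), here is a constructed userspace model of the reference discipline the two bug reports above are about: a Call Request that stores the neighbour pointer must take a reference, and the disconnect path must be the only place that drops it, so the failure path in connect finds a NULL pointer instead of putting (or dereferencing) again. The struct and function names are simplified stand-ins, not the kernel's own.

```c
/* Constructed model (not kernel code) of the reference discipline the thread
 * discusses: storing the neighbour pointer must take a reference, and only
 * one path may drop it, so a refused connect does not put it twice. */
#include <stddef.h>

struct neigh { int refcnt; int freed; };   /* refcnt models the kernel refcount */
struct sock  { struct neigh *neighbour; }; /* stands in for sk->neighbour */

static void neigh_hold(struct neigh *nb) { nb->refcnt++; }
static void neigh_put(struct neigh *nb)
{
    if (--nb->refcnt == 0)
        nb->freed = 1;                     /* last reference gone, object dead */
}

/* Receive path for a Call Request. With hold == 0 it models the bug the
 * thread describes: the pointer is stored without taking a reference. */
static void rx_call_request(struct sock *sk, struct neigh *nb, int hold)
{
    if (hold)
        neigh_hold(nb);
    sk->neighbour = nb;
}

/* Drops the socket's reference exactly once and clears the pointer, so a
 * later caller (the refused-connect path) finds NULL and does nothing. */
static void disconnect(struct sock *sk)
{
    if (sk->neighbour) {
        neigh_put(sk->neighbour);
        sk->neighbour = NULL;
    }
}

/* Runs both scenarios from the thread. Returns the neighbour's refcount
 * afterwards, or -1 if it was freed. The device's own reference must
 * survive, so a balanced sequence returns 1. */
static int run_scenarios(int hold_on_call_request)
{
    struct neigh nb = { 1, 0 };            /* device holds one reference */
    struct sock sk = { NULL };
    rx_call_request(&sk, &nb, hold_on_call_request); /* 1) incoming call */
    disconnect(&sk);                                 /*    then cleared   */
    neigh_hold(&nb);                       /* 2) outgoing call takes its ref */
    sk.neighbour = &nb;
    disconnect(&sk);                       /*    refused: disconnect puts once */
    disconnect(&sk);                       /*    connect's failure path: no 2nd put */
    return nb.freed ? -1 : nb.refcnt;
}
```

With the missing hold (`run_scenarios(0)`) the device's only reference is dropped by the first disconnect and the object is freed while the device still uses it, which is the crash pattern the first report describes.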