Message ID | 5c61fea1b20f3c1596e4fb46282c3dedc54513a3.1715065005.git.duoming@zju.edu.cn (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Series | ax25: Fix issues of ax25_dev and net_device |
> … in ax25_dev_free(). Replace
…
Can word wrapping look a bit nicer if a single word at the end will be moved
into the subsequent text line?
Regards,
Markus
On 2024-05-07 at 12:33:42, Duoming Zhou (duoming@zju.edu.cn) wrote: > The object "ax25_dev" is managed by reference counting. Thus it should > not be directly released by a kfree() call in ax25_dev_free(). Replace > it with an ax25_dev_put() call instead. > > Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") > Suggested-by: Dan Carpenter <dan.carpenter@linaro.org> > Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> > --- > net/ax25/ax25_dev.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c > index c6ab9b0f0be..2a40c78f6a0 100644 > --- a/net/ax25/ax25_dev.c > +++ b/net/ax25/ax25_dev.c > @@ -195,7 +195,7 @@ void __exit ax25_dev_free(void) > list_for_each_entry_safe(s, n, &ax25_dev_list, list) { > netdev_put(s->dev, &s->dev_tracker); > list_del(&s->list); > - kfree(s); > + ax25_dev_put(s); The commit message "The object "ax25_dev" is managed by reference counting" seems to be not making sense here, in case ref > 0 after the ax25_dev_put(). ax25_dev_put(s) is not initiating any mechanism to come back and recheck. > } > spin_unlock_bh(&ax25_dev_lock); > } > -- > 2.17.1 >
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index c6ab9b0f0be..2a40c78f6a0 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -195,7 +195,7 @@ void __exit ax25_dev_free(void) list_for_each_entry_safe(s, n, &ax25_dev_list, list) { netdev_put(s->dev, &s->dev_tracker); list_del(&s->list); - kfree(s); + ax25_dev_put(s); } spin_unlock_bh(&ax25_dev_lock); }
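Review bot: The changelog does not say which reference the new ax25_dev_put(s) in the ax25_dev_free() loop drops, or why it is expected to be the last one. After list_del(&s->list) the entry can no longer be reached through ax25_dev_list, so if another holder still has a reference when this __exit function runs, the object is not freed here and nothing in this hunk comes back for it; the removed kfree(s) would in the same situation have freed memory that is still in use. Please state in the commit message that this put balances the list's own reference, if that is the case, and what is guaranteed about other outstanding references at module exit.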
The object "ax25_dev" is managed by reference counting. Thus it should not be directly released by a kfree() call in ax25_dev_free(). Replace it with an ax25_dev_put() call instead.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
 net/ax25/ax25_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)