From patchwork Tue May 7 05:52:12 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Duoming Zhou
X-Patchwork-Id: 13656270
X-Patchwork-Delegate: kuba@kernel.org
From: Duoming Zhou
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-hams@vger.kernel.org, pabeni@redhat.com, kuba@kernel.org, edumazet@google.com, davem@davemloft.net, jreuter@yaina.de, horms@kernel.org, Markus.Elfring@web.de, dan.carpenter@linaro.org, lars@oddbit.com, Duoming Zhou
Subject: [PATCH net v4 1/4] ax25: Use kernel universal linked list to implement ax25_dev_list
Date: Tue, 7 May 2024 13:52:12 +0800
Message-Id: <5022fa6a280c3fa852bf3724149251c41ee8303f.1715059894.git.duoming@zju.edu.cn>
X-Mailer: git-send-email 2.17.1

The original ax25_dev_list implements its own singly linked
list, which is complicated and error-prone. For example, when deleting the node of ax25_dev_list in ax25_dev_device_down(), we have to operate on the head node and other nodes separately.

This patch uses kernel universal linked list to replace original ax25_dev_list, which makes the operation of ax25_dev_list easier.

There are two points that need to be noted:

[1] We should add a check to judge whether the list is empty before INIT_LIST_HEAD in ax25_dev_device_up(), otherwise it will empty the list for each new ax25_dev added.

[2] We should do "dev->ax25_ptr = ax25_dev;" and "dev->ax25_ptr = NULL;" while holding the spinlock, otherwise the ax25_dev_device_up() and ax25_dev_device_down() could race, we're not guaranteed to find a matching ax25_dev in ax25_dev_device_down().

Suggested-by: Dan Carpenter
Signed-off-by: Duoming Zhou
---
Changes in v4:
- Make the linux list API as a separate update step.
- Add a check before INIT_LIST_HEAD.
- Do "dev->ax25_ptr = ax25_dev;" while holding the spinlock.

include/net/ax25.h | 4 ++-- net/ax25/ax25_dev.c | 42 +++++++++++++++++------------------------- 2 files changed, 19 insertions(+), 27 deletions(-) diff --git a/include/net/ax25.h b/include/net/ax25.h index 0d939e5aee4..92c6aa4f9a6 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -216,7 +216,7 @@ typedef struct { struct ctl_table; typedef struct ax25_dev { - struct ax25_dev *next; + struct list_head list; struct net_device *dev; netdevice_tracker dev_tracker; @@ -330,7 +330,7 @@ int ax25_addr_size(const ax25_digi *); void ax25_digi_invert(const ax25_digi *, ax25_digi *); /* ax25_dev.c */ -extern ax25_dev *ax25_dev_list; +static struct list_head ax25_dev_list; extern spinlock_t ax25_dev_lock; #if IS_ENABLED(CONFIG_AX25) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 282ec581c07..d4e1e36a6a8 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c
@@ -22,11 +22,11 @@ #include #include #include +#include #include #include #include -ax25_dev *ax25_dev_list; DEFINE_SPINLOCK(ax25_dev_lock); ax25_dev *ax25_addr_ax25dev(ax25_address *addr) @@ -34,7 +34,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) ax25_dev *ax25_dev, *res = NULL; spin_lock_bh(&ax25_dev_lock); - for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) + list_for_each_entry(ax25_dev, &ax25_dev_list, list) if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) { res = ax25_dev; ax25_dev_hold(ax25_dev); @@ -52,6 +52,9 @@ void ax25_dev_device_up(struct net_device *dev) { ax25_dev *ax25_dev; + /* Initialized the list for the first entry */ + if (!ax25_dev_list.next) + INIT_LIST_HEAD(&ax25_dev_list); ax25_dev = kzalloc(sizeof(*ax25_dev), GFP_KERNEL); if (!ax25_dev) { printk(KERN_ERR "AX.25: ax25_dev_device_up - out of memory\n"); @@ -59,7 +62,6 @@ void ax25_dev_device_up(struct net_device *dev) } refcount_set(&ax25_dev->refcount, 1); - dev->ax25_ptr = ax25_dev; ax25_dev->dev = dev; netdev_hold(dev, &ax25_dev->dev_tracker, GFP_KERNEL); ax25_dev->forward = NULL; @@ -85,8 +87,8 @@ void ax25_dev_device_up(struct net_device *dev) #endif spin_lock_bh(&ax25_dev_lock); - ax25_dev->next = ax25_dev_list; - ax25_dev_list = ax25_dev; + list_add(&ax25_dev->list, &ax25_dev_list); + dev->ax25_ptr = ax25_dev; spin_unlock_bh(&ax25_dev_lock); ax25_dev_hold(ax25_dev); 
@@ -111,32 +113,25 @@ void ax25_dev_device_down(struct net_device *dev) /* * Remove any packet forwarding that points to this device. */ - for (s = ax25_dev_list; s != NULL; s = s->next) + list_for_each_entry(s, &ax25_dev_list, list) if (s->forward == dev) s->forward = NULL; - if ((s = ax25_dev_list) == ax25_dev) { - ax25_dev_list = s->next; - goto unlock_put; - } - - while (s != NULL && s->next != NULL) { - if (s->next == ax25_dev) { - s->next = ax25_dev->next; + list_for_each_entry(s, &ax25_dev_list, list) { + if (s == ax25_dev) { + list_del(&s->list); goto unlock_put; } - - s = s->next; } - spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + spin_unlock_bh(&ax25_dev_lock); ax25_dev_put(ax25_dev); return; unlock_put: + dev->ax25_ptr = NULL; spin_unlock_bh(&ax25_dev_lock); ax25_dev_put(ax25_dev); - dev->ax25_ptr = NULL; netdev_put(dev, &ax25_dev->dev_tracker); ax25_dev_put(ax25_dev); } 
@@ -200,16 +195,13 @@ struct net_device *ax25_fwd_dev(struct net_device *dev) */ void __exit ax25_dev_free(void) { - ax25_dev *s, *ax25_dev; + ax25_dev *s, *n; spin_lock_bh(&ax25_dev_lock); - ax25_dev = ax25_dev_list; - while (ax25_dev != NULL) { - s = ax25_dev; - netdev_put(ax25_dev->dev, &ax25_dev->dev_tracker); - ax25_dev = ax25_dev->next; + list_for_each_entry_safe(s, n, &ax25_dev_list, list) { + netdev_put(s->dev, &s->dev_tracker); + list_del(&s->list); kfree(s); } - ax25_dev_list = NULL; spin_unlock_bh(&ax25_dev_lock); }

From patchwork Tue May 7 05:52:28 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Duoming Zhou
X-Patchwork-Id: 13656271
X-Patchwork-Delegate: kuba@kernel.org
From: Duoming Zhou
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-hams@vger.kernel.org, pabeni@redhat.com, kuba@kernel.org, edumazet@google.com, davem@davemloft.net, jreuter@yaina.de, horms@kernel.org, Markus.Elfring@web.de, dan.carpenter@linaro.org, lars@oddbit.com, Duoming Zhou
Subject: [PATCH net v4 2/4] ax25: Fix reference count leak issues of ax25_dev
Date: Tue, 7 May 2024 13:52:28 +0800
Message-Id: <873a4f366024c151442c7306902b16957f623c11.1715059894.git.duoming@zju.edu.cn>
X-Mailer: git-send-email 2.17.1

The ax25_addr_ax25dev() and ax25_dev_device_down() have a reference count
leak issue of the object "ax25_dev".

Memory leak issue in ax25_addr_ax25dev():

The reference count of the object "ax25_dev" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak so far.

Memory leak issues in ax25_dev_device_down():

The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increased when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down, the ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak.

As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Suggested-by: Dan Carpenter
Signed-off-by: Duoming Zhou
---
Changes in v4:
- Make the fix procedure of ax25_dev as a separate update step.

net/ax25/ax25_dev.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d4e1e36a6a8..6a572fe1046 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -38,6 +38,7 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) { res = ax25_dev; ax25_dev_hold(ax25_dev); + break; } spin_unlock_bh(&ax25_dev_lock); @@ -90,7 +91,6 @@ void ax25_dev_device_up(struct net_device *dev) list_add(&ax25_dev->list, &ax25_dev_list); dev->ax25_ptr = ax25_dev; spin_unlock_bh(&ax25_dev_lock); - ax25_dev_hold(ax25_dev); ax25_register_dev_sysctl(ax25_dev); }
@@ -131,7 +131,6 @@ void ax25_dev_device_down(struct net_device *dev) unlock_put: dev->ax25_ptr = NULL; spin_unlock_bh(&ax25_dev_lock); - ax25_dev_put(ax25_dev); netdev_put(dev, &ax25_dev->dev_tracker); ax25_dev_put(ax25_dev); }

From patchwork Tue May 7 05:52:43 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Duoming Zhou
X-Patchwork-Id: 13656272
X-Patchwork-Delegate: kuba@kernel.org
From: Duoming Zhou
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-hams@vger.kernel.org, pabeni@redhat.com, kuba@kernel.org, edumazet@google.com, davem@davemloft.net, jreuter@yaina.de, horms@kernel.org, Markus.Elfring@web.de, dan.carpenter@linaro.org, lars@oddbit.com, Duoming Zhou
Subject: [PATCH net v4 3/4] ax25: Fix reference count leak issues of net_device
Date: Tue, 7 May 2024 13:52:43 +0800
Message-Id: <02697d01b0d95859a9caf45f6b37af2d2b9959d8.1715059894.git.duoming@zju.edu.cn>
X-Mailer: git-send-email 2.17.1

The ax25_dev_device_down() has reference count leak issues of the
object "net_device". When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak.

In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Suggested-by: Dan Carpenter
Signed-off-by: Duoming Zhou
---
Changes in v4:
- Make the fix procedure of net_device as a separate update step.

net/ax25/ax25_dev.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 6a572fe1046..05e556cdc2b 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c
@@ -120,15 +120,9 @@ void ax25_dev_device_down(struct net_device *dev) list_for_each_entry(s, &ax25_dev_list, list) { if (s == ax25_dev) { list_del(&s->list); - goto unlock_put; + break; } } - dev->ax25_ptr = NULL; - spin_unlock_bh(&ax25_dev_lock); - ax25_dev_put(ax25_dev); - return; - -unlock_put: dev->ax25_ptr = NULL; spin_unlock_bh(&ax25_dev_lock); netdev_put(dev, &ax25_dev->dev_tracker);

From patchwork Tue May 7 05:52:55 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Duoming Zhou
X-Patchwork-Id: 13656273
X-Patchwork-Delegate: kuba@kernel.org
From: Duoming Zhou
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, linux-hams@vger.kernel.org, pabeni@redhat.com, kuba@kernel.org, edumazet@google.com, davem@davemloft.net, jreuter@yaina.de, horms@kernel.org, Markus.Elfring@web.de, dan.carpenter@linaro.org, lars@oddbit.com, Duoming Zhou
Subject: [PATCH net v4 4/4] ax25: Change kfree() in ax25_dev_free() to ax25_dev_put()
Date: Tue, 7 May 2024 13:52:55 +0800
Message-Id: <7fdad05adf75ab7e2f6aad4d4c596e0361ce55dd.1715059894.git.duoming@zju.edu.cn>
X-Mailer: git-send-email 2.17.1

The object "ax25_dev" is managed by reference counting.
Thus it should not be directly released by a kfree() call in ax25_dev_free(). Replace it with an ax25_dev_put() call instead.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Suggested-by: Dan Carpenter
Signed-off-by: Duoming Zhou
---
net/ax25/ax25_dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 05e556cdc2b..d4d29879df2 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -194,7 +194,7 @@ void __exit ax25_dev_free(void) list_for_each_entry_safe(s, n, &ax25_dev_list, list) { netdev_put(s->dev, &s->dev_tracker); list_del(&s->list); - kfree(s); + ax25_dev_put(s) } spin_unlock_bh(&ax25_dev_lock); }
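
Review bot: In 1/4, the include/net/ax25.h hunk at @@ -330,7 puts "+static struct list_head ax25_dev_list;" in a shared header, so every file that includes ax25.h gets its own private, zero-filled copy of the list head instead of the one net/ax25/ax25_dev.c manipulates. Define the head once in ax25_dev.c, for example with the static initialiser LIST_HEAD(ax25_dev_list), and drop the declaration from the header; keep an extern declaration only if another file really needs the list.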
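
Review bot: In 1/4, the ax25_dev_device_up() hunk at @@ -52,6 tests "if (!ax25_dev_list.next)" and calls INIT_LIST_HEAD() before ax25_dev_lock is taken, and it is the only place the head is ever initialised. ax25_addr_ax25dev() and ax25_dev_free() in the same patch run list_for_each_entry() and list_for_each_entry_safe() on the head with no such check, so if either runs before the first device comes up it walks a head whose next pointer is still NULL. A statically initialised list head removes both the unlocked check and that window. The new comment would also read better as "Initialize the list for the first entry".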
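
Review bot: In 2/4, the ax25_dev_device_up() hunk at @@ -90,7 leaves ax25_register_dev_sysctl(ax25_dev) running after spin_unlock_bh() on an object that is already published through ax25_dev_list and dev->ax25_ptr and, with the ax25_dev_hold() removed, carries only the single reference from refcount_set(). The 1/4 commit message says ax25_dev_device_up() and ax25_dev_device_down() can race; if that is so, a concurrent down can drop the last reference before the sysctl registration touches the object. Either register before publishing the object under the lock or explain in the commit message why the two cannot overlap here, and add a comment saying which owner the one remaining reference belongs to.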
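
Review bot: In 3/4, the ax25_dev_device_down() hunk at @@ -120,15 replaces "goto unlock_put" with "break", so the result of the list walk no longer affects what follows: netdev_put() and ax25_dev_put() now run whether or not ax25_dev was found on ax25_dev_list. The commit message should state that an ax25_dev reaching this point always holds both references even when it is not on the list; if that case is not expected at all, a WARN_ON_ONCE() on the not-found path would make an unbalanced put visible instead of silent.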
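
Review bot: In 4/4, the added line "+ ax25_dev_put(s)" in the ax25_dev_free() hunk at @@ -194,7 has no terminating semicolon, so net/ax25/ax25_dev.c will not compile as posted. It should read "ax25_dev_put(s);".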