2024-05-07 14:18:44

by Ratheesh Kannoth

Subject: Re: [PATCH net v5 4/4] ax25: Change kfree() in ax25_dev_free() to ax25_dev_put()

On 2024-05-07 at 12:33:42, Duoming Zhou ([email protected]) wrote:
> The object "ax25_dev" is managed by reference counting. Thus it should
> not be directly released by a kfree() call in ax25_dev_free(). Replace
> it with a ax25_dev_put() call instead.
>
> Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
> Suggested-by: Dan Carpenter <[email protected]>
> Signed-off-by: Duoming Zhou <[email protected]>
> ---
> net/ax25/ax25_dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
> index c6ab9b0f0be..2a40c78f6a0 100644
> --- a/net/ax25/ax25_dev.c
> +++ b/net/ax25/ax25_dev.c
> @@ -195,7 +195,7 @@ void __exit ax25_dev_free(void)
> list_for_each_entry_safe(s, n, &ax25_dev_list, list) {
> netdev_put(s->dev, &s->dev_tracker);
> list_del(&s->list);
> - kfree(s);
> + ax25_dev_put(s);
The commit message "The object "ax25_dev" is managed by reference counting"
seems not to make sense here, in case ref > 0 after the ax25_dev_put().
ax25_dev_put(s) is not initiating any mechanism to come back and recheck.

> }
> spin_unlock_bh(&ax25_dev_lock);
> }
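Review bot: at the new ax25_dev_put(s) in the list_for_each_entry_safe() loop, the entry has already been unlinked by list_del(&s->list), so if this put does not drop the last reference the object is no longer reachable from ax25_dev_list and its release depends entirely on whoever still holds a reference. ax25_dev_free() is marked __exit, and nothing in the visible lines waits for, or checks for, outstanding references before the function returns. The commit message should say why the count is expected to reach zero at this point, or which remaining holder performs the final put. If a non-zero count here would indicate a leak, a warning on that condition would make it visible instead of silent.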
> --
> 2.17.1
>