From: Sven Eckelmann
To: Marek Lindner, Simon Wunderlich, Antonio Quartulli, "David S. Miller", Jakub Kicinski, b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Xiyu Yang
Cc: yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xiyu Yang, Xin Tan
Subject: Re: [PATCH] batman-adv: Fix orig node refcnt leak when creating neigh node
Date: Fri, 18 Sep 2020 08:22:43 +0200
Message-ID: <3173635.NQHa8YD4nL@ripper>
In-Reply-To: <1600398200-8198-1-git-send-email-xiyuyang19@fudan.edu.cn>
References: <1600398200-8198-1-git-send-email-xiyuyang19@fudan.edu.cn>

On Friday, 18 September 2020 05:03:19 CEST Xiyu Yang wrote:
> batadv_neigh_node_create() is used to create a neigh node object, whose
> fields will be initialized with the specific object. When a new
> reference of the specific object is created during the initialization,
> its refcount should be increased.
>
> However, when the "neigh_node" object initializes its orig_node field
> with the "orig_node" object, the function forgets to hold the refcount
> of the "orig_node", causing a potential refcount leak and use-after-free
> issue for the reason that the object can be freed in other places.
>
> Fix this issue by increasing the refcount of the orig_node object during
> the initialization and adding a corresponding batadv_orig_node_put() in
> batadv_neigh_node_release().

I will most likely not add this patch because I have concerns that this would need an active garbage collector to fix the reference counter loop.

Please check batadv_neigh_node::orig_node (whose reference counter you've just incremented) and batadv_orig_node::neigh_list (with batadv_neigh_node). And at the same time the batadv_neigh_node_release and batadv_orig_node_release.
So the originator will only free the reference (and thus potentially call batadv_neigh_node_release) when its own reference counter is zero. But it cannot become zero because the neigh_node is holding a reference to this originator.

Kind regards,
Sven
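A constructed C model of the reference loop described in the reply above (an added example, not batman-adv code): two objects play the roles of batadv_orig_node and batadv_neigh_node, a `patched` flag stands for the extra orig_node reference the patch would take in batadv_neigh_node_create(), and `simulate_last_put()` performs the creator's final put to see whether plain reference counting can still reclaim the pair. Every name other than the two struct fields quoted from the mail is invented here.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the two objects named in the mail: field names follow
 * batadv_neigh_node::orig_node and batadv_orig_node::neigh_list, the rest is invented. */
struct orig_node;
struct neigh_node { int refcount; struct orig_node *orig_node; };
struct orig_node { int refcount; struct neigh_node *neigh_list; }; /* one entry stands in for the list */
static bool neigh_holds_orig_ref;   /* true = behaviour with the proposed patch applied */
static int freed_orig, freed_neigh; /* lets the caller observe which releases ran */
static void neigh_node_put(struct neigh_node *n);

/* stand-in for batadv_orig_node_release(): drops the neighbour it owns */
static void orig_node_put(struct orig_node *o)
{
    if (--o->refcount > 0) return;
    neigh_node_put(o->neigh_list);
    free(o);
    freed_orig++;
}

/* stand-in for batadv_neigh_node_release(); with the patch it also drops the
 * orig_node reference that batadv_neigh_node_create() would take */
static void neigh_node_put(struct neigh_node *n)
{
    if (--n->refcount > 0) return;
    if (neigh_holds_orig_ref) orig_node_put(n->orig_node);
    free(n);
    freed_neigh++;
}

/* Create an originator with one neighbour, then drop the creator's only
 * orig_node reference. Returns true when refcounting reclaimed both objects. */
bool simulate_last_put(bool patched)
{
    struct orig_node *o = calloc(1, sizeof(*o));
    struct neigh_node *n = calloc(1, sizeof(*n));
    neigh_holds_orig_ref = patched;
    freed_orig = freed_neigh = 0;
    o->refcount = 1;             /* the creator's reference */
    n->refcount = 1;             /* held through o->neigh_list */
    o->neigh_list = n;
    n->orig_node = o;
    if (patched) o->refcount++;  /* n->orig_node now pins the originator as well */
    orig_node_put(o);            /* the creator lets go of the originator */
    if (!freed_orig) {           /* refcount stuck at 1: the loop the mail describes */
        free(n);                 /* only an external collector could reclaim the pair */
        free(o);
    }
    return freed_orig == 1 && freed_neigh == 1;
}
```

Without the back-reference the originator's last put cascades into the neighbour's release; with it, the originator's counter stops at one because the neighbour it would release is the holder of that remaining reference, which is exactly why an external collector would be needed.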