Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp969685pxk;
        Thu, 17 Sep 2020 23:33:46 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzMW5+q8nUfZOFqnabZ1iAM2Rf7xH6oJlpfPalN8SZzEjuhrE7/HCncKTgIVXp74YVS2lYs
X-Received: by 2002:aa7:d4d0:: with SMTP id t16mr37095483edr.83.1600410826499;
        Thu, 17 Sep 2020 23:33:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1600410826; cv=none;
        d=google.com; s=arc-20160816;
        b=AElz30w48oxzIX4QGAGAn5zrhXVU1YbGDTe04R3sMHEApOAGX6w8CYKQgFdzl90ZIP
         iocuy1xsJBZZPrExMxhRHAlZxTdxV+QX4nxiCeVa5JnL33Yx7awHjfakaHvdbmNgWlfG
         WEGb40Ke7MqKnept5qhkP0NkbvA3iKHidFZPNM9Pm4qdCEN1jvOJkSkhYoc5AtcjPQ9B
         lcGoN3/Z/x1WDLRdFsSd7gqMLadpQIMuofAfn2C6um9MfY+Vn/fBkKKjI00X2V7J+cdD
         xdD1miOtxTE8wCu/e8+sbnN97pFAz4cyK0Rqd69X7QeeGKIw6pD07AsCodaxzHnMOc5a
         wPew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:references:in-reply-to:message-id
         :date:subject:cc:to:from:dkim-signature;
        bh=J7DOruZAPYo1Ziyj0KQ/CLpIQiG4PiroPi3tQfV9R4A=;
        b=ue6XPc/Wv2keV5FIoAOCkXXQbX2LqPTxQh9apTKkfuXKsNZ2+pjDazv4Bng5ZZedZa
         lZlRJ281NhTmfbpnheL/L1SVVpC3U1iaev/D6P0Ngumb52vkGRsgOxkkcagp5qSL9WJd
         rb7B96/2wsSTwqR48vRGIvE11mxXi34Akjc3+r1EBV2k5/YH6bTrUuNUJbLZjvcj9q+q
         QhFvJcHyqUbeB7eyKlqFWo5HbLEnf24nqhJIiD9fDoLad/cQgWhYb7t1pViErqlmKeHy
         B35wsTkTWCCIjYRMWOapar6LhrKweYB5I97/XuHYbcW/PUSRtQcV//WuJG+StIE04N5Z
         x1iA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@narfation.org header.s=20121 header.b=up203ko1;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=narfation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ga5si1912628ejb.547.2020.09.17.23.33.22;
        Thu, 17 Sep 2020 23:33:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@narfation.org header.s=20121 header.b=up203ko1;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=narfation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726402AbgIRGbT (ORCPT <rfc822;7819ynot@gmail.com> + 99 others);
        Fri, 18 Sep 2020 02:31:19 -0400
Received: from dvalin.narfation.org ([213.160.73.56]:42618 "EHLO
        dvalin.narfation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726218AbgIRGbT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 18 Sep 2020 02:31:19 -0400
X-Greylist: delayed 511 seconds by postgrey-1.27 at vger.kernel.org; Fri, 18 Sep 2020 02:31:18 EDT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=narfation.org;
        s=20121; t=1600410166;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=J7DOruZAPYo1Ziyj0KQ/CLpIQiG4PiroPi3tQfV9R4A=;
        b=up203ko1vwx17X+A1tHjX6Esz3Zx2KzqkgJ07D3TCdHXaTpQaCWPv6NsuUt3xnoCN0DQuA
        ZE2FsRz/z/Y6qcAtlu8AiZk/zzxQGaFlG9uPY8bM7PQB9eMsWgSNACFwwc/t5lxS0NK7gr
        I+BbgaLv1Kag4Y2coGLVSpgB/ucQl1k=
From:   Sven Eckelmann <sven@narfation.org>
To:     Marek Lindner <mareklindner@neomailbox.ch>,
        Simon Wunderlich <sw@simonwunderlich.de>,
        Antonio Quartulli <a@unstable.cc>,
        "David S. Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>,
        b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, Xiyu Yang <xiyuyang19@fudan.edu.cn>
Cc:     yuanxzhang@fudan.edu.cn, kjlu@umn.edu,
        Xiyu Yang <xiyuyang19@fudan.edu.cn>,
        Xin Tan <tanxin.ctf@gmail.com>
Subject: Re: [PATCH] batman-adv: Fix orig node refcnt leak when creating neigh node
Date:   Fri, 18 Sep 2020 08:22:43 +0200
Message-ID: <3173635.NQHa8YD4nL@ripper>
In-Reply-To: <1600398200-8198-1-git-send-email-xiyuyang19@fudan.edu.cn>
References: <1600398200-8198-1-git-send-email-xiyuyang19@fudan.edu.cn>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3372165.47aDjYEo1S"; micalg="pgp-sha512"; protocol="application/pgp-signature"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

--nextPart3372165.47aDjYEo1S
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

On Friday, 18 September 2020 05:03:19 CEST Xiyu Yang wrote:
> batadv_neigh_node_create() is used to create a neigh node object, whose
> fields will be initialized with the specific object. When a new
> reference of the specific object is created during the initialization,
> its refcount should be increased.
> 
> However, when "neigh_node" object initializes its orig_node field with
> the "orig_node" object, the function forgets to hold the refcount of the
> "orig_node", causing a potential refcount leak and use-after-free issue
> for the reason that the object can be freed in other places.
> 
> Fix this issue by increasing the refcount of orig_node object during the
> initialization and adding corresponding batadv_orig_node_put() in
> batadv_neigh_node_release().


I will most likely not add this patch because I have concerns that this would 
need an active garbage collector to fix the reference counter loop.

Please check batadv_neigh_node::orig_node (whose reference counter you've just 
incremented) and batadv_orig_node::neigh_list (with batadv_neigh_node). And at 
the same time the batadv_neigh_node_release and batadv_orig_node_release. So 
the originator will only free the reference (and thus potentially call 
batadv_neigh_node_release) when its own reference counter is zero. But it 
cannot become zero because the neigh_node is holding a reference to this 
originator.

Kind regards,
	Sven

--nextPart3372165.47aDjYEo1S
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part.
Content-Transfer-Encoding: 7Bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEF10rh2Elc9zjMuACXYcKB8Eme0YFAl9kUjMACgkQXYcKB8Em
e0Z1hw/9Hhq8F/9JHS0zWSv7J58oJSa2gi0ONWuLkTN6XX2g0qY/w9Kn1vbPTIK1
VCI2bDDDTbZxk51mxJO0kpE6Q5r8wrFrV+ESoQE/ccFDy6OxtUxCveL6jsfwXIWw
zgQY44iumPlxrjnc0uOCR+7vbAFXjz2u9EekF/gv4etbDTvp0ZNt0QM4hAvDXsBH
q3RHY6ywuwUu7nRlXPNcmGWNrCpUrindQiRUB4vZXoLckjRgD3MerFjSnd1kp32B
Wd3WPqb+nggqNX8eCX4GGsLXk+wsstIDhtG/aLwNpJWd2kAkfq2zeWQ0GltzdUQk
Z17hIPOGEqKCgGmC7akHunAo9M3TFkglnO1NgYL36j6RcRgQV6VLClovP6Qk8Iin
kPyrUWXOH9slZnIH+enp1vggkepKmI8kMG+5OVVNXfMoRMbVSyboiKuyI5+Tig3A
8U+9Z6H29fhNv7E7BSCRg+VfEZXInjBcKuwSD6bZ4IE8RA3HFh0ZcOIjBiWUekUm
tP890PFNb2mTJzOHZ8cFbyxuJ64o2R8pEQvVNdw8y2oth01QEzVVsaAL0QFQG8g/
rtBKpZqog0kC+PIysIaFhGupjrZzb/+hvHpamo1JDcdGzZ5Ve8U0bmJPOc4CfeRA
r8RZz31EgGebqlbdGPvWPhZAY3NcMVq0LBS78WCDUNOiPc589Co=
=5J+s
-----END PGP SIGNATURE-----

--nextPart3372165.47aDjYEo1S--