Date: Fri, 27 May 2022 10:11:33 +0200
From: Thomas Osterried
To: Duoming Zhou
Cc: netdev@vger.kernel.org, jreuter@yaina.de, ralf@linux-mips.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-kernel@vger.kernel.org, linux-hams@vger.kernel.org, thomas@osterried.de
Subject: Re: [PATCH net] ax25: Fix ax25 session cleanup problem in ax25_release
References: <20220525112850.102363-1-duoming@zju.edu.cn>
In-Reply-To: <20220525112850.102363-1-duoming@zju.edu.cn>

I tested several cases: this patch works as expected.
Anyone else tested it?

vy 73,
- Thomas dl9sau

On Wed, May 25, 2022 at 07:28:50PM +0800, Duoming Zhou wrote:
> The timers of ax25 are used for correct session cleanup.
> If we use ax25_release() to close ax25 sessions and
> ax25_dev is not null, the del_timer_sync() functions in
> ax25_release() will execute. As a result, the sessions
> could not be cleaned up correctly, because the timers
> have stopped.
>
> This patch adds a device_up flag in ax25_dev in order to
> judge whether the device is up. If there are sessions to
> be cleaned up, the del_timer_sync() in ax25_release() will
> not execute. As a result the sessions could be cleaned up
> correctly.
>
> Fixes: 82e31755e55f ("ax25: Fix UAF bugs in ax25 timers")
> Reported-by: Thomas Osterried
> Signed-off-by: Duoming Zhou
> --- > include/net/ax25.h | 1 + > net/ax25/af_ax25.c | 13 ++++++++----- > net/ax25/ax25_dev.c | 1 + > 3 files changed, 10 insertions(+), 5 deletions(-) > > diff --git a/include/net/ax25.h b/include/net/ax25.h > index 0f9790c455b..a427a05672e 100644
> --- a/include/net/ax25.h > +++ b/include/net/ax25.h > @@ -228,6 +228,7 @@ typedef struct ax25_dev { > ax25_dama_info dama; > #endif > refcount_t refcount; > + bool device_up; > } ax25_dev; > > typedef struct ax25_cb { > diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c > index 363d47f9453..47ce6b630cc 100644 > --- a/net/ax25/af_ax25.c > +++ b/net/ax25/af_ax25.c > @@ -81,6 +81,7 @@ static void ax25_kill_by_device(struct net_device *dev) > > if ((ax25_dev = ax25_dev_ax25dev(dev)) == NULL) > return; > + ax25_dev->device_up = false; > > spin_lock_bh(&ax25_list_lock); > again: > @@ -1053,11 +1054,13 @@ static int ax25_release(struct socket *sock) > ax25_destroy_socket(ax25); > } > if (ax25_dev) { > - del_timer_sync(&ax25->timer); > - del_timer_sync(&ax25->t1timer); > - del_timer_sync(&ax25->t2timer); > - del_timer_sync(&ax25->t3timer); > - del_timer_sync(&ax25->idletimer); > + if (!ax25_dev->device_up) { > + del_timer_sync(&ax25->timer); > + del_timer_sync(&ax25->t1timer); > + del_timer_sync(&ax25->t2timer); > + del_timer_sync(&ax25->t3timer); > + del_timer_sync(&ax25->idletimer); > + } > dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker); > ax25_dev_put(ax25_dev); > } > diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c > index d2a244e1c26..5451be15e07 100644 > --- a/net/ax25/ax25_dev.c > +++ b/net/ax25/ax25_dev.c > @@ -62,6 +62,7 @@ void ax25_dev_device_up(struct net_device *dev) > ax25_dev->dev = dev; > dev_hold_track(dev, &ax25_dev->dev_tracker, GFP_ATOMIC); > ax25_dev->forward = NULL; > + ax25_dev->device_up = true; > > ax25_dev->values[AX25_VALUES_IPDEFMODE] = AX25_DEF_IPDEFMODE; > ax25_dev->values[AX25_VALUES_AXDEFMODE] = AX25_DEF_AXDEFMODE; > -- > 2.17.1 >
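
Review bot: In the include/net/ax25.h hunk, the new `bool device_up;` member of ax25_dev has no comment saying who writes it and what a reader may conclude from it. A one-line comment beside the field (set in ax25_dev_device_up(), cleared in ax25_kill_by_device(), tested in ax25_release()) would keep that rule visible to the next person who touches the struct.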
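
Review bot: In the ax25_kill_by_device() hunk, `ax25_dev->device_up = false;` is stored before `spin_lock_bh(&ax25_list_lock);`, and the test `if (!ax25_dev->device_up)` in the ax25_release() hunk shows no matching lock, so the flag is written and read with no synchronization visible in the patch. Either move the store under a lock that the reader also holds, or annotate both sides with WRITE_ONCE()/READ_ONCE() and state in the commit message why a stale read in ax25_release() is harmless.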
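
Review bot: In the ax25_release() hunk, the five del_timer_sync() calls now run only under `if (!ax25_dev->device_up)`, while dev_put_track() and ax25_dev_put() still run unconditionally right after, and the commit message does not say why that is safe. Since the Fixes: tag names "ax25: Fix UAF bugs in ax25 timers", the message should explain why leaving the timers armed while the device is up cannot let a timer handler run against state this function has already released. A short comment above the new `if` would also help, because the commit message describes the condition as "sessions to be cleaned up" whereas the code tests the device state.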