From: Duoming Zhou
To: linux-hams@vger.kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, pabeni@redhat.com, kuba@kernel.org, edumazet@google.com, davem@davemloft.net, jreuter@yaina.de, dan.carpenter@linaro.org, lars@oddbit.com, Duoming Zhou
Subject: [PATCH net] ax25: Fix refcount leak issues of ax25_dev
Date: Wed, 1 May 2024 14:02:18 +0800
Message-Id: <20240501060218.32898-1-duoming@zju.edu.cn>
X-Mailer: git-send-email 2.17.1

There are two scenarios that might cause refcount leak issues of ax25_dev.

Scenario one: The refcount of ax25_dev potentially increases more than once in ax25_addr_ax25dev(), which will cause a memory leak.
In order to fix the above issue, only increase the refcount of ax25_dev once, when the res is not null.

Scenario two: The original code sets the refcount of ax25_dev to 1 in the initial stage and then increases the refcount when the ax25_dev is added to the ax25_dev_list. As a result, the refcount of ax25_dev is 2. But when the device is shutting down, ax25_dev_device_down() drops the refcount once or twice depending on whether we goto unlock_put or not, which will cause a memory leak.

In order to mitigate the above issues, only increase the refcount of ax25_dev when the ax25_dev is added to the ax25_dev_list and decrease the refcount of ax25_dev after it is removed from the ax25_dev_list. What's more, the ax25_dev should not be deallocated directly by kfree() in ax25_dev_free(); replace it with ax25_dev_put() instead.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Reported-by: Dan Carpenter
Signed-off-by: Duoming Zhou
---
 net/ax25/ax25_dev.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 282ec581c07..0e6dd98d3fa 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -37,8 +37,9 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr) for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next) if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) { res = ax25_dev; - ax25_dev_hold(ax25_dev); } + if (res) + ax25_dev_hold(res); spin_unlock_bh(&ax25_dev_lock); return res; @@ -58,7 +59,6 @@ void ax25_dev_device_up(struct net_device *dev) return; } - refcount_set(&ax25_dev->refcount, 1); dev->ax25_ptr = ax25_dev; ax25_dev->dev = dev; netdev_hold(dev, &ax25_dev->dev_tracker, GFP_KERNEL);
@@ -88,7 +88,7 @@ void ax25_dev_device_up(struct net_device *dev) ax25_dev->next = ax25_dev_list; ax25_dev_list = ax25_dev; spin_unlock_bh(&ax25_dev_lock); - ax25_dev_hold(ax25_dev); + refcount_set(&ax25_dev->refcount, 1); ax25_register_dev_sysctl(ax25_dev); } @@ -135,7 +135,6 @@ void ax25_dev_device_down(struct net_device *dev) unlock_put: spin_unlock_bh(&ax25_dev_lock); - ax25_dev_put(ax25_dev); dev->ax25_ptr = NULL; netdev_put(dev, &ax25_dev->dev_tracker); ax25_dev_put(ax25_dev); @@ -208,7 +207,7 @@ void __exit ax25_dev_free(void) s = ax25_dev; netdev_put(ax25_dev->dev, &ax25_dev->dev_tracker); ax25_dev = ax25_dev->next; - kfree(s); + ax25_dev_put(s); } ax25_dev_list = NULL; spin_unlock_bh(&ax25_dev_lock); -- 2.17.1
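Review bot: in the ax25_addr_ax25dev() hunk (@@ -37,8 +37,9 @@) the loop still has no `break`, so after `res = ax25_dev;` it keeps walking the rest of ax25_dev_list and res ends up as the last match; with the single `ax25_dev_hold(res)` now placed after the loop this no longer leaks, but a `break;` right after the assignment would save the extra iterations and return (and hold) the first match, which is the usual lookup semantics.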
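Review bot: in the first ax25_dev_device_up() hunk (@@ -58,7 +59,6 @@), dropping `refcount_set(&ax25_dev->refcount, 1);` here leaves the refcount at zero while the very next line already publishes the object through `dev->ax25_ptr = ax25_dev;`; any ax25_dev_hold() reached via dev->ax25_ptr before the later refcount_set() runs is an increment on zero, which refcount_t reports with a WARN as a possible use-after-free. Keeping the refcount_set() in its original place, before the object becomes reachable, and only deleting the extra ax25_dev_hold() in the list-insertion hunk would remove the double count without opening this window.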
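Review bot: in the second ax25_dev_device_up() hunk (@@ -88,7 +88,7 @@), `refcount_set(&ax25_dev->refcount, 1);` now runs after `spin_unlock_bh(&ax25_dev_lock);`, at which point ax25_dev is already the head of ax25_dev_list; a concurrent ax25_addr_ax25dev() can find it in that window and take a hold that the subsequent refcount_set() then overwrites to 1, losing that reference. Either initialise the count before the list insertion (under the lock, or at allocation as the previous hunk used to) or make this hunk a plain deletion of the old `ax25_dev_hold(ax25_dev);`.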
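Review bot: in the ax25_dev_device_down() hunk (@@ -135,7 +135,6 @@), the single `ax25_dev_put(ax25_dev);` left on the unlock_put path is the drop of what the commit message calls the list reference, and it correctly stays after `netdev_put(dev, &ax25_dev->dev_tracker);` because dev_tracker lives inside ax25_dev and this put may free it; a one-line comment saying so (for example `/* drop the ax25_dev_list reference */`) would make the pairing with ax25_dev_device_up() visible to the next reader, who otherwise sees an unpaired put after a label.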
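Review bot: in the ax25_dev_free() hunk (@@ -208,7 +207,7 @@), `ax25_dev_put(s)` in place of `kfree(s)` follows the rule in the commit message, and the loop reads `ax25_dev = ax25_dev->next;` before the put, so the traversal never touches freed memory; it would still help to say in the commit message that this put only drops the list reference, so an ax25_dev still held by another user is no longer freed underneath that user at module exit, which is the UAF fix rather than a leak.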
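As an added illustration of the two scenarios in the commit message (not code from the patch or the kernel), this userspace C model replays the refcount accounting of the old and patched versions of ax25_addr_ax25dev(), ax25_dev_device_up() and ax25_dev_device_down() with plain ints in place of refcount_t; the structure, helpers and device list are constructed stand-ins, and a leftover count of zero means the accounting is balanced.

```c
/* Constructed userspace model of the ax25_dev refcount accounting described
 * in the commit message; not kernel code. Names mirror the patch, but the
 * structure and helpers are stand-ins with plain ints for refcount_t. */
#include <string.h>

struct ax25_dev {
    const char *addr;
    int refcount;
    struct ax25_dev *next;
};
static void ax25_dev_hold(struct ax25_dev *d) { d->refcount++; }
static void ax25_dev_put(struct ax25_dev *d) { d->refcount--; }

/* Scenario one. Old lookup: hold inside the loop, which has no break, so
 * every entry matching addr is held; patched: one hold on res after the loop. */
static struct ax25_dev *ax25_addr_ax25dev(struct ax25_dev *list, const char *addr, int patched)
{
    struct ax25_dev *res = NULL, *d;
    for (d = list; d != NULL; d = d->next)
        if (strcmp(addr, d->addr) == 0) {
            res = d;
            if (!patched)
                ax25_dev_hold(d);
        }
    if (patched && res)
        ax25_dev_hold(res);
    return res;
}

/* Register the same address twice (each entry starts at 1, the list's own
 * reference), do one lookup + put, and return references left beyond that. */
int leaked_after_lookup(int patched)
{
    struct ax25_dev b = {"A", 1, NULL}, a = {"A", 1, &b};
    struct ax25_dev *r = ax25_addr_ax25dev(&a, "A", patched);
    ax25_dev_put(r);                       /* caller releases its lookup ref */
    return (a.refcount - 1) + (b.refcount - 1);
}

/* Scenario two. Old up(): refcount_set(1) plus an extra hold on list insert;
 * old down(): one put, plus a second one only on the unlock_put path.
 * Patched: refcount_set(1) on insert and exactly one put on the way down. */
int refs_after_device_down(int patched, int via_unlock_put)
{
    struct ax25_dev d = {"B", 1, NULL};    /* refcount_set(&refcount, 1) */
    if (!patched)
        ax25_dev_hold(&d);                 /* old extra hold after list insert */
    if (!patched && via_unlock_put)
        ax25_dev_put(&d);                  /* the put the patch removes */
    ax25_dev_put(&d);                      /* the put after netdev_put() */
    return d.refcount;                     /* 0 means the device is freed */
}
```

The old lookup leaves one reference stranded on the first of two matching entries, and the old device-down path only balances when it reaches unlock_put; the patched variants return zero in every case.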