From: Sven Eckelmann <sven@narfation.org>
To: WenTao Liang <vulab@iscas.ac.cn>,
	linux-kernel@vger.kernel.org, b.a.t.m.a.n@lists.open-mesh.org
Subject: Fwd: Re: [PATCH] fix: net/batman-adv: batadv_interface_kill_vid: extra batadv_meshif_vlan_put after destroy
Date: Sun, 28 Jun 2026 06:48:16 +0200
Message-ID: <2572903.ElGaqSPkdT@sven-desktop>


----------  Forwarded Message  ----------
[...]
New issues:
- [High] Removing the final `batadv_meshif_vlan_put()` call in `batadv_interface_kill_vid()` introduces a permanent reference count leak, preventing the VLAN object from ever being freed or unlinked from `meshif_vlan_list`.
[...]
--

commit 0818db7c27664fbdfdce2f408c5630f66e16ed4d
Author: WenTao Liang <vulab@iscas.ac.cn>

fix: net/batman-adv: batadv_interface_kill_vid: extra batadv_meshif_vlan_put after destroy

This commit removes a batadv_meshif_vlan_put() call in
batadv_interface_kill_vid() to address a suspected refcount underflow and
potential use-after-free.

> diff --git a/net/batman-adv/mesh-interface.c b/net/batman-adv/mesh-interface.c
> index 44026810b99ce..e39c9c0ffe46e 100644
> --- a/net/batman-adv/mesh-interface.c
> +++ b/net/batman-adv/mesh-interface.c
> @@ -693,9 +693,6 @@ static int batadv_interface_kill_vid(struct net_device *dev, __be16 proto,
>  
>  	batadv_meshif_destroy_vlan(bat_priv, vlan);
>  
> -	/* finally free the vlan object */
> -	batadv_meshif_vlan_put(vlan);
> -

[Severity: High]
Does removing this batadv_meshif_vlan_put() call introduce a permanent
reference count leak?

batadv_meshif_create_vlan() assigns a base refcount of 1 representing the
list's ownership. In batadv_interface_kill_vid(), batadv_meshif_vlan_get()
acquires a temporary reference, incrementing the count.
batadv_meshif_destroy_vlan() then drops the list's base reference.

Doesn't the caller still need to drop its temporary reference with this
second put() to reach a refcount of 0 and trigger
batadv_meshif_vlan_release()?

>  	return 0;
>  }
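
Review bot: the two removed lines after `batadv_meshif_destroy_vlan(bat_priv, vlan);` are the only put visible in this hunk, and without them the function reaches `return 0;` with no release of `vlan` on this path. The commit message calls the put extra but does not show which get it fails to pair with; per the analysis in this message, destroy drops the list's base reference and this put drops the caller's temporary one, so removing it leaves the count at 1 and the release function never runs. Suggest dropping the change, or, if an underflow was actually observed, putting the refcount trace in the commit message and fixing the unbalanced path it points to.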
[...]
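
The reference accounting the review describes, as a user-space C model added here for illustration (not part of the original message and not the batman-adv source). Every `model_*` name is hypothetical, and the model assumes, as the review states, that create starts the count at 1 and destroy drops exactly that reference.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every model_* name is hypothetical. */
struct model_vlan {
	int refcount;   /* stands in for the object's reference counter */
	bool on_list;   /* still linked on the modelled VLAN list */
	bool released;  /* the release callback would have run */
};

static void model_create(struct model_vlan *v)
{
	v->refcount = 1;        /* base reference owned by the list */
	v->on_list = true;
	v->released = false;
}

static void model_get(struct model_vlan *v) { v->refcount++; }

static void model_put(struct model_vlan *v)
{
	if (--v->refcount == 0) {   /* last reference: unlink and free */
		v->on_list = false;
		v->released = true;
	}
}

/* Assumption taken from the review: destroy drops the list's reference. */
static void model_destroy(struct model_vlan *v) { model_put(v); }

/* kill_vid sequence; final_put=true is the code before the patch. */
static int model_kill_vid(struct model_vlan *v, bool final_put)
{
	model_get(v);           /* temporary reference taken by the caller */
	model_destroy(v);       /* count back to 1, object still alive */
	if (final_put)
		model_put(v);   /* caller's reference: count reaches 0 */
	return v->refcount;     /* 0 = released, 1 = leaked */
}

int main(void)
{
	struct model_vlan before, after;
	model_create(&before);
	model_create(&after);
	printf("with final put:    refcount=%d\n", model_kill_vid(&before, true));
	printf("without final put: refcount=%d\n", model_kill_vid(&after, false));
	return 0;
}
```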

