* [PATCH net v2 1/2] ax25: change kfree in ax25_dev_free to ax25_dev_free
2024-05-02 23:36 [PATCH net v2 0/2] ax25: fix reference counting issue of ax25_dev Duoming Zhou
@ 2024-05-02 23:36 ` Duoming Zhou
2024-05-03 5:36 ` Markus Elfring
2024-05-02 23:36 ` [PATCH net v2 2/2] ax25: fix potential reference counting leak in ax25_addr_ax25dev Duoming Zhou
2024-05-03 5:10 ` [PATCH net v2 0/2] ax25: fix reference counting issue of ax25_dev Dan Carpenter
2 siblings, 1 reply; 9+ messages in thread
From: Duoming Zhou @ 2024-05-02 23:36 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, linux-hams, pabeni, kuba, edumazet, davem, jreuter,
horms, Markus.Elfring, dan.carpenter, lars, Duoming Zhou
The ax25_dev is managed by reference counting, so it should not be
deallocated directly by kfree() in ax25_dev_free(), replace it with
ax25_dev_put() instead.
Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
net/ax25/ax25_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
index 282ec581c07..07723095c60 100644
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -208,7 +208,7 @@ void __exit ax25_dev_free(void)
s = ax25_dev;
netdev_put(ax25_dev->dev, &ax25_dev->dev_tracker);
ax25_dev = ax25_dev->next;
- kfree(s);
+ ax25_dev_put(s);
}
ax25_dev_list = NULL;
spin_unlock_bh(&ax25_dev_lock);
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH net v2 1/2] ax25: change kfree in ax25_dev_free to ax25_dev_free
2024-05-02 23:36 ` [PATCH net v2 1/2] ax25: change kfree in ax25_dev_free to ax25_dev_free Duoming Zhou
@ 2024-05-03 5:36 ` Markus Elfring
2024-05-03 11:33 ` Dan Carpenter
0 siblings, 1 reply; 9+ messages in thread
From: Markus Elfring @ 2024-05-03 5:36 UTC (permalink / raw)
To: Duoming Zhou, linux-hams, netdev, kernel-janitors,
David S. Miller, Eric Dumazet, Jakub Kicinski, Jörg Reuter,
Paolo Abeni
Cc: LKML, Dan Carpenter, Lars Kellogg-Stedman
> The ax25_dev is managed by reference counting, so it should not be
> deallocated directly by kfree() in ax25_dev_free(), replace it with
> ax25_dev_put() instead.
You repeated a wording mistake in the summary phrase from a previous cover letter.
Please avoid confusion about desired code replacements.
How do you think about to append parentheses to involved function names?
Would you find the following change description a bit nicer?
The object “ax25_dev” is managed by reference counting.
Thus it should not be directly released by a kfree() call in ax25_dev_free().
Replace it with a ax25_dev_put() call instead.
Would you like to extend patch version descriptions (or changelogs) accordingly?
Regards,
Markus
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net v2 1/2] ax25: change kfree in ax25_dev_free to ax25_dev_free
2024-05-03 5:36 ` Markus Elfring
@ 2024-05-03 11:33 ` Dan Carpenter
0 siblings, 0 replies; 9+ messages in thread
From: Dan Carpenter @ 2024-05-03 11:33 UTC (permalink / raw)
To: Markus Elfring
Cc: Duoming Zhou, linux-hams, netdev, kernel-janitors,
David S. Miller, Eric Dumazet, Jakub Kicinski, Jörg Reuter,
Paolo Abeni, LKML, Lars Kellogg-Stedman
On Fri, May 03, 2024 at 07:36:54AM +0200, Markus Elfring wrote:
> > The ax25_dev is managed by reference counting, so it should not be
> > deallocated directly by kfree() in ax25_dev_free(), replace it with
> > ax25_dev_put() instead.
>
> You repeated a wording mistake in the summary phrase from a previous cover letter.
Yeah. That's true. The subject should be changed to:
Subject: [PATCH] ax25: change kfree() in ax25_dev_free() to ax25_dev_put()
Another option would be:
Subject: [PATCH] ax25: use ax25_dev_put() in ax25_dev_free()
Otherwise the commit message is okay as-is.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH net v2 2/2] ax25: fix potential reference counting leak in ax25_addr_ax25dev
2024-05-02 23:36 [PATCH net v2 0/2] ax25: fix reference counting issue of ax25_dev Duoming Zhou
2024-05-02 23:36 ` [PATCH net v2 1/2] ax25: change kfree in ax25_dev_free to ax25_dev_free Duoming Zhou
@ 2024-05-02 23:36 ` Duoming Zhou
2024-05-03 7:30 ` Markus Elfring
2024-05-03 5:10 ` [PATCH net v2 0/2] ax25: fix reference counting issue of ax25_dev Dan Carpenter
2 siblings, 1 reply; 9+ messages in thread
From: Duoming Zhou @ 2024-05-02 23:36 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, linux-hams, pabeni, kuba, edumazet, davem, jreuter,
horms, Markus.Elfring, dan.carpenter, lars, Duoming Zhou
The reference counting of ax25_dev potentially increase more
than once in ax25_addr_ax25dev(), which will cause memory leak.
In order to fix the above issue, only increase the reference
counting of ax25_dev once, when the res is not null.
Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
net/ax25/ax25_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
index 07723095c60..7c2ea7309b0 100644
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -37,8 +37,9 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr)
for (ax25_dev = ax25_dev_list; ax25_dev != NULL; ax25_dev = ax25_dev->next)
if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) {
res = ax25_dev;
- ax25_dev_hold(ax25_dev);
}
+ if (res)
+ ax25_dev_hold(res);
spin_unlock_bh(&ax25_dev_lock);
return res;
--
2.17.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH net v2 2/2] ax25: fix potential reference counting leak in ax25_addr_ax25dev
2024-05-02 23:36 ` [PATCH net v2 2/2] ax25: fix potential reference counting leak in ax25_addr_ax25dev Duoming Zhou
@ 2024-05-03 7:30 ` Markus Elfring
2024-05-03 11:38 ` Dan Carpenter
0 siblings, 1 reply; 9+ messages in thread
From: Markus Elfring @ 2024-05-03 7:30 UTC (permalink / raw)
To: Duoming Zhou, linux-hams, netdev, kernel-janitors,
David S. Miller, Eric Dumazet, Jakub Kicinski, Jörg Reuter,
Paolo Abeni
Cc: LKML, Dan Carpenter, Lars Kellogg-Stedman, Simon Horman
How do you think about to append parentheses to the function name
in the summary phrase?
> The reference counting of ax25_dev potentially increase more
> than once in ax25_addr_ax25dev(), which will cause memory leak.
>
> In order to fix the above issue, only increase the reference
> counting of ax25_dev once, when the res is not null.
Would you find the following change description a bit nicer?
The reference counter of the object “ax25_dev” can be increased multiple times
in ax25_addr_ax25dev(). This will cause a memory leak so far.
Thus move a needed function call behind a for loop
and increase the reference counter only when the local variable “res”
is not a null pointer.
…
> +++ b/net/ax25/ax25_dev.c
> @@ -37,8 +37,9 @@ ax25_dev *ax25_addr_ax25dev(ax25_address *addr)
…
Would you like to omit curly brackets in the affected function implementation?
Regards,
Markus
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net v2 2/2] ax25: fix potential reference counting leak in ax25_addr_ax25dev
2024-05-03 7:30 ` Markus Elfring
@ 2024-05-03 11:38 ` Dan Carpenter
2024-05-03 13:39 ` [v2 " Markus Elfring
0 siblings, 1 reply; 9+ messages in thread
From: Dan Carpenter @ 2024-05-03 11:38 UTC (permalink / raw)
To: Markus Elfring
Cc: Duoming Zhou, linux-hams, netdev, kernel-janitors,
David S. Miller, Eric Dumazet, Jakub Kicinski, Jörg Reuter,
Paolo Abeni, LKML, Lars Kellogg-Stedman, Simon Horman
Yeah, it's true that we should delete the curly braces around the if
block. Otherwise checkpatch.pl -f will complain.
The commit message is fine as-is. Please stop nit-picking.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [v2 2/2] ax25: fix potential reference counting leak in ax25_addr_ax25dev
2024-05-03 11:38 ` Dan Carpenter
@ 2024-05-03 13:39 ` Markus Elfring
0 siblings, 0 replies; 9+ messages in thread
From: Markus Elfring @ 2024-05-03 13:39 UTC (permalink / raw)
To: Dan Carpenter, Duoming Zhou, linux-hams, netdev, kernel-janitors
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Jörg Reuter,
Paolo Abeni, LKML, Lars Kellogg-Stedman, Simon Horman
> The commit message is fine as-is. Please stop nit-picking.
I dare to point recurring improvement possibilities out.
I became curious if the change acceptance will ever grow accordingly.
Regards,
Markus
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net v2 0/2] ax25: fix reference counting issue of ax25_dev
2024-05-02 23:36 [PATCH net v2 0/2] ax25: fix reference counting issue of ax25_dev Duoming Zhou
2024-05-02 23:36 ` [PATCH net v2 1/2] ax25: change kfree in ax25_dev_free to ax25_dev_free Duoming Zhou
2024-05-02 23:36 ` [PATCH net v2 2/2] ax25: fix potential reference counting leak in ax25_addr_ax25dev Duoming Zhou
@ 2024-05-03 5:10 ` Dan Carpenter
2 siblings, 0 replies; 9+ messages in thread
From: Dan Carpenter @ 2024-05-03 5:10 UTC (permalink / raw)
To: Duoming Zhou
Cc: netdev, linux-kernel, linux-hams, pabeni, kuba, edumazet, davem,
jreuter, horms, Markus.Elfring, lars
On Fri, May 03, 2024 at 07:36:14AM +0800, Duoming Zhou wrote:
> The first patch changes kfree in ax25_dev_free to ax25_dev_put,
> because the ax25_dev is managed by reference counting.
>
> The second patch fixes potential reference counting leak issue
> in ax25_addr_ax25dev.
>
> You can see the former discussion in the following link:
> https://lore.kernel.org/netdev/20240501060218.32898-1-duoming@zju.edu.cn/
>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
regards,
dan carpenter
^ permalink raw reply [flat|nested] 9+ messages in thread