From: Jakub Kicinski <kuba@kernel.org>
To: Minseong Kim <ii4gsp@gmail.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH net v3 1/1] atm: mpoa: Fix UAF on qos_head list in procfs
Date: Thu, 11 Dec 2025 18:50:02 +0900 [thread overview]
Message-ID: <20251211185002.44e4aee3@kernel.org> (raw)
In-Reply-To: <20251204062421.96986-2-ii4gsp@gmail.com>
On Thu, 4 Dec 2025 15:24:21 +0900 Minseong Kim wrote:
> Reported-by: Minseong Kim <ii4gsp@gmail.com>
> Closes: https://lore.kernel.org/netdev/CAKrymDR1X3XTX_1ZW3XXXnuYH+kzsnv7Av5uivzR1sto+5BFQg@mail.gmail.com/
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
The tags are wrong. Reported-by is only used when it's not the same as
author. And you're pointing Closes at previous version? I don't get it.
> -int atm_mpoa_delete_qos(struct atm_mpoa_qos *entry)
> +static int __atm_mpoa_delete_qos_locked(struct atm_mpoa_qos *entry)
> {
> struct atm_mpoa_qos *curr;
>
> - if (entry == NULL)
> + if (!entry)
> return 0;
> +
please avoid unrelated code cleanups in fixes
> if (entry == qos_head) {
> - qos_head = qos_head->next;
> - kfree(entry);
> + qos_head = entry->next;
> return 1;
> }
>
> curr = qos_head;
> - while (curr != NULL) {
> + while (curr) {
> if (curr->next == entry) {
> curr->next = entry->next;
> - kfree(entry);
> return 1;
> }
> curr = curr->next;
> + * Overwrites the old entry or makes a new one.
> + */
> +struct atm_mpoa_qos *atm_mpoa_add_qos(__be32 dst_ip, struct atm_qos *qos)
> +{
> + struct atm_mpoa_qos *entry;
> + struct atm_mpoa_qos *new;
> +
> + /* Fast path: update existing entry */
> + mutex_lock(&qos_mutex);
> + entry = __atm_mpoa_search_qos(dst_ip);
> + if (entry) {
> + entry->qos = *qos;
> + mutex_unlock(&qos_mutex);
> + return entry;
> + }
> + mutex_unlock(&qos_mutex);
> +
> + /* Allocate outside lock */
Why allocate outside the lock? It makes the code more complicated,
keep it simple unless you can prove real life benefits.
> + new = kmalloc(sizeof(*new), GFP_KERNEL);
> + if (!new)
> + return NULL;
next prev parent reply other threads:[~2025-12-11 9:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-04 6:24 [PATCH net v3 0/1] atm: mpoa: Fix UAF on qos_head list in procfs Minseong Kim
2025-12-04 6:24 ` [PATCH net v3 1/1] " Minseong Kim
2025-12-11 9:50 ` Jakub Kicinski [this message]
2025-12-16 12:09 ` [PATCH net v4] " Minseong Kim
2025-12-16 16:59 ` Simon Horman
2025-12-04 13:27 ` [PATCH net v3 0/1] " Simon Horman
2025-12-04 13:35 ` Minseong Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251211185002.44e4aee3@kernel.org \
--to=kuba@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=ii4gsp@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).