lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 11 Mar 2022 00:01:20 +0800 (GMT+08:00)
From:   周多明 <duoming@....edu.cn>
To:     "Dan Carpenter" <dan.carpenter@...cle.com>
Cc:     linux-hams@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, jreuter@...na.de, kuba@...nel.org,
        davem@...emloft.net, ralf@...ux-mips.org, thomas@...erried.de
Subject: Re: Re: [PATCH] ax25: Fix memory leaks caused by ax25_cb_del()

Hello,

Thank you very much for pointing the wrong places in my patch.

> This is a very frustrating patch because you make a lot of unnecessary
> white space changes and you didn't run checkpatch on your patch.
> 
> The whole approach feels like the wrong thing...

I will fix it.

> I have read your commit message, but I don't understand why we can't
> just use normal refcounting.  It sounds like there is a layering
> violation somewhere?

The root cause of refcount leak is shown below:

     (Thread 1)                          |      (Thread 2)
ax25_bind()                              |
 ...                                     |
 ax25_addr_ax25dev()                     | 
  ax25_dev_hold()   //(1)                |
 ...                                     |
 dev_hold_track()   //(2)                | 
 ...                                     | ax25_destroy_socket()
                                         |  ax25_cb_del()   
                                         |   ... 
                                         |   spin_lock_bh(&ax25_list_lock);
                                         |   hlist_del_init(&ax25->ax25_node); //(3) 
                                         |   spin_unlock_bh(&ax25_list_lock);
                                    
     (thread 3)                                          
ax25_kill_by_device()                    |
 spin_lock_bh(&ax25_list_lock);          |
 ax25_for_each(s, &ax25_list) {          |
  if (s->ax25_dev == ax25_dev)  //(4)    |   
  ...                                    |
  (the following code could not execute) |

Firstly, we use ax25_bind() to increase the refcount of ax25_dev in 
position (1) and increase the refcount of net_device in position (2).

Then, we use ax25_cb_del() invoked by ax25_destroy_socket()
to delete ax25_cb in hlist in position (3) before calling ax25_kill_by_device().
 
Finally, the decrements of refcounts in ax25_kill_by_device() will not be executed,
because no s->ax25_dev equals to ax25_dev in position (4).

My patch adds two flags in ax25_dev in order to prevent reference count leaks. 
If the above condition happens, the two "test_bit" checks in ax25_kill_by_device()
could pass and the refcounts could be decreased properly.

> Even if we go with this approach ->kill_flag and ->bind_flag should be
> booleans.  It makes no sense to have a unsigned long where only BIT(2)
> can be set.

I will change kill_flag and bind_flag to booleans.

Best wishes,
Duoming Zhou

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ