[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5f92dba3.4404.18f524bb7a6.Coremail.duoming@zju.edu.cn>
Date: Tue, 7 May 2024 17:04:05 +0800 (GMT+08:00)
From: duoming@....edu.cn
To: "Dan Carpenter" <dan.carpenter@...aro.org>
Cc: "Lars Kellogg-Stedman" <lars@...bit.com>, linux-hams@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
pabeni@...hat.com, kuba@...nel.org, edumazet@...gle.com,
davem@...emloft.net, jreuter@...na.de
Subject: Re: [PATCH net] ax25: Fix refcount leak issues of ax25_dev
On Tue, 7 May 2024 11:08:14 +0300 Dan Carpenter wrote:
> I have reviewed this code some more. My theory is:
>
> ax25_dev_device_up() <- sets refcount to 1
> ax25_dev_device_down() <- set refcount to 0 and frees it
>
> If the refcount is not 1 at ax25_dev_device_down() then something is
> screwed up. So why do we even need more refcounting than that? But
> apparently we do. I don't really understand networking that well so
> maybe we can have lingering connections after the device is down.
We do need more reference count. Because there is a race condition
between ax25_bind() and the cleanup routine.
The cleanup routine is consisted of three parts: ax25_kill_by_device(),
ax25_rt_device_down() and ax25_dev_device_down(). The ax25_kill_by_device()
is used to cleanup the connections and the ax25_dev_device_down() is used
to cleanup the device. If we call ax25_bind() and ax25_connect() between
the window of ax25_kill_by_device() and ax25_dev_device_down(), the ax25_dev
is freed in ax25_dev_device_down(). When we call ax25_release() to release
the connections, the UAF bugs will happen.
Best regards,
Duoming Zhou
Powered by blists - more mailing lists