diff options
author | Duoming Zhou <duoming@zju.edu.cn> | 2024-05-09 11:37:02 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2024-05-14 01:09:38 +0200 |
commit | 36e56b1b002bb26440403053f19f9e1a8bc075b2 (patch) | |
tree | 023eee5e51da1a8265604386d12404705367eac8 /net/ax25 | |
parent | ax25: Fix reference count leak issues of ax25_dev (diff) | |
download | linux-36e56b1b002bb26440403053f19f9e1a8bc075b2.tar.xz linux-36e56b1b002bb26440403053f19f9e1a8bc075b2.zip |
ax25: Fix reference count leak issue of net_device
There is a reference count leak issue of the object "net_device" in
ax25_dev_device_down(). When the ax25 device is shutting down, the
ax25_dev_device_down() drops the reference count of net_device one
or zero times depending on if we goto unlock_put or not, which will
cause memory leak.
In order to solve the above issue, decrease the reference count of
net_device after dev->ax25_ptr is set to null.
Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.1715247018.git.duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/ax25')
-rw-r--r-- | net/ax25/ax25_dev.c | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 52ccc37d5687..c9d55b99a7a5 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -118,15 +118,10 @@ void ax25_dev_device_down(struct net_device *dev) list_for_each_entry(s, &ax25_dev_list, list) { if (s == ax25_dev) { list_del(&s->list); - goto unlock_put; + break; } } - dev->ax25_ptr = NULL; - spin_unlock_bh(&ax25_dev_lock); - ax25_dev_put(ax25_dev); - return; -unlock_put: dev->ax25_ptr = NULL; spin_unlock_bh(&ax25_dev_lock); netdev_put(dev, &ax25_dev->dev_tracker); |