summaryrefslogtreecommitdiffstats
path: root/net/ax25
diff options
context:
space:
mode:
authorDuoming Zhou <duoming@zju.edu.cn>2024-05-09 11:37:02 +0200
committerJakub Kicinski <kuba@kernel.org>2024-05-14 01:09:38 +0200
commit36e56b1b002bb26440403053f19f9e1a8bc075b2 (patch)
tree023eee5e51da1a8265604386d12404705367eac8 /net/ax25
parentax25: Fix reference count leak issues of ax25_dev (diff)
downloadlinux-36e56b1b002bb26440403053f19f9e1a8bc075b2.tar.xz
linux-36e56b1b002bb26440403053f19f9e1a8bc075b2.zip
ax25: Fix reference count leak issue of net_device
There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.1715247018.git.duoming@zju.edu.cn Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/ax25')
-rw-r--r--net/ax25/ax25_dev.c7
1 files changed, 1 insertions, 6 deletions
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
index 52ccc37d5687..c9d55b99a7a5 100644
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -118,15 +118,10 @@ void ax25_dev_device_down(struct net_device *dev)
list_for_each_entry(s, &ax25_dev_list, list) {
if (s == ax25_dev) {
list_del(&s->list);
- goto unlock_put;
+ break;
}
}
- dev->ax25_ptr = NULL;
- spin_unlock_bh(&ax25_dev_lock);
- ax25_dev_put(ax25_dev);
- return;
-unlock_put:
dev->ax25_ptr = NULL;
spin_unlock_bh(&ax25_dev_lock);
netdev_put(dev, &ax25_dev->dev_tracker);