xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ax25: fix reference count leaks of ax25_dev

Browse Source 
commit 87563a043cef044fed5db7967a75741cc16ad2b1 upstream.

The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev
to avoid UAF bugs") introduces refcount into ax25_dev, but there
are reference leak paths in ax25_ctl_ioctl(), ax25_fwd_ioctl(),
ax25_rt_add(), ax25_rt_del() and ax25_rt_opt().

This patch uses ax25_dev_put() and adjusts the position of
ax25_addr_ax25dev() to fix reference cout leaks of ax25_dev.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220203150811.42256-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[OP: backport to 5.10: adjust context]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Duoming Zhou
2022-04-15 20:49:27 +03:00
committed by Greg Kroah-Hartman
parent 5ea00fc606
commit 5ddae8d064
4 changed files with 41 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
net/ax25/ax25_dev.c
View File

@@ -85,8 +85,8 @@ void ax25_dev_device_up(struct net_device *dev)
spin_lock_bh(&ax25_dev_lock);
ax25_dev->next = ax25_dev_list;
ax25_dev_list = ax25_dev;
ax25_dev_hold(ax25_dev);
spin_unlock_bh(&ax25_dev_lock);
ax25_dev_hold(ax25_dev);
ax25_register_dev_sysctl(ax25_dev);
}
@@ -115,8 +115,8 @@ void ax25_dev_device_down(struct net_device *dev)
if ((s = ax25_dev_list) == ax25_dev) {
ax25_dev_list = s->next;
ax25_dev_put(ax25_dev);
spin_unlock_bh(&ax25_dev_lock);
ax25_dev_put(ax25_dev);
dev->ax25_ptr = NULL;
dev_put(dev);
ax25_dev_put(ax25_dev);
@@ -126,8 +126,8 @@ void ax25_dev_device_down(struct net_device *dev)
while (s != NULL && s->next != NULL) {
if (s->next == ax25_dev) {
s->next = ax25_dev->next;
ax25_dev_put(ax25_dev);
spin_unlock_bh(&ax25_dev_lock);
ax25_dev_put(ax25_dev);
dev->ax25_ptr = NULL;
dev_put(dev);
ax25_dev_put(ax25_dev);
@@ -150,25 +150,35 @@ int ax25_fwd_ioctl(unsigned int cmd, struct ax25_fwd_struct *fwd)
switch (cmd) {
case SIOCAX25ADDFWD:
if ((fwd_dev = ax25_addr_ax25dev(&fwd->port_to)) == NULL)
fwd_dev = ax25_addr_ax25dev(&fwd->port_to);
if (!fwd_dev) {
ax25_dev_put(ax25_dev);
return -EINVAL;
if (ax25_dev->forward != NULL)
}
if (ax25_dev->forward) {
ax25_dev_put(fwd_dev);
ax25_dev_put(ax25_dev);
return -EINVAL;
}
ax25_dev->forward = fwd_dev->dev;
ax25_dev_put(fwd_dev);
ax25_dev_put(ax25_dev);
break;
case SIOCAX25DELFWD:
if (ax25_dev->forward == NULL)
if (!ax25_dev->forward) {
ax25_dev_put(ax25_dev);
return -EINVAL;
}
ax25_dev->forward = NULL;
ax25_dev_put(ax25_dev);
break;
default:
ax25_dev_put(ax25_dev);
return -EINVAL;
}
ax25_dev_put(ax25_dev);
return 0;
}