All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Duoming Zhou <duoming@zju.edu.cn>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 4.14 36/43] ax25: fix reference count leaks of ax25_dev
Date: Tue, 26 Apr 2022 10:21:18 +0200	[thread overview]
Message-ID: <20220426081735.581664889@linuxfoundation.org> (raw)
In-Reply-To: <20220426081734.509314186@linuxfoundation.org>

From: Duoming Zhou <duoming@zju.edu.cn>

commit 87563a043cef044fed5db7967a75741cc16ad2b1 upstream.

The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev
to avoid UAF bugs") introduces refcount into ax25_dev, but there
are reference leak paths in ax25_ctl_ioctl(), ax25_fwd_ioctl(),
ax25_rt_add(), ax25_rt_del() and ax25_rt_opt().

This patch uses ax25_dev_put() and adjusts the position of
ax25_addr_ax25dev() to fix reference cout leaks of ax25_dev.

Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220203150811.42256-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[OP: backport to 4.14: adjust context]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/ax25.h    |    8 +++++---
 net/ax25/af_ax25.c    |   12 ++++++++----
 net/ax25/ax25_dev.c   |   24 +++++++++++++++++-------
 net/ax25/ax25_route.c |   16 +++++++++++-----
 4 files changed, 41 insertions(+), 19 deletions(-)

--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -290,10 +290,12 @@ static __inline__ void ax25_cb_put(ax25_
 	}
 }
 
-#define ax25_dev_hold(__ax25_dev) \
-	refcount_inc(&((__ax25_dev)->refcount))
+static inline void ax25_dev_hold(ax25_dev *ax25_dev)
+{
+	refcount_inc(&ax25_dev->refcount);
+}
 
-static __inline__ void ax25_dev_put(ax25_dev *ax25_dev)
+static inline void ax25_dev_put(ax25_dev *ax25_dev)
 {
 	if (refcount_dec_and_test(&ax25_dev->refcount)) {
 		kfree(ax25_dev);
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -370,21 +370,25 @@ static int ax25_ctl_ioctl(const unsigned
 	if (copy_from_user(&ax25_ctl, arg, sizeof(ax25_ctl)))
 		return -EFAULT;
 
-	if ((ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr)) == NULL)
-		return -ENODEV;
-
 	if (ax25_ctl.digi_count > AX25_MAX_DIGIS)
 		return -EINVAL;
 
 	if (ax25_ctl.arg > ULONG_MAX / HZ && ax25_ctl.cmd != AX25_KILL)
 		return -EINVAL;
 
+	ax25_dev = ax25_addr_ax25dev(&ax25_ctl.port_addr);
+	if (!ax25_dev)
+		return -ENODEV;
+
 	digi.ndigi = ax25_ctl.digi_count;
 	for (k = 0; k < digi.ndigi; k++)
 		digi.calls[k] = ax25_ctl.digi_addr[k];
 
-	if ((ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev)) == NULL)
+	ax25 = ax25_find_cb(&ax25_ctl.source_addr, &ax25_ctl.dest_addr, &digi, ax25_dev->dev);
+	if (!ax25) {
+		ax25_dev_put(ax25_dev);
 		return -ENOTCONN;
+	}
 
 	switch (ax25_ctl.cmd) {
 	case AX25_KILL:
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -88,8 +88,8 @@ void ax25_dev_device_up(struct net_devic
 	spin_lock_bh(&ax25_dev_lock);
 	ax25_dev->next = ax25_dev_list;
 	ax25_dev_list  = ax25_dev;
-	ax25_dev_hold(ax25_dev);
 	spin_unlock_bh(&ax25_dev_lock);
+	ax25_dev_hold(ax25_dev);
 
 	ax25_register_dev_sysctl(ax25_dev);
 }
@@ -118,8 +118,8 @@ void ax25_dev_device_down(struct net_dev
 
 	if ((s = ax25_dev_list) == ax25_dev) {
 		ax25_dev_list = s->next;
-		ax25_dev_put(ax25_dev);
 		spin_unlock_bh(&ax25_dev_lock);
+		ax25_dev_put(ax25_dev);
 		dev->ax25_ptr = NULL;
 		dev_put(dev);
 		ax25_dev_put(ax25_dev);
@@ -129,8 +129,8 @@ void ax25_dev_device_down(struct net_dev
 	while (s != NULL && s->next != NULL) {
 		if (s->next == ax25_dev) {
 			s->next = ax25_dev->next;
-			ax25_dev_put(ax25_dev);
 			spin_unlock_bh(&ax25_dev_lock);
+			ax25_dev_put(ax25_dev);
 			dev->ax25_ptr = NULL;
 			dev_put(dev);
 			ax25_dev_put(ax25_dev);
@@ -153,25 +153,35 @@ int ax25_fwd_ioctl(unsigned int cmd, str
 
 	switch (cmd) {
 	case SIOCAX25ADDFWD:
-		if ((fwd_dev = ax25_addr_ax25dev(&fwd->port_to)) == NULL)
+		fwd_dev = ax25_addr_ax25dev(&fwd->port_to);
+		if (!fwd_dev) {
+			ax25_dev_put(ax25_dev);
 			return -EINVAL;
-		if (ax25_dev->forward != NULL)
+		}
+		if (ax25_dev->forward) {
+			ax25_dev_put(fwd_dev);
+			ax25_dev_put(ax25_dev);
 			return -EINVAL;
+		}
 		ax25_dev->forward = fwd_dev->dev;
 		ax25_dev_put(fwd_dev);
+		ax25_dev_put(ax25_dev);
 		break;
 
 	case SIOCAX25DELFWD:
-		if (ax25_dev->forward == NULL)
+		if (!ax25_dev->forward) {
+			ax25_dev_put(ax25_dev);
 			return -EINVAL;
+		}
 		ax25_dev->forward = NULL;
+		ax25_dev_put(ax25_dev);
 		break;
 
 	default:
+		ax25_dev_put(ax25_dev);
 		return -EINVAL;
 	}
 
-	ax25_dev_put(ax25_dev);
 	return 0;
 }
 
--- a/net/ax25/ax25_route.c
+++ b/net/ax25/ax25_route.c
@@ -78,11 +78,13 @@ static int __must_check ax25_rt_add(stru
 	ax25_dev *ax25_dev;
 	int i;
 
-	if ((ax25_dev = ax25_addr_ax25dev(&route->port_addr)) == NULL)
-		return -EINVAL;
 	if (route->digi_count > AX25_MAX_DIGIS)
 		return -EINVAL;
 
+	ax25_dev = ax25_addr_ax25dev(&route->port_addr);
+	if (!ax25_dev)
+		return -EINVAL;
+
 	write_lock_bh(&ax25_route_lock);
 
 	ax25_rt = ax25_route_list;
@@ -94,6 +96,7 @@ static int __must_check ax25_rt_add(stru
 			if (route->digi_count != 0) {
 				if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) {
 					write_unlock_bh(&ax25_route_lock);
+					ax25_dev_put(ax25_dev);
 					return -ENOMEM;
 				}
 				ax25_rt->digipeat->lastrepeat = -1;
@@ -104,6 +107,7 @@ static int __must_check ax25_rt_add(stru
 				}
 			}
 			write_unlock_bh(&ax25_route_lock);
+			ax25_dev_put(ax25_dev);
 			return 0;
 		}
 		ax25_rt = ax25_rt->next;
@@ -111,6 +115,7 @@ static int __must_check ax25_rt_add(stru
 
 	if ((ax25_rt = kmalloc(sizeof(ax25_route), GFP_ATOMIC)) == NULL) {
 		write_unlock_bh(&ax25_route_lock);
+		ax25_dev_put(ax25_dev);
 		return -ENOMEM;
 	}
 
@@ -119,11 +124,11 @@ static int __must_check ax25_rt_add(stru
 	ax25_rt->dev          = ax25_dev->dev;
 	ax25_rt->digipeat     = NULL;
 	ax25_rt->ip_mode      = ' ';
-	ax25_dev_put(ax25_dev);
 	if (route->digi_count != 0) {
 		if ((ax25_rt->digipeat = kmalloc(sizeof(ax25_digi), GFP_ATOMIC)) == NULL) {
 			write_unlock_bh(&ax25_route_lock);
 			kfree(ax25_rt);
+			ax25_dev_put(ax25_dev);
 			return -ENOMEM;
 		}
 		ax25_rt->digipeat->lastrepeat = -1;
@@ -136,6 +141,7 @@ static int __must_check ax25_rt_add(stru
 	ax25_rt->next   = ax25_route_list;
 	ax25_route_list = ax25_rt;
 	write_unlock_bh(&ax25_route_lock);
+	ax25_dev_put(ax25_dev);
 
 	return 0;
 }
@@ -176,8 +182,8 @@ static int ax25_rt_del(struct ax25_route
 			}
 		}
 	}
-	ax25_dev_put(ax25_dev);
 	write_unlock_bh(&ax25_route_lock);
+	ax25_dev_put(ax25_dev);
 
 	return 0;
 }
@@ -219,8 +225,8 @@ static int ax25_rt_opt(struct ax25_route
 	}
 
 out:
-	ax25_dev_put(ax25_dev);
 	write_unlock_bh(&ax25_route_lock);
+	ax25_dev_put(ax25_dev);
 	return err;
 }
 



  parent reply	other threads:[~2022-04-26  8:30 UTC|newest]

Thread overview: 48+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-26  8:20 [PATCH 4.14 00/43] 4.14.277-rc1 review Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 01/43] etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 02/43] mm: page_alloc: fix building error on -Werror=array-compare Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 03/43] tracing: Have traceon and traceoff trigger honor the instance Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 04/43] tracing: Dump stacktrace trigger to the corresponding instance Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 05/43] can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 06/43] gfs2: assign rgrp glock before compute_bitstructs Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 07/43] ALSA: usb-audio: Clear MIDI port active flag after draining Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 08/43] tcp: fix race condition when creating child sockets from syncookies Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 09/43] tcp: Fix potential use-after-free due to double kfree() Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 10/43] dmaengine: imx-sdma: Fix error checking in sdma_event_remap Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 11/43] net/packet: fix packet_sock xmit return value checking Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 12/43] netlink: reset network and mac headers in netlink_dump() Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 13/43] ARM: vexpress/spc: Avoid negative array index when !SMP Greg Kroah-Hartman
2022-04-26  8:20   ` Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 14/43] platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 15/43] ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 16/43] vxlan: fix error return code in vxlan_fdb_append Greg Kroah-Hartman
2022-04-26  8:20 ` [PATCH 4.14 17/43] cifs: Check the IOCB_DIRECT flag, not O_DIRECT Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 18/43] brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 19/43] drm/msm/mdp5: check the return of kzalloc() Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 20/43] net: macb: Restart tx only if queue pointer is lagging Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 21/43] stat: fix inconsistency between struct stat and struct compat_stat Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 22/43] ata: pata_marvell: Check the bmdma_addr beforing reading Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 23/43] dma: at_xdmac: fix a missing check on list iterator Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 24/43] powerpc/perf: Fix power9 event alternatives Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 25/43] openvswitch: fix OOB access in reserve_sfa_size() Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 26/43] ASoC: soc-dapm: fix two incorrect uses of list iterator Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 27/43] e1000e: Fix possible overflow in LTR decoding Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 28/43] ARC: entry: fix syscall_trace_exit argument Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 29/43] ext4: fix symlink file size not match to file content Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 30/43] ext4: limit length to bitmap_maxbytes - blocksize in punch_hole Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 31/43] ext4: fix overhead calculation to account for the reserved gdt blocks Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 32/43] ext4: force overhead calculation if the s_overhead_cluster makes no sense Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 33/43] staging: ion: Prevent incorrect reference counting behavour Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 34/43] block/compat_ioctl: fix range check in BLKGETSIZE Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 35/43] ax25: add refcount in ax25_dev to avoid UAF bugs Greg Kroah-Hartman
2022-04-26  8:21 ` Greg Kroah-Hartman [this message]
2022-04-26  8:21 ` [PATCH 4.14 37/43] ax25: fix UAF bugs of net_device caused by rebinding operation Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 38/43] ax25: Fix refcount leaks caused by ax25_cb_del() Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 39/43] ax25: fix UAF bug in ax25_send_control() Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 40/43] ax25: fix NPD bug in ax25_disconnect Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 41/43] ax25: Fix NULL pointer dereferences in ax25 timers Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 42/43] ax25: Fix UAF bugs " Greg Kroah-Hartman
2022-04-26  8:21 ` [PATCH 4.14 43/43] Revert "net: micrel: fix KS8851_MLL Kconfig" Greg Kroah-Hartman
2022-04-26 16:20 ` [PATCH 4.14 00/43] 4.14.277-rc1 review Jon Hunter
2022-04-26 20:11 ` Guenter Roeck
2022-04-27  8:52 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220426081735.581664889@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=dan.carpenter@oracle.com \
    --cc=duoming@zju.edu.cn \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ovidiu.panait@windriver.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.