net: sctp: possible dereference after freeing

net: sctp: possible dereference after freeing

[Geyslan Gregório Bem]

Hi maintainers,

I would like to know if these are catches:

/net/sctp/endpointola.c (281)
static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
{
    struct sock *sk;
...
    kfree(ep);
    SCTP_DBG_OBJCNT_DEC(ep);
}

The 'ep' object counter is being decremented?! Is the kfree to be there indeed?
Let me know what was intended here.

Same here:
/net/sctp/endpointola.c (165)
static void sctp_transport_destroy_rcu(struct rcu_head *head)
{
    struct sctp_transport *transport;
...
    kfree(transport);
    SCTP_DBG_OBJCNT_DEC(transport);
}

Regards,

Geyslan Gregório Bem
hackingbits.com

Re: net: sctp: possible dereference after freeing

[Geyslan Gregório Bem]

2013/10/19 Geyslan Gregório Bem <geyslan@gmail.com>:
> Hi maintainers,
>
> I would like to know if these are catches:
>
> /net/sctp/endpointola.c (281)
> static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
> {
>     struct sock *sk;
> ...
>     kfree(ep);
>     SCTP_DBG_OBJCNT_DEC(ep);
> }
>
> The 'ep' object counter is being decremented?! Is the kfree to be there indeed?
> Let me know what was intended here.
>
> Same here:
> /net/sctp/endpointola.c (165)
> static void sctp_transport_destroy_rcu(struct rcu_head *head)
> {
>     struct sctp_transport *transport;
> ...
>     kfree(transport);
>     SCTP_DBG_OBJCNT_DEC(transport);
> }
>
> Regards,
>
> Geyslan Gregório Bem
> hackingbits.com

Oops. I got it. ;)

extern atomic_t sctp_dbg_objcnt_ep;
http://lxr.free-electrons.com/source/include/net/sctp/sctp.h#L269
extern atomic_t sctp_dbg_objcnt_transport;
http://lxr.free-electrons.com/source/arch/x86/include/asm/atomic.h#L105

Cheers.

Re: net: sctp: possible dereference after freeing

[Vlad Yasevich]

On Oct 19, 2013, at 7:49 AM, Geyslan Gregório Bem <geyslan@gmail.com> wrote:

> 2013/10/19 Geyslan Gregório Bem <geyslan@gmail.com>:
>> Hi maintainers,
>> 
>> I would like to know if these are catches:
>> 
>> /net/sctp/endpointola.c (281)
>> static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
>> {
>>    struct sock *sk;
>> ...
>>    kfree(ep);
>>    SCTP_DBG_OBJCNT_DEC(ep);
>> }
>> 
>> The 'ep' object counter is being decremented?! Is the kfree to be there indeed?
>> Let me know what was intended here.
>> 
>> Same here:
>> /net/sctp/endpointola.c (165)
>> static void sctp_transport_destroy_rcu(struct rcu_head *head)
>> {
>>    struct sctp_transport *transport;
>> ...
>>    kfree(transport);
>>    SCTP_DBG_OBJCNT_DEC(transport);
>> }
>> 
>> Regards,
>> 
>> Geyslan Gregório Bem
>> hackingbits.com
> 
> Oops. I got it. ;)
> 
> extern atomic_t sctp_dbg_objcnt_ep;
> http://lxr.free-electrons.com/source/include/net/sctp/sctp.h#L269
> extern atomic_t sctp_dbg_objcnt_transport;
> http://lxr.free-electrons.com/source/arch/x86/include/asm/atomic.h#L105
> 
> Cheers.

There is no reference here since the macro turns variable name to string using ## name.
So the order doesn't matter really.

-vlad