* [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
@ 2020-07-29 13:06 Xin Xiong
2020-07-31 0:36 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Xin Xiong @ 2020-07-29 13:06 UTC (permalink / raw)
To: Chas Williams, linux-atm-general, netdev, linux-kernel
Cc: Xin Xiong, Xiyu Yang, Xin Tan, yuanxzhang
atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
reference of atm_dev with increased refcount or NULL if fails.
The refcount leaks issues occur in two error handling paths. If
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
returns 0 without decreasing the refcount kept by a local variable,
resulting in refcount leaks.
Fix the issue by adding atm_dev_put() before returning 0 both when
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.
Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
drivers/atm/atmtcp.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
index d9fd70280482..7f814da3c2d0 100644
--- a/drivers/atm/atmtcp.c
+++ b/drivers/atm/atmtcp.c
@@ -433,9 +433,15 @@ static int atmtcp_remove_persistent(int itf)
return -EMEDIUMTYPE;
}
dev_data = PRIV(dev);
- if (!dev_data->persist) return 0;
+ if (!dev_data->persist) {
+ atm_dev_put(dev);
+ return 0;
+ }
dev_data->persist = 0;
- if (PRIV(dev)->vcc) return 0;
+ if (PRIV(dev)->vcc) {
+ atm_dev_put(dev);
+ return 0;
+ }
kfree(dev_data);
atm_dev_put(dev);
atm_dev_deregister(dev);
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
2020-07-29 13:06 [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent Xin Xiong
@ 2020-07-31 0:36 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2020-07-31 0:36 UTC (permalink / raw)
To: xiongx18
Cc: 3chas3, linux-atm-general, netdev, linux-kernel, xiyuyang19,
tanxin.ctf, yuanxzhang
From: Xin Xiong <xiongx18@fudan.edu.cn>
Date: Wed, 29 Jul 2020 21:06:59 +0800
> atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
> reference of atm_dev with increased refcount or NULL if fails.
>
> The refcount leaks issues occur in two error handling paths. If
> dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
> returns 0 without decreasing the refcount kept by a local variable,
> resulting in refcount leaks.
>
> Fix the issue by adding atm_dev_put() before returning 0 both when
> dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.
>
> Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Applied, thank you.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-07-31 0:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-29 13:06 [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent Xin Xiong
2020-07-31 0:36 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).