netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
@ 2020-07-29 13:06 Xin Xiong
  2020-07-31  0:36 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Xin Xiong @ 2020-07-29 13:06 UTC (permalink / raw)
  To: Chas Williams, linux-atm-general, netdev, linux-kernel
  Cc: Xin Xiong, Xiyu Yang, Xin Tan, yuanxzhang

atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
reference of atm_dev with increased refcount or NULL if fails.

The refcount leaks issues occur in two error handling paths. If
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
returns 0 without decreasing the refcount kept by a local variable,
resulting in refcount leaks.

Fix the issue by adding atm_dev_put() before returning 0 both when
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.

Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
 drivers/atm/atmtcp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
index d9fd70280482..7f814da3c2d0 100644
--- a/drivers/atm/atmtcp.c
+++ b/drivers/atm/atmtcp.c
@@ -433,9 +433,15 @@ static int atmtcp_remove_persistent(int itf)
 		return -EMEDIUMTYPE;
 	}
 	dev_data = PRIV(dev);
-	if (!dev_data->persist) return 0;
+	if (!dev_data->persist) {
+		atm_dev_put(dev);
+		return 0;
+	}
 	dev_data->persist = 0;
-	if (PRIV(dev)->vcc) return 0;
+	if (PRIV(dev)->vcc) {
+		atm_dev_put(dev);
+		return 0;
+	}
 	kfree(dev_data);
 	atm_dev_put(dev);
 	atm_dev_deregister(dev);
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
  2020-07-29 13:06 [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent Xin Xiong
@ 2020-07-31  0:36 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2020-07-31  0:36 UTC (permalink / raw)
  To: xiongx18
  Cc: 3chas3, linux-atm-general, netdev, linux-kernel, xiyuyang19,
	tanxin.ctf, yuanxzhang

From: Xin Xiong <xiongx18@fudan.edu.cn>
Date: Wed, 29 Jul 2020 21:06:59 +0800

> atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
> reference of atm_dev with increased refcount or NULL if fails.
> 
> The refcount leaks issues occur in two error handling paths. If
> dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
> returns 0 without decreasing the refcount kept by a local variable,
> resulting in refcount leaks.
> 
> Fix the issue by adding atm_dev_put() before returning 0 both when
> dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.
> 
> Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>

Applied, thank you.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-07-31  0:36 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-29 13:06 [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent Xin Xiong
2020-07-31  0:36 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).