Re: Re: [PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs

From: 周多明
Date: Tue Feb 01 2022 - 01:34:38 EST

Next message: Ron Economos: "Re: [PATCH 5.16 000/200] 5.16.5-rc1 review"
Previous message: Song Liu: "[PATCH v8 bpf-next 3/9] bpf: use size instead of pages in bpf_binary_header"
Next in thread: 周多明: "Re: Re: [PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thank you very much for your time and pointing out problems in my patch.

The decrement of ax25_bind() is in ax25_kill_by_device(). If we don't
call ax25_bind() before ax25_kill_by_device(), the ax25_list will be
empty and ax25_dev_put() in ax25_kill_by_device() will not execute.

> @@ -91,6 +91,7 @@ static void ax25_kill_by_device(struct net_device *dev)
> spin_unlock_bh(&ax25_list_lock);
> lock_sock(sk);
> s->ax25_dev = NULL;
> + ax25_dev_put(ax25_dev);
> release_sock(sk);
> ax25_disconnect(s, ENETUNREACH);
> spin_lock_bh(&ax25_list_lock);

I will send the improved patch as soon as possible.

Best wishes,
Duoming Zhou

Next message: Ron Economos: "Re: [PATCH 5.16 000/200] 5.16.5-rc1 review"
Previous message: Song Liu: "[PATCH v8 bpf-next 3/9] bpf: use size instead of pages in bpf_binary_header"
Next in thread: 周多明: "Re: Re: [PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]