Re: [PATCH net] ax25: Fix refcount leak issues of ax25_dev

From: Dan Carpenter
Date: Sat May 04 2024 - 07:04:43 EST

Next message: syzbot: "[syzbot] [kernel?] WARNING in pwq_release_workfn"
Previous message: Simon Horman: "Re: [PATCH] [PATCH v2 net-next] mptcp: fix typos in comments"
In reply to: Dan Carpenter: "Re: [PATCH net] ax25: Fix refcount leak issues of ax25_dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, May 01, 2024 at 02:02:18PM +0800, Duoming Zhou wrote:
> @@ -58,7 +59,6 @@ void ax25_dev_device_up(struct net_device *dev)
> return;
> }
>
> - refcount_set(&ax25_dev->refcount, 1);

Let's keep this here, and just delete the ax25_dev_hold(). It makes
the diff smaller and I like setting the refcount earlier anyway.

> dev->ax25_ptr = ax25_dev;

Let's move this assignment under the spinlock where ax25_dev_hold() was.

> ax25_dev->dev = dev;
> netdev_hold(dev, &ax25_dev->dev_tracker, GFP_KERNEL);
> @@ -88,7 +88,7 @@ void ax25_dev_device_up(struct net_device *dev)
> ax25_dev->next = ax25_dev_list;
> ax25_dev_list = ax25_dev;
> spin_unlock_bh(&ax25_dev_lock);
> - ax25_dev_hold(ax25_dev);
> + refcount_set(&ax25_dev->refcount, 1);
>
> ax25_register_dev_sysctl(ax25_dev);
> }
> @@ -135,7 +135,6 @@ void ax25_dev_device_down(struct net_device *dev)
>
> unlock_put:
> spin_unlock_bh(&ax25_dev_lock);
> - ax25_dev_put(ax25_dev);
> dev->ax25_ptr = NULL;
> netdev_put(dev, &ax25_dev->dev_tracker);
> ax25_dev_put(ax25_dev);

So far as I can see, the ax25_dev should be on the list. Also, I think
the dev->ax25_ptr = NULL; assignment should be under the lock. So this
code should just look like:

list_for_each_entry(s, &ax25_dev_list, list) {
if (s->forward == dev)
s->forward = NULL;
}

list_for_each_entry(s, &ax25_dev_list, list) {
if (s == ax25_dev) {
list_del(&s->list);
break;
}
}
dev->ax25_ptr = NULL;
spin_unlock_bh(&ax25_dev_lock);
netdev_put(dev, &ax25_dev->dev_tracker);
ax25_dev_put(ax25_dev);
}

Also it should just be on the list once... In fact, it's impossible for
one pointer to be on a list twice. So it would be nice to add a break;
in ax25_addr_ax25dev(). It doesn't change the code, it just makes it
more obvious.

ax25_dev *ax25_addr_ax25dev(ax25_address *addr)
{
ax25_dev *ax25_dev, *res = NULL;

spin_lock_bh(&ax25_dev_lock);
list_for_each_entry(ax25_dev, &ax25_dev_list, list) {
if (ax25cmp(addr, (const ax25_address *)ax25_dev->dev->dev_addr) == 0) {
res = ax25_dev;
ax25_dev_hold(res);
break;
}
}
spin_unlock_bh(&ax25_dev_lock);

return res;
}

regards,
dan carpenter

Next message: syzbot: "[syzbot] [kernel?] WARNING in pwq_release_workfn"
Previous message: Simon Horman: "Re: [PATCH] [PATCH v2 net-next] mptcp: fix typos in comments"
In reply to: Dan Carpenter: "Re: [PATCH net] ax25: Fix refcount leak issues of ax25_dev"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]