Re: Re: [PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs

[PATCH 0/2] ax25: fix NPD and UAF bugs when detaching ax25 device · Duoming Zhou <hidden> · 2022-01-28
[PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs · Duoming Zhou <hidden> · 2022-01-28
Re: [PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs · Dan Carpenter <hidden> · 2022-01-31
Re: Re: [PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs · 周多明 <hidden> · 2022-02-01
Re: [PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs · Dan Carpenter <hidden> · 2022-01-31
Re: Re: [PATCH 2/2] ax25: add refcount in ax25_dev to avoid UAF bugs · 周多明 <hidden> · 2022-02-01
[PATCH 1/2] ax25: improve the incomplete fix to avoid UAF and NPD bugs · Duoming Zhou <hidden> · 2022-01-28
Re: [PATCH 0/2] ax25: fix NPD and UAF bugs when detaching ax25 device · patchwork-bot+netdevbpf@kernel.org · 2022-01-28

From: 周多明 <hidden>
Date: 2022-02-01 06:34:38
Also in: linux-hams, lkml

Thank you very much for your time and pointing out problems in my patch.

The decrement of ax25_bind() is in ax25_kill_by_device(). If we don't
call ax25_bind() before ax25_kill_by_device(), the ax25_list will be
empty and ax25_dev_put() in ax25_kill_by_device() will not execute.

quoted hunk ↗ jump to hunk

@@ -91,6 +91,7 @@ static void ax25_kill_by_device(struct net_device *dev)
 			spin_unlock_bh(&ax25_list_lock);
 			lock_sock(sk);
 			s->ax25_dev = NULL;
+			ax25_dev_put(ax25_dev);
 			release_sock(sk);
 			ax25_disconnect(s, ENETUNREACH);
 			spin_lock_bh(&ax25_list_lock);

I will send the improved patch as soon as possible.


Best wishes,
Duoming Zhou

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help