atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

Message ID	20200729130659.GA7712@xin-virtual-machine
State	Accepted
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> Date: Wed, 29 Jul 2020 21:06:59 +0800 From: Xin Xiong <xiongx18@fudan.edu.cn> To: Chas Williams <3chas3@gmail.com>, linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Xin Xiong <xiongx18@fudan.edu.cn>, Xiyu Yang <xiyuyang19@fudan.edu.cn>, Xin Tan <tanxin.ctf@gmail.com>, yuanxzhang@fudan.edu.cn Subject: [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent Message-ID: <20200729130659.GA7712@xin-virtual-machine> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent \| expand atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

Message ID

20200729130659.GA7712@xin-virtual-machine

State

Accepted

Delegated to:

David Miller

Headers

Date: Wed, 29 Jul 2020 21:06:59 +0800
From: Xin Xiong <xiongx18@fudan.edu.cn>
To: Chas Williams <3chas3@gmail.com>,
        linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Cc: Xin Xiong <xiongx18@fudan.edu.cn>,
        Xiyu Yang <xiyuyang19@fudan.edu.cn>,
        Xin Tan <tanxin.ctf@gmail.com>, yuanxzhang@fudan.edu.cn
Subject: [PATCH] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
Message-ID: <20200729130659.GA7712@xin-virtual-machine>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent | expand

Commit Message

Xin Xiong July 29, 2020, 1:06 p.m. UTC

atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
reference of atm_dev with increased refcount or NULL if fails.

The refcount leaks issues occur in two error handling paths. If
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
returns 0 without decreasing the refcount kept by a local variable,
resulting in refcount leaks.

Fix the issue by adding atm_dev_put() before returning 0 both when
dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.

Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
 drivers/atm/atmtcp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Comments

David Miller July 31, 2020, 12:36 a.m. UTC | #1

From: Xin Xiong <xiongx18@fudan.edu.cn>
Date: Wed, 29 Jul 2020 21:06:59 +0800

> atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
> reference of atm_dev with increased refcount or NULL if fails.
> 
> The refcount leaks issues occur in two error handling paths. If
> dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
> returns 0 without decreasing the refcount kept by a local variable,
> resulting in refcount leaks.
> 
> Fix the issue by adding atm_dev_put() before returning 0 both when
> dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.
> 
> Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>

Applied, thank you.

diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
index d9fd70280482..7f814da3c2d0 100644
--- a/drivers/atm/atmtcp.c
+++ b/drivers/atm/atmtcp.c
@@ -433,9 +433,15 @@  static int atmtcp_remove_persistent(int itf)
 		return -EMEDIUMTYPE;
 	}
 	dev_data = PRIV(dev);
-	if (!dev_data->persist) return 0;
+	if (!dev_data->persist) {
+		atm_dev_put(dev);
+		return 0;
+	}
 	dev_data->persist = 0;
-	if (PRIV(dev)->vcc) return 0;
+	if (PRIV(dev)->vcc) {
+		atm_dev_put(dev);
+		return 0;
+	}
 	kfree(dev_data);
 	atm_dev_put(dev);
 	atm_dev_deregister(dev);

atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

Commit Message

Comments

Patch