From patchwork Fri Sep 18 03:03:19 2020
X-Patchwork-Submitter: Xiyu Yang
X-Patchwork-Id: 18182
X-Patchwork-Delegate: sw@simonwunderlich.de
To: Marek Lindner, Simon Wunderlich, Antonio Quartulli, Sven Eckelmann, "David S. Miller", Jakub Kicinski, b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] batman-adv: Fix orig node refcnt leak when creating neigh node
Date: Fri, 18 Sep 2020 11:03:19 +0800
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking
Message-ID: <160040902762.1255.6053670722640713794@diktynna.open-mesh.org>
X-Patchwork-Original-From: "Xiyu Yang via B.A.T.M.A.N"
From: Xiyu Yang Cc: yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xiyu Yang , Xin Tan The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. batadv_neigh_node_create() is used to create a neigh node object, whose fields will be initialized with the specific object. When a new reference of the specific object is created during the initialization, its refcount should be increased. However, when "neigh_node" object initializes its orig_node field with the "orig_node" object, the function forgets to hold the refcount of the "orig_node", causing a potential refcount leak and use-after-free issue for the reason that the object can be freed in other places. Fix this issue by increasing the refcount of orig_node object during the initialization and adding corresponding batadv_orig_node_put() in batadv_neigh_node_release(). Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan --- net/batman-adv/originator.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c index 805d8969bdfb..d6c2296f8e35 100644 --- a/net/batman-adv/originator.c +++ b/net/batman-adv/originator.c @@ -306,6 +306,8 @@ static void batadv_neigh_node_release(struct kref *ref) batadv_hardif_put(neigh_node->if_incoming); + batadv_orig_node_put(neigh_node->orig_node); + kfree_rcu(neigh_node, rcu); } @@ -685,6 +687,7 @@ batadv_neigh_node_create(struct batadv_orig_node *orig_node, kref_get(&hard_iface->refcount); ether_addr_copy(neigh_node->addr, neigh_addr); neigh_node->if_incoming = hard_iface; + kref_get(&orig_node->refcount); neigh_node->orig_node = orig_node; neigh_node->last_seen = jiffies;
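Review bot: in the batadv_neigh_node_release() hunk, the new batadv_orig_node_put(neigh_node->orig_node) before kfree_rcu() means every neigh node now pins its orig node until the neigh node itself is released, and the patch does not show how that interacts with the orig node's own teardown. If the orig node's release path is what drops the references to its neigh nodes, the two objects would keep each other alive and neither release function would run, turning the reported use-after-free into a permanent leak. Please state in the commit message which path drops the neigh node references when an originator goes away, and name the concrete reader of neigh_node->orig_node that can run after the orig node has been freed.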
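Review bot: in the batadv_neigh_node_create() hunk, kref_get(&orig_node->refcount) is taken unconditionally right before neigh_node->orig_node = orig_node, so any exit from the function after this line that does not end in batadv_neigh_node_release() would leak the new reference; please confirm no such path exists between this line and the point where the neigh node's own kref is initialised. The subject calls this a "refcnt leak" while the message describes a missing reference that can lead to use-after-free, so the subject should say that instead. The patch also carries no Fixes: tag identifying the commit that introduced the unreferenced pointer, and the kernel-doc for the orig_node field should be updated to say that the neigh node now holds a reference.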