DragonFlyBSD Kernel Audit
DF-0539

ieee80211_node_dectestref implements non-atomic decrement-and-test: latent UAF trap

Summary

ieee80211_node_dectestref() (:497-503) is documented as an atomic decrement-and-test: drop one reference and return 1 only if the count hit zero. The implementation instead issues two separate atomics, atomic_subtract_int() followed by atomic_cmpset_int(0, 1), with a window between them in which other CPUs can observe and modify the count. The cmpset also bumps the count 0->1 on success, so a node whose last reference was just dropped reads refcnt == 1 rather than 0 while the caller is on its way to free it, which defeats any refcnt-based liveness check. This is currently safe only because every caller holds IEEE80211_NODE_LOCK; the plain incref/decref helpers (header:106-109) are lockless, so a future lockless caller (a lookup that takes a reference on a node whose last reference has just been dropped, or a second lockless release) would turn this into a use-after-free on the ieee80211_node. Defense-in-depth finding. Fix: implement it as a single atomic_cmpset_int() loop that moves old -> old-1 and returns (old == 1), so the decrement and the test are one atomic event and the count genuinely reaches 0.
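Added example, not DragonFlyBSD source: a userspace C11 model of the two dectestref() shapes above, using <stdatomic.h> in place of the kernel's atomic_*() wrappers. The field name ni_refcnt, the node_tryref() helper (a lockless "reference it only if still alive" lookup of the kind a future lockless caller would write) and the scenario functions are assumptions for illustration. It shows that both shapes give the right answer when calls are serialized, but only the single-CAS version leaves the count at 0 after the last drop, so the lockless lookup is refused instead of being handed a node that is about to be freed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct node {
    atomic_int ni_refcnt;   /* assumed field name */
};

/* Flawed shape described in DF-0539: atomic_subtract_int() followed by a
 * separate atomic_cmpset_int(0 -> 1).  "Hit zero" is decided by a second
 * observation, and success leaves the count at 1 on an object the caller
 * is about to free. */
static int
dectestref_flawed(struct node *ni)
{
    int expected = 0;

    atomic_fetch_sub_explicit(&ni->ni_refcnt, 1, memory_order_release);
    /* window: other CPUs run between the two atomics */
    if (atomic_compare_exchange_strong_explicit(&ni->ni_refcnt, &expected, 1,
        memory_order_acq_rel, memory_order_acquire))
        return 1;
    return 0;
}

/* Proposed fix: one CAS loop old -> old-1.  The decrement and the test are
 * the same atomic event and the count really reads 0 afterwards. */
static int
dectestref_fixed(struct node *ni)
{
    int old = atomic_load_explicit(&ni->ni_refcnt, memory_order_relaxed);

    for (;;) {
        if (atomic_compare_exchange_weak_explicit(&ni->ni_refcnt, &old,
            old - 1, memory_order_acq_rel, memory_order_relaxed))
            return old == 1;
        /* CAS failed: 'old' now holds the current value, retry */
    }
}

/* Assumed lockless lookup helper: take a reference only if the object is
 * still alive, i.e. refuse to resurrect a node whose count is 0. */
static bool
node_tryref(struct node *ni)
{
    int old = atomic_load_explicit(&ni->ni_refcnt, memory_order_relaxed);

    do {
        if (old == 0)
            return false;
    } while (!atomic_compare_exchange_weak_explicit(&ni->ni_refcnt, &old,
        old + 1, memory_order_acq_rel, memory_order_relaxed));
    return true;
}

/* Count observed after the sole holder drops its reference: the window
 * between dectestref() returning 1 and the caller's free(). */
static int
count_after_last_drop(int (*dectestref)(struct node *))
{
    struct node n;

    atomic_init(&n.ni_refcnt, 1);
    (void)dectestref(&n);
    return atomic_load(&n.ni_refcnt);
}

/* Returns true when a lockless lookup in that window was wrongly allowed to
 * reference a node the caller is about to free (the UAF the finding warns
 * about). */
static bool
last_ref_then_tryref(int (*dectestref)(struct node *))
{
    struct node n;
    bool free_it, resurrected;

    atomic_init(&n.ni_refcnt, 1);
    free_it = dectestref(&n) == 1;     /* caller now owes a free */
    resurrected = node_tryref(&n);     /* races with that free */
    return free_it && resurrected;
}

/* Two holders release in turn; exactly one of them must free.  Both shapes
 * pass this, which is why the defect is invisible under the node lock. */
static int
two_holders_free_count(int (*dectestref)(struct node *))
{
    struct node n;
    int frees = 0;

    atomic_init(&n.ni_refcnt, 2);
    frees += dectestref(&n);
    frees += dectestref(&n);
    return frees;
}

int
main(void)
{
    printf("flawed: refcnt after last drop = %d, lookup refs doomed node: %s\n",
        count_after_last_drop(dectestref_flawed),
        last_ref_then_tryref(dectestref_flawed) ? "yes (UAF)" : "no");
    printf("fixed : refcnt after last drop = %d, lookup refs doomed node: %s\n",
        count_after_last_drop(dectestref_fixed),
        last_ref_then_tryref(dectestref_fixed) ? "yes (UAF)" : "no");
    return 0;
}
```

The serialized two-holder case passes for both shapes, which is the point: as long as IEEE80211_NODE_LOCK serializes every caller the defect never shows. The spurious 0->1 only matters once something reads or bumps the count without that lock, and the single-CAS form removes the window rather than relying on the lock to hide it.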