* [PATCH net] ax25: fix incorrect dev_tracker usage
From: Eric Dumazet @ 2022-07-28  5:18 UTC (permalink / raw)
  To: David S . Miller, Jakub Kicinski, Paolo Abeni
  Cc: netdev, Eric Dumazet, Eric Dumazet, Bernard F6BVP, Duoming Zhou

From: Eric Dumazet <edumazet@google.com>

While investigating a separate rose issue [1], and enabling
CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2].

An ax25_dev can be used by one (or many) struct ax25_cb.
We thus need a different dev_tracker, one per struct ax25_cb.

After this patch is applied, we are able to focus on rose.

[1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/

[2]
[  205.798723] reference already released.
[  205.798732] allocated in:
[  205.798734]  ax25_bind+0x1a2/0x230 [ax25]
[  205.798747]  __sys_bind+0xea/0x110
[  205.798753]  __x64_sys_bind+0x18/0x20
[  205.798758]  do_syscall_64+0x5c/0x80
[  205.798763]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  205.798768] freed in:
[  205.798770]  ax25_release+0x115/0x370 [ax25]
[  205.798778]  __sock_release+0x42/0xb0
[  205.798782]  sock_close+0x15/0x20
[  205.798785]  __fput+0x9f/0x260
[  205.798789]  ____fput+0xe/0x10
[  205.798792]  task_work_run+0x64/0xa0
[  205.798798]  exit_to_user_mode_prepare+0x18b/0x190
[  205.798804]  syscall_exit_to_user_mode+0x26/0x40
[  205.798808]  do_syscall_64+0x69/0x80
[  205.798812]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  205.798827] ------------[ cut here ]------------
[  205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81
[  205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video
[  205.798948]  mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]
[  205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3
[  205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
[  205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81
[  205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e
[  205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286
[  205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000
[  205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff
[  205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618
[  205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0
[  205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001
[  205.799024] FS:  0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000
[  205.799028] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0
[  205.799033] Call Trace:
[  205.799035]  <TASK>
[  205.799038]  ? ax25_dev_device_down+0xd9/0x1b0 [ax25]
[  205.799047]  ? ax25_device_event+0x9f/0x270 [ax25]
[  205.799055]  ? raw_notifier_call_chain+0x49/0x60
[  205.799060]  ? call_netdevice_notifiers_info+0x52/0xa0
[  205.799065]  ? dev_close_many+0xc8/0x120
[  205.799070]  ? unregister_netdevice_many+0x13d/0x890
[  205.799073]  ? unregister_netdevice_queue+0x90/0xe0
[  205.799076]  ? unregister_netdev+0x1d/0x30
[  205.799080]  ? mkiss_close+0x7c/0xc0 [mkiss]
[  205.799084]  ? tty_ldisc_close+0x2e/0x40
[  205.799089]  ? tty_ldisc_hangup+0x137/0x210
[  205.799092]  ? __tty_hangup.part.0+0x208/0x350
[  205.799098]  ? tty_vhangup+0x15/0x20
[  205.799103]  ? pty_close+0x127/0x160
[  205.799108]  ? tty_release+0x139/0x5e0
[  205.799112]  ? __fput+0x9f/0x260
[  205.799118]  ax25_dev_device_down+0xd9/0x1b0 [ax25]
[  205.799126]  ax25_device_event+0x9f/0x270 [ax25]
[  205.799135]  raw_notifier_call_chain+0x49/0x60
[  205.799140]  call_netdevice_notifiers_info+0x52/0xa0
[  205.799146]  dev_close_many+0xc8/0x120
[  205.799152]  unregister_netdevice_many+0x13d/0x890
[  205.799157]  unregister_netdevice_queue+0x90/0xe0
[  205.799161]  unregister_netdev+0x1d/0x30
[  205.799165]  mkiss_close+0x7c/0xc0 [mkiss]
[  205.799170]  tty_ldisc_close+0x2e/0x40
[  205.799173]  tty_ldisc_hangup+0x137/0x210
[  205.799178]  __tty_hangup.part.0+0x208/0x350
[  205.799184]  tty_vhangup+0x15/0x20
[  205.799188]  pty_close+0x127/0x160
[  205.799193]  tty_release+0x139/0x5e0
[  205.799199]  __fput+0x9f/0x260
[  205.799203]  ____fput+0xe/0x10
[  205.799208]  task_work_run+0x64/0xa0
[  205.799213]  do_exit+0x33b/0xab0
[  205.799217]  ? __handle_mm_fault+0xc4f/0x15f0
[  205.799224]  do_group_exit+0x35/0xa0
[  205.799228]  __x64_sys_exit_group+0x18/0x20
[  205.799232]  do_syscall_64+0x5c/0x80
[  205.799238]  ? handle_mm_fault+0xba/0x290
[  205.799242]  ? debug_smp_processor_id+0x17/0x20
[  205.799246]  ? fpregs_assert_state_consistent+0x26/0x50
[  205.799251]  ? exit_to_user_mode_prepare+0x49/0x190
[  205.799256]  ? irqentry_exit_to_user_mode+0x9/0x20
[  205.799260]  ? irqentry_exit+0x33/0x40
[  205.799263]  ? exc_page_fault+0x87/0x170
[  205.799268]  ? asm_exc_page_fault+0x8/0x30
[  205.799273]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  205.799277] RIP: 0033:0x7ff6b80eaca1
[  205.799281] Code: Unable to access opcode bytes at RIP 0x7ff6b80eac77.
[  205.799283] RSP: 002b:00007fff6dfd4738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[  205.799287] RAX: ffffffffffffffda RBX: 00007ff6b8215a00 RCX: 00007ff6b80eaca1
[  205.799290] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[  205.799293] RBP: 0000000000000001 R08: ffffffffffffff80 R09: 0000000000000028
[  205.799295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6b8215a00
[  205.799298] R13: 0000000000000000 R14: 00007ff6b821aee8 R15: 00007ff6b821af00
[  205.799304]  </TASK>

Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
Reported-by: Bernard F6BVP <f6bvp@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Duoming Zhou <duoming@zju.edu.cn>
---
 include/net/ax25.h | 1 +
 net/ax25/af_ax25.c | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index a427a05672e2aab158efd44381fe2190d9cb8969..f8cf3629a41934f96f33e5d70ad90cc8ae796d38 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -236,6 +236,7 @@ typedef struct ax25_cb {
 	ax25_address		source_addr, dest_addr;
 	ax25_digi		*digipeat;
 	ax25_dev		*ax25_dev;
+	netdevice_tracker	dev_tracker;
 	unsigned char		iamdigi;
 	unsigned char		state, modulus, pidincl;
 	unsigned short		vs, vr, va;
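
Review bot: the new dev_tracker field in struct ax25_cb carries no comment, and since struct ax25_dev keeps a dev_tracker of its own (the af_ax25.c hunks only change which tracker ax25_bind and ax25_release pass and remove nothing from ax25_dev, which Eric confirms later in this thread), a one-line comment such as `netdevice_tracker dev_tracker; /* for the hold taken in ax25_bind() */` would stop the next reader from assuming one of the two trackers is dead; that is exactly the question Paolo raises below.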
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 4c7030ed8d3319448f6cb158417c650308e341b8..5b5363c99ed50c2b8baad246d3ec1757e0afd0d9 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1065,7 +1065,7 @@ static int ax25_release(struct socket *sock)
 			del_timer_sync(&ax25->t3timer);
 			del_timer_sync(&ax25->idletimer);
 		}
-		dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
+		dev_put_track(ax25_dev->dev, &ax25->dev_tracker);
 		ax25_dev_put(ax25_dev);
 	}
 
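Review bot: the pairing is now right (hold on &ax25->dev_tracker in ax25_bind, put on the same slot here) and the order is safe, since the tracker lives in the ax25_cb and is read before ax25_dev_put(ax25_dev) drops the ax25_dev; but the `if` guarding this block is outside the hunk, and it must be true exactly when ax25_bind took the reference, otherwise a socket released without a successful bind would hand a never-initialised tracker to dev_put_track. A comment at this put naming the matching hold would make that invariant visible.
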
@@ -1146,7 +1146,7 @@ static int ax25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 
 	if (ax25_dev) {
 		ax25_fillin_cb(ax25, ax25_dev);
-		dev_hold_track(ax25_dev->dev, &ax25_dev->dev_tracker, GFP_ATOMIC);
+		dev_hold_track(ax25_dev->dev, &ax25->dev_tracker, GFP_ATOMIC);
 	}
 
 done:
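
Review bot: GFP_ATOMIC on dev_hold_track is unexplained in the hunk; a comment naming the lock this runs under would help. More importantly, since the Fixes: tag concerns a rebinding operation, a second bind on an already bound socket would overwrite ax25->dev_tracker and orphan the first tracker record in the same way the shared ax25_dev->dev_tracker did; if ax25_bind rejects already bound sockets earlier in the function, a comment pointing at that check settles it, otherwise a dev_put_track of the previous hold belongs before this one.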
-- 
2.37.1.359.gd136c6c3e2-goog
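
Editor's added example for the commit message above, which says that one ax25_dev can be used by many struct ax25_cb and therefore each ax25_cb needs its own dev_tracker. The C program below is not part of Eric Dumazet's patch and is not the kernel's lib/ref_tracker.c; it is a toy model (every toy_* name and struct is invented for it) that replays the sequence in Bernard's report, ax25_dev_device_up, ax25_bind, ax25_release, ax25_dev_device_down, once with the shared ax25_dev->dev_tracker slot and once with a per-ax25_cb slot. It goes one step beyond the report by running two sockets on one device in the fixed case, and it shows the property worth remembering: the numeric refcount is balanced in both runs, and only the tracker notices that the wrong slot was used.

```c
/* Added for this page: toy model of a per-holder reference tracker.  It is not
 * lib/ref_tracker.c and keeps only the property the fix relies on: a hold puts
 * a fresh record in the caller's slot; a put through a dead record is reported. */
#include <stdio.h>

#define TOY_MAX_RECORDS 8

/* Stand-ins for struct ref_tracker, netdevice_tracker and net_device. */
struct toy_record { int dead; const char *alloc_site, *free_site; };
typedef struct toy_record *toy_tracker;
struct toy_netdev {
	int refcnt, warnings, nrecords;	/* warnings: "already released" reports */
	struct toy_record records[TOY_MAX_RECORDS];
};

/* Like dev_hold_track(): take a reference and register a record for this slot.
 * *trackerp is simply overwritten, so a record reachable only through this
 * slot is orphaned; that is the bug when two holders share one slot. */
static void toy_hold_track(struct toy_netdev *dev, toy_tracker *trackerp,
			   const char *site)
{
	struct toy_record *r = NULL;
	dev->refcnt++;
	if (dev->nrecords < TOY_MAX_RECORDS) {
		r = &dev->records[dev->nrecords++];
		*r = (struct toy_record){ 0, site, NULL };
	}
	*trackerp = r;
}

/* Like dev_put_track(): the refcount is dropped either way, as in the kernel;
 * the tracker only reports a put that goes through an already-dead record. */
static int toy_put_track(struct toy_netdev *dev, toy_tracker *trackerp,
			 const char *site)
{
	struct toy_record *r = *trackerp;
	int ret = 0;
	if (r && r->dead) {
		dev->warnings++;
		fprintf(stderr, "reference already released.\nallocated in: %s\nfreed in: %s\n", r->alloc_site, r->free_site);
		ret = -1;
	} else if (r) {
		r->dead = 1;
		r->free_site = site;
	}
	dev->refcnt--;
	return ret;
}

/* Snapshot after a scenario; orphaned counts records that were never released. */
struct toy_outcome { int warnings, orphaned, refcnt; };
static struct toy_outcome toy_outcome_of(const struct toy_netdev *dev)
{
	struct toy_outcome out = { dev->warnings, 0, dev->refcnt };
	for (int i = 0; i < dev->nrecords; i++)
		out.orphaned += !dev->records[i].dead;
	return out;
}

/* Device-level holder with a tracker of its own, and the per-socket holder
 * whose dev_tracker field is the one the patch adds to struct ax25_cb. */
struct toy_ax25_dev { struct toy_netdev *dev; toy_tracker dev_tracker; };
struct toy_ax25_cb { struct toy_ax25_dev *ax25_dev; toy_tracker dev_tracker; };

/* Before the fix: ax25_bind/ax25_release reuse ax25_dev->dev_tracker; the bind
 * overwrites the device's own record and the reported sequence trips the check. */
struct toy_outcome scenario_shared_tracker(void)
{
	struct toy_netdev dev = {0};
	struct toy_ax25_dev ad = { &dev, NULL };
	toy_hold_track(&dev, &ad.dev_tracker, "ax25_dev_device_up");
	toy_hold_track(&dev, &ad.dev_tracker, "ax25_bind");	/* wrong slot */
	toy_put_track(&dev, &ad.dev_tracker, "ax25_release");
	toy_put_track(&dev, &ad.dev_tracker, "ax25_dev_device_down"); /* warns */
	return toy_outcome_of(&dev);
}

/* After the fix: each ax25_cb carries its own tracker, so every put names the
 * record its own hold created; two sockets on one device stay independent. */
struct toy_outcome scenario_per_cb_tracker(void)
{
	struct toy_netdev dev = {0};
	struct toy_ax25_dev ad = { &dev, NULL };
	struct toy_ax25_cb a = { &ad, NULL }, b = { &ad, NULL };
	toy_hold_track(&dev, &ad.dev_tracker, "ax25_dev_device_up");
	toy_hold_track(&dev, &a.dev_tracker, "ax25_bind (socket A)");
	toy_hold_track(&dev, &b.dev_tracker, "ax25_bind (socket B)");
	toy_put_track(&dev, &a.dev_tracker, "ax25_release (socket A)");
	toy_put_track(&dev, &b.dev_tracker, "ax25_release (socket B)");
	toy_put_track(&dev, &ad.dev_tracker, "ax25_dev_device_down");
	return toy_outcome_of(&dev);
}

int main(void)
{
	struct toy_outcome s = scenario_shared_tracker(), p = scenario_per_cb_tracker();
	printf("shared: warnings=%d orphaned=%d refcnt=%d\n", s.warnings, s.orphaned, s.refcnt);
	printf("per-cb: warnings=%d orphaned=%d refcnt=%d\n", p.warnings, p.orphaned, p.refcnt);
	return 0;
}
```

Any C99 compiler builds it. The shared-tracker run prints the toy's "reference already released." report to stderr and returns one warning plus one orphaned record (the device's own hold, whose record the bind overwrote), which is why the kernel's tracker fired from ax25_dev_device_down in the trace above even though the refcount itself ends at zero; the per-cb run returns all zeros. The toy_ax25_dev.dev_tracker slot that stays in use in the fixed case is the "other tracker" Eric says is still used in his reply further down.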



* Re: [PATCH net] ax25: fix incorrect dev_tracker usage
From: patchwork-bot+netdevbpf @ 2022-07-29  5:30 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: davem, kuba, pabeni, netdev, edumazet, f6bvp, duoming

Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 27 Jul 2022 22:18:21 -0700 you wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> While investigating a separate rose issue [1], and enabling
> CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]
> 
> An ax25_dev can be used by one (or many) struct ax25_cb.
> We thus need different dev_tracker, one per struct ax25_cb.
> 
> [...]

Here is the summary with links:
  - [net] ax25: fix incorrect dev_tracker usage
    https://git.kernel.org/netdev/net/c/d7c4c9e075f8

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




* Re: [PATCH net] ax25: fix incorrect dev_tracker usage
From: Matthieu Baerts @ 2022-07-29 17:32 UTC (permalink / raw)
  To: Eric Dumazet, David S . Miller, Jakub Kicinski, Paolo Abeni
  Cc: netdev, Eric Dumazet, Bernard F6BVP, Duoming Zhou, MPTCP Upstream


Hello,

On 28/07/2022 07:18, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> While investigating a separate rose issue [1], and enabling
> CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]
> 
> An ax25_dev can be used by one (or many) struct ax25_cb.
> We thus need different dev_tracker, one per struct ax25_cb.
> 
> After this patch is applied, we are able to focus on rose.

FYI, we got a small conflict when merging -net in net-next in the MPTCP
tree due to this patch applied in -net:

  d7c4c9e075f8 ("ax25: fix incorrect dev_tracker usage")

and this one from net-next:

  d62607c3fe45 ("net: rename reference+tracking helpers")

The conflict has been resolved on our side[1] and the resolution we
suggest is attached to this email.

I'm sharing this thinking it can help others but if it only creates
noise, please tell me! :-)

Cheers,
Matt

[1] https://github.com/multipath-tcp/mptcp_net-next/commit/b01791aa6b6c
-- 
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net

[-- Attachment #2: b01791aa6b6c783778b534f91997581a0e3caeb6.patch --]
[-- Type: text/x-patch, Size: 820 bytes --]

diff --cc net/ax25/af_ax25.c
index bbac3cb4dc99,5b5363c99ed5..d82a51e69386
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@@ -1066,7 -1065,7 +1066,7 @@@ static int ax25_release(struct socket *
  			del_timer_sync(&ax25->t3timer);
  			del_timer_sync(&ax25->idletimer);
  		}
- 		netdev_put(ax25_dev->dev, &ax25_dev->dev_tracker);
 -		dev_put_track(ax25_dev->dev, &ax25->dev_tracker);
++		netdev_put(ax25_dev->dev, &ax25->dev_tracker);
  		ax25_dev_put(ax25_dev);
  	}
  
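Review bot: the resolution takes the right piece from each side, the netdev_put() name from d62607c3fe45 and the &ax25->dev_tracker argument from d7c4c9e075f8, and the object whose reference is dropped is unchanged (ax25_dev->dev); anyone redoing this merge should still grep af_ax25.c for dev_put_track()/dev_hold_track() callers outside these two hunks, since the rename commit replaces those names.
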
@@@ -1147,7 -1146,7 +1147,7 @@@ static int ax25_bind(struct socket *soc
  
  	if (ax25_dev) {
  		ax25_fillin_cb(ax25, ax25_dev);
- 		netdev_hold(ax25_dev->dev, &ax25_dev->dev_tracker, GFP_ATOMIC);
 -		dev_hold_track(ax25_dev->dev, &ax25->dev_tracker, GFP_ATOMIC);
++		netdev_hold(ax25_dev->dev, &ax25->dev_tracker, GFP_ATOMIC);
  	}
  
  done:
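
Review bot: same resolution shape as the ax25_release hunk, netdev_hold() with &ax25->dev_tracker and GFP_ATOMIC carried over; nothing to change, but the merged tree should be built with CONFIG_NET_DEV_REFCNT_TRACKER=y (the option the original report needed), since that is the only configuration in which the tracker argument is more than a placeholder.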


* Re: [PATCH net] ax25: fix incorrect dev_tracker usage
From: Paolo Abeni @ 2022-08-03  6:23 UTC (permalink / raw)
  To: Eric Dumazet, David S . Miller, Jakub Kicinski
  Cc: netdev, Eric Dumazet, Bernard F6BVP, Duoming Zhou

On Wed, 2022-07-27 at 22:18 -0700, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> While investigating a separate rose issue [1], and enabling
> CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]
> 
> An ax25_dev can be used by one (or many) struct ax25_cb.
> We thus need different dev_tracker, one per struct ax25_cb.
> 
> After this patch is applied, we are able to focus on rose.
> 
> [1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/
> 
> [2]
> [  205.798723] reference already released.
> [  205.798732] allocated in:
> [  205.798734]  ax25_bind+0x1a2/0x230 [ax25]
> [  205.798747]  __sys_bind+0xea/0x110
> [  205.798753]  __x64_sys_bind+0x18/0x20
> [  205.798758]  do_syscall_64+0x5c/0x80
> [  205.798763]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [  205.798768] freed in:
> [  205.798770]  ax25_release+0x115/0x370 [ax25]
> [  205.798778]  __sock_release+0x42/0xb0
> [  205.798782]  sock_close+0x15/0x20
> [  205.798785]  __fput+0x9f/0x260
> [  205.798789]  ____fput+0xe/0x10
> [  205.798792]  task_work_run+0x64/0xa0
> [  205.798798]  exit_to_user_mode_prepare+0x18b/0x190
> [  205.798804]  syscall_exit_to_user_mode+0x26/0x40
> [  205.798808]  do_syscall_64+0x69/0x80
> [  205.798812]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [  205.798827] ------------[ cut here ]------------
> [  205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81
> [  205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video
> [  205.798948]  mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]
> [  205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3
> [  205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
> [  205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81
> [  205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e
> [  205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286
> [  205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000
> [  205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff
> [  205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618
> [  205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0
> [  205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001
> [  205.799024] FS:  0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000
> [  205.799028] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0
> [  205.799033] Call Trace:
> [  205.799035]  <TASK>
> [  205.799038]  ? ax25_dev_device_down+0xd9/0x1b0 [ax25]
> [  205.799047]  ? ax25_device_event+0x9f/0x270 [ax25]
> [  205.799055]  ? raw_notifier_call_chain+0x49/0x60
> [  205.799060]  ? call_netdevice_notifiers_info+0x52/0xa0
> [  205.799065]  ? dev_close_many+0xc8/0x120
> [  205.799070]  ? unregister_netdevice_many+0x13d/0x890
> [  205.799073]  ? unregister_netdevice_queue+0x90/0xe0
> [  205.799076]  ? unregister_netdev+0x1d/0x30
> [  205.799080]  ? mkiss_close+0x7c/0xc0 [mkiss]
> [  205.799084]  ? tty_ldisc_close+0x2e/0x40
> [  205.799089]  ? tty_ldisc_hangup+0x137/0x210
> [  205.799092]  ? __tty_hangup.part.0+0x208/0x350
> [  205.799098]  ? tty_vhangup+0x15/0x20
> [  205.799103]  ? pty_close+0x127/0x160
> [  205.799108]  ? tty_release+0x139/0x5e0
> [  205.799112]  ? __fput+0x9f/0x260
> [  205.799118]  ax25_dev_device_down+0xd9/0x1b0 [ax25]
> [  205.799126]  ax25_device_event+0x9f/0x270 [ax25]
> [  205.799135]  raw_notifier_call_chain+0x49/0x60
> [  205.799140]  call_netdevice_notifiers_info+0x52/0xa0
> [  205.799146]  dev_close_many+0xc8/0x120
> [  205.799152]  unregister_netdevice_many+0x13d/0x890
> [  205.799157]  unregister_netdevice_queue+0x90/0xe0
> [  205.799161]  unregister_netdev+0x1d/0x30
> [  205.799165]  mkiss_close+0x7c/0xc0 [mkiss]
> [  205.799170]  tty_ldisc_close+0x2e/0x40
> [  205.799173]  tty_ldisc_hangup+0x137/0x210
> [  205.799178]  __tty_hangup.part.0+0x208/0x350
> [  205.799184]  tty_vhangup+0x15/0x20
> [  205.799188]  pty_close+0x127/0x160
> [  205.799193]  tty_release+0x139/0x5e0
> [  205.799199]  __fput+0x9f/0x260
> [  205.799203]  ____fput+0xe/0x10
> [  205.799208]  task_work_run+0x64/0xa0
> [  205.799213]  do_exit+0x33b/0xab0
> [  205.799217]  ? __handle_mm_fault+0xc4f/0x15f0
> [  205.799224]  do_group_exit+0x35/0xa0
> [  205.799228]  __x64_sys_exit_group+0x18/0x20
> [  205.799232]  do_syscall_64+0x5c/0x80
> [  205.799238]  ? handle_mm_fault+0xba/0x290
> [  205.799242]  ? debug_smp_processor_id+0x17/0x20
> [  205.799246]  ? fpregs_assert_state_consistent+0x26/0x50
> [  205.799251]  ? exit_to_user_mode_prepare+0x49/0x190
> [  205.799256]  ? irqentry_exit_to_user_mode+0x9/0x20
> [  205.799260]  ? irqentry_exit+0x33/0x40
> [  205.799263]  ? exc_page_fault+0x87/0x170
> [  205.799268]  ? asm_exc_page_fault+0x8/0x30
> [  205.799273]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [  205.799277] RIP: 0033:0x7ff6b80eaca1
> [  205.799281] Code: Unable to access opcode bytes at RIP 0x7ff6b80eac77.
> [  205.799283] RSP: 002b:00007fff6dfd4738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> [  205.799287] RAX: ffffffffffffffda RBX: 00007ff6b8215a00 RCX: 00007ff6b80eaca1
> [  205.799290] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> [  205.799293] RBP: 0000000000000001 R08: ffffffffffffff80 R09: 0000000000000028
> [  205.799295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6b8215a00
> [  205.799298] R13: 0000000000000000 R14: 00007ff6b821aee8 R15: 00007ff6b821af00
> [  205.799304]  </TASK>
> 
> Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
> Reported-by: Bernard F6BVP <f6bvp@free.fr>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Duoming Zhou <duoming@zju.edu.cn>
> ---
>  include/net/ax25.h | 1 +
>  net/ax25/af_ax25.c | 4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/include/net/ax25.h b/include/net/ax25.h
> index a427a05672e2aab158efd44381fe2190d9cb8969..f8cf3629a41934f96f33e5d70ad90cc8ae796d38 100644
> --- a/include/net/ax25.h
> +++ b/include/net/ax25.h
> @@ -236,6 +236,7 @@ typedef struct ax25_cb {
>  	ax25_address		source_addr, dest_addr;
>  	ax25_digi		*digipeat;
>  	ax25_dev		*ax25_dev;
> +	netdevice_tracker	dev_tracker;
>  	unsigned char		iamdigi;
>  	unsigned char		state, modulus, pidincl;
>  	unsigned short		vs, vr, va;

I'm sorry for the [too] late feedback, but it looks like this patch
forgot to remove the old/unused tracker from ax25_dev, or am I missing
something?

Thanks!

Paolo



* Re: [PATCH net] ax25: fix incorrect dev_tracker usage
From: Eric Dumazet @ 2022-08-03  6:46 UTC (permalink / raw)
  To: Paolo Abeni
  Cc: Eric Dumazet, David S . Miller, Jakub Kicinski, netdev,
	Bernard F6BVP, Duoming Zhou

On Tue, Aug 2, 2022 at 11:23 PM Paolo Abeni <pabeni@redhat.com> wrote:
>
> On Wed, 2022-07-27 at 22:18 -0700, Eric Dumazet wrote:
> > From: Eric Dumazet <edumazet@google.com>
> >
> > While investigating a separate rose issue [1], and enabling
> > CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]
> >
> > An ax25_dev can be used by one (or many) struct ax25_cb.
> > We thus need different dev_tracker, one per struct ax25_cb.
> >
> > After this patch is applied, we are able to focus on rose.
> >
> > [1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/
> >
> > [2]
> > [  205.798723] reference already released.
> > [  205.798732] allocated in:
> > [  205.798734]  ax25_bind+0x1a2/0x230 [ax25]
> > [  205.798747]  __sys_bind+0xea/0x110
> > [  205.798753]  __x64_sys_bind+0x18/0x20
> > [  205.798758]  do_syscall_64+0x5c/0x80
> > [  205.798763]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [  205.798768] freed in:
> > [  205.798770]  ax25_release+0x115/0x370 [ax25]
> > [  205.798778]  __sock_release+0x42/0xb0
> > [  205.798782]  sock_close+0x15/0x20
> > [  205.798785]  __fput+0x9f/0x260
> > [  205.798789]  ____fput+0xe/0x10
> > [  205.798792]  task_work_run+0x64/0xa0
> > [  205.798798]  exit_to_user_mode_prepare+0x18b/0x190
> > [  205.798804]  syscall_exit_to_user_mode+0x26/0x40
> > [  205.798808]  do_syscall_64+0x69/0x80
> > [  205.798812]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [  205.798827] ------------[ cut here ]------------
> > [  205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81
> > [  205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video
> > [  205.798948]  mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]
> > [  205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3
> > [  205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
> > [  205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81
> > [  205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e
> > [  205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286
> > [  205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000
> > [  205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff
> > [  205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618
> > [  205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0
> > [  205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001
> > [  205.799024] FS:  0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000
> > [  205.799028] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [  205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0
> > [  205.799033] Call Trace:
> > [  205.799035]  <TASK>
> > [  205.799038]  ? ax25_dev_device_down+0xd9/0x1b0 [ax25]
> > [  205.799047]  ? ax25_device_event+0x9f/0x270 [ax25]
> > [  205.799055]  ? raw_notifier_call_chain+0x49/0x60
> > [  205.799060]  ? call_netdevice_notifiers_info+0x52/0xa0
> > [  205.799065]  ? dev_close_many+0xc8/0x120
> > [  205.799070]  ? unregister_netdevice_many+0x13d/0x890
> > [  205.799073]  ? unregister_netdevice_queue+0x90/0xe0
> > [  205.799076]  ? unregister_netdev+0x1d/0x30
> > [  205.799080]  ? mkiss_close+0x7c/0xc0 [mkiss]
> > [  205.799084]  ? tty_ldisc_close+0x2e/0x40
> > [  205.799089]  ? tty_ldisc_hangup+0x137/0x210
> > [  205.799092]  ? __tty_hangup.part.0+0x208/0x350
> > [  205.799098]  ? tty_vhangup+0x15/0x20
> > [  205.799103]  ? pty_close+0x127/0x160
> > [  205.799108]  ? tty_release+0x139/0x5e0
> > [  205.799112]  ? __fput+0x9f/0x260
> > [  205.799118]  ax25_dev_device_down+0xd9/0x1b0 [ax25]
> > [  205.799126]  ax25_device_event+0x9f/0x270 [ax25]
> > [  205.799135]  raw_notifier_call_chain+0x49/0x60
> > [  205.799140]  call_netdevice_notifiers_info+0x52/0xa0
> > [  205.799146]  dev_close_many+0xc8/0x120
> > [  205.799152]  unregister_netdevice_many+0x13d/0x890
> > [  205.799157]  unregister_netdevice_queue+0x90/0xe0
> > [  205.799161]  unregister_netdev+0x1d/0x30
> > [  205.799165]  mkiss_close+0x7c/0xc0 [mkiss]
> > [  205.799170]  tty_ldisc_close+0x2e/0x40
> > [  205.799173]  tty_ldisc_hangup+0x137/0x210
> > [  205.799178]  __tty_hangup.part.0+0x208/0x350
> > [  205.799184]  tty_vhangup+0x15/0x20
> > [  205.799188]  pty_close+0x127/0x160
> > [  205.799193]  tty_release+0x139/0x5e0
> > [  205.799199]  __fput+0x9f/0x260
> > [  205.799203]  ____fput+0xe/0x10
> > [  205.799208]  task_work_run+0x64/0xa0
> > [  205.799213]  do_exit+0x33b/0xab0
> > [  205.799217]  ? __handle_mm_fault+0xc4f/0x15f0
> > [  205.799224]  do_group_exit+0x35/0xa0
> > [  205.799228]  __x64_sys_exit_group+0x18/0x20
> > [  205.799232]  do_syscall_64+0x5c/0x80
> > [  205.799238]  ? handle_mm_fault+0xba/0x290
> > [  205.799242]  ? debug_smp_processor_id+0x17/0x20
> > [  205.799246]  ? fpregs_assert_state_consistent+0x26/0x50
> > [  205.799251]  ? exit_to_user_mode_prepare+0x49/0x190
> > [  205.799256]  ? irqentry_exit_to_user_mode+0x9/0x20
> > [  205.799260]  ? irqentry_exit+0x33/0x40
> > [  205.799263]  ? exc_page_fault+0x87/0x170
> > [  205.799268]  ? asm_exc_page_fault+0x8/0x30
> > [  205.799273]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [  205.799277] RIP: 0033:0x7ff6b80eaca1
> > [  205.799281] Code: Unable to access opcode bytes at RIP 0x7ff6b80eac77.
> > [  205.799283] RSP: 002b:00007fff6dfd4738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> > [  205.799287] RAX: ffffffffffffffda RBX: 00007ff6b8215a00 RCX: 00007ff6b80eaca1
> > [  205.799290] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> > [  205.799293] RBP: 0000000000000001 R08: ffffffffffffff80 R09: 0000000000000028
> > [  205.799295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6b8215a00
> > [  205.799298] R13: 0000000000000000 R14: 00007ff6b821aee8 R15: 00007ff6b821af00
> > [  205.799304]  </TASK>
> >
> > Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
> > Reported-by: Bernard F6BVP <f6bvp@free.fr>
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > Cc: Duoming Zhou <duoming@zju.edu.cn>
> > ---
> >  include/net/ax25.h | 1 +
> >  net/ax25/af_ax25.c | 4 ++--
> >  2 files changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/net/ax25.h b/include/net/ax25.h
> > index a427a05672e2aab158efd44381fe2190d9cb8969..f8cf3629a41934f96f33e5d70ad90cc8ae796d38 100644
> > --- a/include/net/ax25.h
> > +++ b/include/net/ax25.h
> > @@ -236,6 +236,7 @@ typedef struct ax25_cb {
> >       ax25_address            source_addr, dest_addr;
> >       ax25_digi               *digipeat;
> >       ax25_dev                *ax25_dev;
> > +     netdevice_tracker       dev_tracker;
> >       unsigned char           iamdigi;
> >       unsigned char           state, modulus, pidincl;
> >       unsigned short          vs, vr, va;
>
> I'm sorry for the [too] late feedback, but it looks like this patch
> forgot to remove the old/unused tracker from ax25_dev, or am I missing
> something?

I think you are confused ;)

The other tracker is still used.

Only the blamed patch (feef318c855a ("ax25: fix UAF bugs of net_device
caused by rebinding operation")) needed
a separate tracker in 'struct ax25_cb'.


* Re: [PATCH net] ax25: fix incorrect dev_tracker usage
From: Paolo Abeni @ 2022-08-03  7:03 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Eric Dumazet, David S . Miller, Jakub Kicinski, netdev,
	Bernard F6BVP, Duoming Zhou

On Tue, 2022-08-02 at 23:46 -0700, Eric Dumazet wrote:
> On Tue, Aug 2, 2022 at 11:23 PM Paolo Abeni <pabeni@redhat.com> wrote:
> > 
> > On Wed, 2022-07-27 at 22:18 -0700, Eric Dumazet wrote:
> > > From: Eric Dumazet <edumazet@google.com>
> > > 
> > > While investigating a separate rose issue [1], and enabling
> > > CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]
> > > 
> > > An ax25_dev can be used by one (or many) struct ax25_cb.
> > > We thus need different dev_tracker, one per struct ax25_cb.
> > > 
> > > After this patch is applied, we are able to focus on rose.
> > > 
> > > [1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/
> > > 
> > > [2]
> > > [  205.798723] reference already released.
> > > [  205.798732] allocated in:
> > > [  205.798734]  ax25_bind+0x1a2/0x230 [ax25]
> > > [  205.798747]  __sys_bind+0xea/0x110
> > > [  205.798753]  __x64_sys_bind+0x18/0x20
> > > [  205.798758]  do_syscall_64+0x5c/0x80
> > > [  205.798763]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > [  205.798768] freed in:
> > > [  205.798770]  ax25_release+0x115/0x370 [ax25]
> > > [  205.798778]  __sock_release+0x42/0xb0
> > > [  205.798782]  sock_close+0x15/0x20
> > > [  205.798785]  __fput+0x9f/0x260
> > > [  205.798789]  ____fput+0xe/0x10
> > > [  205.798792]  task_work_run+0x64/0xa0
> > > [  205.798798]  exit_to_user_mode_prepare+0x18b/0x190
> > > [  205.798804]  syscall_exit_to_user_mode+0x26/0x40
> > > [  205.798808]  do_syscall_64+0x69/0x80
> > > [  205.798812]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > [  205.798827] ------------[ cut here ]------------
> > > [  205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81
> > > [  205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video
> > > [  205.798948]  mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]
> > > [  205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3
> > > [  205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
> > > [  205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81
> > > [  205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e
> > > [  205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286
> > > [  205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000
> > > [  205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff
> > > [  205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618
> > > [  205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0
> > > [  205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001
> > > [  205.799024] FS:  0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000
> > > [  205.799028] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > [  205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0
> > > [  205.799033] Call Trace:
> > > [  205.799035]  <TASK>
> > > [  205.799038]  ? ax25_dev_device_down+0xd9/0x1b0 [ax25]
> > > [  205.799047]  ? ax25_device_event+0x9f/0x270 [ax25]
> > > [  205.799055]  ? raw_notifier_call_chain+0x49/0x60
> > > [  205.799060]  ? call_netdevice_notifiers_info+0x52/0xa0
> > > [  205.799065]  ? dev_close_many+0xc8/0x120
> > > [  205.799070]  ? unregister_netdevice_many+0x13d/0x890
> > > [  205.799073]  ? unregister_netdevice_queue+0x90/0xe0
> > > [  205.799076]  ? unregister_netdev+0x1d/0x30
> > > [  205.799080]  ? mkiss_close+0x7c/0xc0 [mkiss]
> > > [  205.799084]  ? tty_ldisc_close+0x2e/0x40
> > > [  205.799089]  ? tty_ldisc_hangup+0x137/0x210
> > > [  205.799092]  ? __tty_hangup.part.0+0x208/0x350
> > > [  205.799098]  ? tty_vhangup+0x15/0x20
> > > [  205.799103]  ? pty_close+0x127/0x160
> > > [  205.799108]  ? tty_release+0x139/0x5e0
> > > [  205.799112]  ? __fput+0x9f/0x260
> > > [  205.799118]  ax25_dev_device_down+0xd9/0x1b0 [ax25]
> > > [  205.799126]  ax25_device_event+0x9f/0x270 [ax25]
> > > [  205.799135]  raw_notifier_call_chain+0x49/0x60
> > > [  205.799140]  call_netdevice_notifiers_info+0x52/0xa0
> > > [  205.799146]  dev_close_many+0xc8/0x120
> > > [  205.799152]  unregister_netdevice_many+0x13d/0x890
> > > [  205.799157]  unregister_netdevice_queue+0x90/0xe0
> > > [  205.799161]  unregister_netdev+0x1d/0x30
> > > [  205.799165]  mkiss_close+0x7c/0xc0 [mkiss]
> > > [  205.799170]  tty_ldisc_close+0x2e/0x40
> > > [  205.799173]  tty_ldisc_hangup+0x137/0x210
> > > [  205.799178]  __tty_hangup.part.0+0x208/0x350
> > > [  205.799184]  tty_vhangup+0x15/0x20
> > > [  205.799188]  pty_close+0x127/0x160
> > > [  205.799193]  tty_release+0x139/0x5e0
> > > [  205.799199]  __fput+0x9f/0x260
> > > [  205.799203]  ____fput+0xe/0x10
> > > [  205.799208]  task_work_run+0x64/0xa0
> > > [  205.799213]  do_exit+0x33b/0xab0
> > > [  205.799217]  ? __handle_mm_fault+0xc4f/0x15f0
> > > [  205.799224]  do_group_exit+0x35/0xa0
> > > [  205.799228]  __x64_sys_exit_group+0x18/0x20
> > > [  205.799232]  do_syscall_64+0x5c/0x80
> > > [  205.799238]  ? handle_mm_fault+0xba/0x290
> > > [  205.799242]  ? debug_smp_processor_id+0x17/0x20
> > > [  205.799246]  ? fpregs_assert_state_consistent+0x26/0x50
> > > [  205.799251]  ? exit_to_user_mode_prepare+0x49/0x190
> > > [  205.799256]  ? irqentry_exit_to_user_mode+0x9/0x20
> > > [  205.799260]  ? irqentry_exit+0x33/0x40
> > > [  205.799263]  ? exc_page_fault+0x87/0x170
> > > [  205.799268]  ? asm_exc_page_fault+0x8/0x30
> > > [  205.799273]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > [  205.799277] RIP: 0033:0x7ff6b80eaca1
> > > [  205.799281] Code: Unable to access opcode bytes at RIP 0x7ff6b80eac77.
> > > [  205.799283] RSP: 002b:00007fff6dfd4738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> > > [  205.799287] RAX: ffffffffffffffda RBX: 00007ff6b8215a00 RCX: 00007ff6b80eaca1
> > > [  205.799290] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> > > [  205.799293] RBP: 0000000000000001 R08: ffffffffffffff80 R09: 0000000000000028
> > > [  205.799295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6b8215a00
> > > [  205.799298] R13: 0000000000000000 R14: 00007ff6b821aee8 R15: 00007ff6b821af00
> > > [  205.799304]  </TASK>
> > > 
> > > Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
> > > Reported-by: Bernard F6BVP <f6bvp@free.fr>
> > > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > > Cc: Duoming Zhou <duoming@zju.edu.cn>
> > > ---
> > >  include/net/ax25.h | 1 +
> > >  net/ax25/af_ax25.c | 4 ++--
> > >  2 files changed, 3 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/include/net/ax25.h b/include/net/ax25.h
> > > index a427a05672e2aab158efd44381fe2190d9cb8969..f8cf3629a41934f96f33e5d70ad90cc8ae796d38 100644
> > > --- a/include/net/ax25.h
> > > +++ b/include/net/ax25.h
> > > @@ -236,6 +236,7 @@ typedef struct ax25_cb {
> > >       ax25_address            source_addr, dest_addr;
> > >       ax25_digi               *digipeat;
> > >       ax25_dev                *ax25_dev;
> > > +     netdevice_tracker       dev_tracker;
> > >       unsigned char           iamdigi;
> > >       unsigned char           state, modulus, pidincl;
> > >       unsigned short          vs, vr, va;
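Review bot: the new field carries the same name, dev_tracker, as the tracker that remains in struct ax25_dev (the reply above confirms that one is still used), and nothing in the hunk says which holder each belongs to; a short comment on this line, such as `/* hold on ax25_dev->dev taken in ax25_bind, dropped in ax25_release */`, or a name that does not collide with the ax25_dev field, would make the pairing explicit and would make a merge conflict between the two fields much harder to resolve the wrong way.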
> > 
> > I'm sorry for the [too] late feedback, but it looks like this patch
> > forgot to remove the old/unused tracker from ax25_dev, or am I missing
> > something?
> 
> I think you are confused ;)

Indeed I'm (hopefully I was).


> The other tracker is still used.
> 
> Only the blamed patch (feef318c855a ("ax25: fix UAF bugs of net_device
> caused by rebinding operation")) needed
> a separate tracker in 'struct ax25_cb'.

So this conflict resolution: 

https://lore.kernel.org/linux-next/20220802151932.2830110-1-broonie@kernel.org/T/#u

is wrong - the first chunk must be dropped, only the last 2 are
required, right?

Thanks,

Paolo


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH net] ax25: fix incorrect dev_tracker usage
  2022-08-03  7:03     ` Paolo Abeni
@ 2022-08-03  7:15       ` Eric Dumazet
  2022-09-03  8:56         ` Bernard Pidoux
  0 siblings, 1 reply; 10+ messages in thread
From: Eric Dumazet @ 2022-08-03  7:15 UTC (permalink / raw)
  To: Paolo Abeni
  Cc: Eric Dumazet, David S . Miller, Jakub Kicinski, netdev,
	Bernard F6BVP, Duoming Zhou

On Wed, Aug 3, 2022 at 12:03 AM Paolo Abeni <pabeni@redhat.com> wrote:
>
> On Tue, 2022-08-02 at 23:46 -0700, Eric Dumazet wrote:
> > On Tue, Aug 2, 2022 at 11:23 PM Paolo Abeni <pabeni@redhat.com> wrote:
> > >
> > > On Wed, 2022-07-27 at 22:18 -0700, Eric Dumazet wrote:
> > > > From: Eric Dumazet <edumazet@google.com>
> > > >
> > > > While investigating a separate rose issue [1], and enabling
> > > > CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]
> > > >
> > > > An ax25_dev can be used by one (or many) struct ax25_cb.
> > > > We thus need different dev_tracker, one per struct ax25_cb.
> > > >
> > > > After this patch is applied, we are able to focus on rose.
> > > >
> > > > [1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/
> > > >
> > > > [2]
> > > > [  205.798723] reference already released.
> > > > [  205.798732] allocated in:
> > > > [  205.798734]  ax25_bind+0x1a2/0x230 [ax25]
> > > > [  205.798747]  __sys_bind+0xea/0x110
> > > > [  205.798753]  __x64_sys_bind+0x18/0x20
> > > > [  205.798758]  do_syscall_64+0x5c/0x80
> > > > [  205.798763]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > > [  205.798768] freed in:
> > > > [  205.798770]  ax25_release+0x115/0x370 [ax25]
> > > > [  205.798778]  __sock_release+0x42/0xb0
> > > > [  205.798782]  sock_close+0x15/0x20
> > > > [  205.798785]  __fput+0x9f/0x260
> > > > [  205.798789]  ____fput+0xe/0x10
> > > > [  205.798792]  task_work_run+0x64/0xa0
> > > > [  205.798798]  exit_to_user_mode_prepare+0x18b/0x190
> > > > [  205.798804]  syscall_exit_to_user_mode+0x26/0x40
> > > > [  205.798808]  do_syscall_64+0x69/0x80
> > > > [  205.798812]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > > [  205.798827] ------------[ cut here ]------------
> > > > [  205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81
> > > > [  205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video
> > > > [  205.798948]  mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]
> > > > [  205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3
> > > > [  205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
> > > > [  205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81
> > > > [  205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e
> > > > [  205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286
> > > > [  205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000
> > > > [  205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff
> > > > [  205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618
> > > > [  205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0
> > > > [  205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001
> > > > [  205.799024] FS:  0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000
> > > > [  205.799028] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > [  205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0
> > > > [  205.799033] Call Trace:
> > > > [  205.799035]  <TASK>
> > > > [  205.799038]  ? ax25_dev_device_down+0xd9/0x1b0 [ax25]
> > > > [  205.799047]  ? ax25_device_event+0x9f/0x270 [ax25]
> > > > [  205.799055]  ? raw_notifier_call_chain+0x49/0x60
> > > > [  205.799060]  ? call_netdevice_notifiers_info+0x52/0xa0
> > > > [  205.799065]  ? dev_close_many+0xc8/0x120
> > > > [  205.799070]  ? unregister_netdevice_many+0x13d/0x890
> > > > [  205.799073]  ? unregister_netdevice_queue+0x90/0xe0
> > > > [  205.799076]  ? unregister_netdev+0x1d/0x30
> > > > [  205.799080]  ? mkiss_close+0x7c/0xc0 [mkiss]
> > > > [  205.799084]  ? tty_ldisc_close+0x2e/0x40
> > > > [  205.799089]  ? tty_ldisc_hangup+0x137/0x210
> > > > [  205.799092]  ? __tty_hangup.part.0+0x208/0x350
> > > > [  205.799098]  ? tty_vhangup+0x15/0x20
> > > > [  205.799103]  ? pty_close+0x127/0x160
> > > > [  205.799108]  ? tty_release+0x139/0x5e0
> > > > [  205.799112]  ? __fput+0x9f/0x260
> > > > [  205.799118]  ax25_dev_device_down+0xd9/0x1b0 [ax25]
> > > > [  205.799126]  ax25_device_event+0x9f/0x270 [ax25]
> > > > [  205.799135]  raw_notifier_call_chain+0x49/0x60
> > > > [  205.799140]  call_netdevice_notifiers_info+0x52/0xa0
> > > > [  205.799146]  dev_close_many+0xc8/0x120
> > > > [  205.799152]  unregister_netdevice_many+0x13d/0x890
> > > > [  205.799157]  unregister_netdevice_queue+0x90/0xe0
> > > > [  205.799161]  unregister_netdev+0x1d/0x30
> > > > [  205.799165]  mkiss_close+0x7c/0xc0 [mkiss]
> > > > [  205.799170]  tty_ldisc_close+0x2e/0x40
> > > > [  205.799173]  tty_ldisc_hangup+0x137/0x210
> > > > [  205.799178]  __tty_hangup.part.0+0x208/0x350
> > > > [  205.799184]  tty_vhangup+0x15/0x20
> > > > [  205.799188]  pty_close+0x127/0x160
> > > > [  205.799193]  tty_release+0x139/0x5e0
> > > > [  205.799199]  __fput+0x9f/0x260
> > > > [  205.799203]  ____fput+0xe/0x10
> > > > [  205.799208]  task_work_run+0x64/0xa0
> > > > [  205.799213]  do_exit+0x33b/0xab0
> > > > [  205.799217]  ? __handle_mm_fault+0xc4f/0x15f0
> > > > [  205.799224]  do_group_exit+0x35/0xa0
> > > > [  205.799228]  __x64_sys_exit_group+0x18/0x20
> > > > [  205.799232]  do_syscall_64+0x5c/0x80
> > > > [  205.799238]  ? handle_mm_fault+0xba/0x290
> > > > [  205.799242]  ? debug_smp_processor_id+0x17/0x20
> > > > [  205.799246]  ? fpregs_assert_state_consistent+0x26/0x50
> > > > [  205.799251]  ? exit_to_user_mode_prepare+0x49/0x190
> > > > [  205.799256]  ? irqentry_exit_to_user_mode+0x9/0x20
> > > > [  205.799260]  ? irqentry_exit+0x33/0x40
> > > > [  205.799263]  ? exc_page_fault+0x87/0x170
> > > > [  205.799268]  ? asm_exc_page_fault+0x8/0x30
> > > > [  205.799273]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > > [  205.799277] RIP: 0033:0x7ff6b80eaca1
> > > > [  205.799281] Code: Unable to access opcode bytes at RIP 0x7ff6b80eac77.
> > > > [  205.799283] RSP: 002b:00007fff6dfd4738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> > > > [  205.799287] RAX: ffffffffffffffda RBX: 00007ff6b8215a00 RCX: 00007ff6b80eaca1
> > > > [  205.799290] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> > > > [  205.799293] RBP: 0000000000000001 R08: ffffffffffffff80 R09: 0000000000000028
> > > > [  205.799295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6b8215a00
> > > > [  205.799298] R13: 0000000000000000 R14: 00007ff6b821aee8 R15: 00007ff6b821af00
> > > > [  205.799304]  </TASK>
> > > >
> > > > Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
> > > > Reported-by: Bernard F6BVP <f6bvp@free.fr>
> > > > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > > > Cc: Duoming Zhou <duoming@zju.edu.cn>
> > > > ---
> > > >  include/net/ax25.h | 1 +
> > > >  net/ax25/af_ax25.c | 4 ++--
> > > >  2 files changed, 3 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/include/net/ax25.h b/include/net/ax25.h
> > > > index a427a05672e2aab158efd44381fe2190d9cb8969..f8cf3629a41934f96f33e5d70ad90cc8ae796d38 100644
> > > > --- a/include/net/ax25.h
> > > > +++ b/include/net/ax25.h
> > > > @@ -236,6 +236,7 @@ typedef struct ax25_cb {
> > > >       ax25_address            source_addr, dest_addr;
> > > >       ax25_digi               *digipeat;
> > > >       ax25_dev                *ax25_dev;
> > > > +     netdevice_tracker       dev_tracker;
> > > >       unsigned char           iamdigi;
> > > >       unsigned char           state, modulus, pidincl;
> > > >       unsigned short          vs, vr, va;
> > >
> > > I'm sorry for the [too] late feedback, but it looks like this patch
> > > forgot to remove the old/unused tracker from ax25_dev, or am I missing
> > > something?
> >
> > I think you are confused ;)
>
> Indeed I'm (hopefully I was).
>
>
> > The other tracker is still used.
> >
> > Only the blamed patch (feef318c855a ("ax25: fix UAF bugs of net_device
> > caused by rebinding operation")) needed
> > a separate tracker in 'struct ax25_cb'.
>
> So this conflict resolution:
>
> https://lore.kernel.org/linux-next/20220802151932.2830110-1-broonie@kernel.org/T/#u
>
> is wrong - the first chunk must be dropped, only the last 2 are
> required, right?

Indeed, this conflict resolution is wrong.

I knew this renaming thing was going to hurt us, this is only the beginning :/

Thanks.

>
> Thanks,
>
> Paolo
>

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH net] ax25: fix incorrect dev_tracker usage
  2022-08-03  7:15       ` Eric Dumazet
@ 2022-09-03  8:56         ` Bernard Pidoux
  2022-09-03 16:47           ` Eric Dumazet
  0 siblings, 1 reply; 10+ messages in thread
From: Bernard Pidoux @ 2022-09-03  8:56 UTC (permalink / raw)
  To: Eric Dumazet, Paolo Abeni
  Cc: Eric Dumazet, David S . Miller, Jakub Kicinski, netdev, Duoming Zhou

This patch is still not applied to net-next.
This is probably due to renaming thing ... that was confusing.

Any possibility to build on for old stables?

Eric, could you clarify the situation?

Regards,

Bernard

Le 03/08/2022 à 09:15, Eric Dumazet a écrit :
> On Wed, Aug 3, 2022 at 12:03 AM Paolo Abeni <pabeni@redhat.com> wrote:
>>
>> On Tue, 2022-08-02 at 23:46 -0700, Eric Dumazet wrote:
>>> On Tue, Aug 2, 2022 at 11:23 PM Paolo Abeni <pabeni@redhat.com> wrote:
>>>>
>>>> On Wed, 2022-07-27 at 22:18 -0700, Eric Dumazet wrote:
>>>>> From: Eric Dumazet <edumazet@google.com>
>>>>>
>>>>> While investigating a separate rose issue [1], and enabling
>>>>> CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]
>>>>>
>>>>> An ax25_dev can be used by one (or many) struct ax25_cb.
>>>>> We thus need different dev_tracker, one per struct ax25_cb.
>>>>>
>>>>> After this patch is applied, we are able to focus on rose.
>>>>>
>>>>> [1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/
>>>>>
>>>>> [2]
>>>>> [  205.798723] reference already released.
>>>>> [  205.798732] allocated in:
>>>>> [  205.798734]  ax25_bind+0x1a2/0x230 [ax25]
>>>>> [  205.798747]  __sys_bind+0xea/0x110
>>>>> [  205.798753]  __x64_sys_bind+0x18/0x20
>>>>> [  205.798758]  do_syscall_64+0x5c/0x80
>>>>> [  205.798763]  entry_SYSCALL_64_after_hwframe+0x44/0xae
>>>>> [  205.798768] freed in:
>>>>> [  205.798770]  ax25_release+0x115/0x370 [ax25]
>>>>> [  205.798778]  __sock_release+0x42/0xb0
>>>>> [  205.798782]  sock_close+0x15/0x20
>>>>> [  205.798785]  __fput+0x9f/0x260
>>>>> [  205.798789]  ____fput+0xe/0x10
>>>>> [  205.798792]  task_work_run+0x64/0xa0
>>>>> [  205.798798]  exit_to_user_mode_prepare+0x18b/0x190
>>>>> [  205.798804]  syscall_exit_to_user_mode+0x26/0x40
>>>>> [  205.798808]  do_syscall_64+0x69/0x80
>>>>> [  205.798812]  entry_SYSCALL_64_after_hwframe+0x44/0xae
>>>>> [  205.798827] ------------[ cut here ]------------
>>>>> [  205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81
>>>>> [  205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video
>>>>> [  205.798948]  mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]
>>>>> [  205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3
>>>>> [  205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
>>>>> [  205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81
>>>>> [  205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e
>>>>> [  205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286
>>>>> [  205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000
>>>>> [  205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff
>>>>> [  205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618
>>>>> [  205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0
>>>>> [  205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001
>>>>> [  205.799024] FS:  0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000
>>>>> [  205.799028] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>>> [  205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0
>>>>> [  205.799033] Call Trace:
>>>>> [  205.799035]  <TASK>
>>>>> [  205.799038]  ? ax25_dev_device_down+0xd9/0x1b0 [ax25]
>>>>> [  205.799047]  ? ax25_device_event+0x9f/0x270 [ax25]
>>>>> [  205.799055]  ? raw_notifier_call_chain+0x49/0x60
>>>>> [  205.799060]  ? call_netdevice_notifiers_info+0x52/0xa0
>>>>> [  205.799065]  ? dev_close_many+0xc8/0x120
>>>>> [  205.799070]  ? unregister_netdevice_many+0x13d/0x890
>>>>> [  205.799073]  ? unregister_netdevice_queue+0x90/0xe0
>>>>> [  205.799076]  ? unregister_netdev+0x1d/0x30
>>>>> [  205.799080]  ? mkiss_close+0x7c/0xc0 [mkiss]
>>>>> [  205.799084]  ? tty_ldisc_close+0x2e/0x40
>>>>> [  205.799089]  ? tty_ldisc_hangup+0x137/0x210
>>>>> [  205.799092]  ? __tty_hangup.part.0+0x208/0x350
>>>>> [  205.799098]  ? tty_vhangup+0x15/0x20
>>>>> [  205.799103]  ? pty_close+0x127/0x160
>>>>> [  205.799108]  ? tty_release+0x139/0x5e0
>>>>> [  205.799112]  ? __fput+0x9f/0x260
>>>>> [  205.799118]  ax25_dev_device_down+0xd9/0x1b0 [ax25]
>>>>> [  205.799126]  ax25_device_event+0x9f/0x270 [ax25]
>>>>> [  205.799135]  raw_notifier_call_chain+0x49/0x60
>>>>> [  205.799140]  call_netdevice_notifiers_info+0x52/0xa0
>>>>> [  205.799146]  dev_close_many+0xc8/0x120
>>>>> [  205.799152]  unregister_netdevice_many+0x13d/0x890
>>>>> [  205.799157]  unregister_netdevice_queue+0x90/0xe0
>>>>> [  205.799161]  unregister_netdev+0x1d/0x30
>>>>> [  205.799165]  mkiss_close+0x7c/0xc0 [mkiss]
>>>>> [  205.799170]  tty_ldisc_close+0x2e/0x40
>>>>> [  205.799173]  tty_ldisc_hangup+0x137/0x210
>>>>> [  205.799178]  __tty_hangup.part.0+0x208/0x350
>>>>> [  205.799184]  tty_vhangup+0x15/0x20
>>>>> [  205.799188]  pty_close+0x127/0x160
>>>>> [  205.799193]  tty_release+0x139/0x5e0
>>>>> [  205.799199]  __fput+0x9f/0x260
>>>>> [  205.799203]  ____fput+0xe/0x10
>>>>> [  205.799208]  task_work_run+0x64/0xa0
>>>>> [  205.799213]  do_exit+0x33b/0xab0
>>>>> [  205.799217]  ? __handle_mm_fault+0xc4f/0x15f0
>>>>> [  205.799224]  do_group_exit+0x35/0xa0
>>>>> [  205.799228]  __x64_sys_exit_group+0x18/0x20
>>>>> [  205.799232]  do_syscall_64+0x5c/0x80
>>>>> [  205.799238]  ? handle_mm_fault+0xba/0x290
>>>>> [  205.799242]  ? debug_smp_processor_id+0x17/0x20
>>>>> [  205.799246]  ? fpregs_assert_state_consistent+0x26/0x50
>>>>> [  205.799251]  ? exit_to_user_mode_prepare+0x49/0x190
>>>>> [  205.799256]  ? irqentry_exit_to_user_mode+0x9/0x20
>>>>> [  205.799260]  ? irqentry_exit+0x33/0x40
>>>>> [  205.799263]  ? exc_page_fault+0x87/0x170
>>>>> [  205.799268]  ? asm_exc_page_fault+0x8/0x30
>>>>> [  205.799273]  entry_SYSCALL_64_after_hwframe+0x44/0xae
>>>>> [  205.799277] RIP: 0033:0x7ff6b80eaca1
>>>>> [  205.799281] Code: Unable to access opcode bytes at RIP 0x7ff6b80eac77.
>>>>> [  205.799283] RSP: 002b:00007fff6dfd4738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>>>>> [  205.799287] RAX: ffffffffffffffda RBX: 00007ff6b8215a00 RCX: 00007ff6b80eaca1
>>>>> [  205.799290] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
>>>>> [  205.799293] RBP: 0000000000000001 R08: ffffffffffffff80 R09: 0000000000000028
>>>>> [  205.799295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6b8215a00
>>>>> [  205.799298] R13: 0000000000000000 R14: 00007ff6b821aee8 R15: 00007ff6b821af00
>>>>> [  205.799304]  </TASK>
>>>>>
>>>>> Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
>>>>> Reported-by: Bernard F6BVP <f6bvp@free.fr>
>>>>> Signed-off-by: Eric Dumazet <edumazet@google.com>
>>>>> Cc: Duoming Zhou <duoming@zju.edu.cn>
>>>>> ---
>>>>>   include/net/ax25.h | 1 +
>>>>>   net/ax25/af_ax25.c | 4 ++--
>>>>>   2 files changed, 3 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/include/net/ax25.h b/include/net/ax25.h
>>>>> index a427a05672e2aab158efd44381fe2190d9cb8969..f8cf3629a41934f96f33e5d70ad90cc8ae796d38 100644
>>>>> --- a/include/net/ax25.h
>>>>> +++ b/include/net/ax25.h
>>>>> @@ -236,6 +236,7 @@ typedef struct ax25_cb {
>>>>>        ax25_address            source_addr, dest_addr;
>>>>>        ax25_digi               *digipeat;
>>>>>        ax25_dev                *ax25_dev;
>>>>> +     netdevice_tracker       dev_tracker;
>>>>>        unsigned char           iamdigi;
>>>>>        unsigned char           state, modulus, pidincl;
>>>>>        unsigned short          vs, vr, va;
>>>>
>>>> I'm sorry for the [too] late feedback, but it looks like this patch
>>>> forgot to remove the old/unused tracker from ax25_dev, or am I missing
>>>> something?
>>>
>>> I think you are confused ;)
>>
>> Indeed I'm (hopefully I was).
>>
>>
>>> The other tracker is still used.
>>>
>>> Only the blamed patch (feef318c855a ("ax25: fix UAF bugs of net_device
>>> caused by rebinding operation")) needed
>>> a separate tracker in 'struct ax25_cb'.
>>
>> So this conflict resolution:
>>
>> https://lore.kernel.org/linux-next/20220802151932.2830110-1-broonie@kernel.org/T/#u
>>
>> is wrong - the first chunk must be dropped, only the last 2 are
>> required, right?
> 
> Indeed, this conflict resolution is wrong.
> 
> I knew this renaming thing was going to hurt us, this is only the beginning :/
> 
> Thanks.
> 
>>
>> Thanks,
>>
>> Paolo
>>

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH net] ax25: fix incorrect dev_tracker usage
  2022-09-03  8:56         ` Bernard Pidoux
@ 2022-09-03 16:47           ` Eric Dumazet
  2022-09-04 10:37             ` [AX25] [ROSE] refcount_t: decrement hit 0; leaking memory Bernard Pidoux
  0 siblings, 1 reply; 10+ messages in thread
From: Eric Dumazet @ 2022-09-03 16:47 UTC (permalink / raw)
  To: Bernard Pidoux
  Cc: Paolo Abeni, Eric Dumazet, David S . Miller, Jakub Kicinski,
	netdev, Duoming Zhou

On Sat, Sep 3, 2022 at 1:57 AM Bernard Pidoux <bernard.f6bvp@gmail.com> wrote:
>
> This patch is still not applied to net-next.
> This is probably due to renaming thing ... that was confusing.
>
> Any possibility to build on for old stables?
>
> Eric, could you clarify the situation?
>
> Regards,
>
> Bernard
>


Patch is definitely there.

Let me point you to the relevant parts, with a fake diff on the
current net-next tree.

diff --git a/include/net/ax25.h b/include/net/ax25.h
index f8cf3629a41934f96f33e5d70ad90cc8ae796d38..025a9f5d9f67d77897e3caf4c2ca1ef4b42c8c6c
100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -236,7 +236,7 @@ typedef struct ax25_cb {
        ax25_address            source_addr, dest_addr;
        ax25_digi               *digipeat;
        ax25_dev                *ax25_dev;
-       netdevice_tracker       dev_tracker;
+//     netdevice_tracker       dev_tracker;
        unsigned char           iamdigi;
        unsigned char           state, modulus, pidincl;
        unsigned short          vs, vr, va;
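Review bot: the pre-image blob id on this hunk's index line, f8cf3629a41934f96f33e5d70ad90cc8ae796d38, is the post-image blob id of include/net/ax25.h in the original patch (index a427a05672e2...f8cf3629a419...), which is the direct evidence that the patch is already in net-next; stating that equivalence answers the "still not applied" question more conclusively than a diff that only comments the field out, and it makes clear this hunk is for locating the code, not for applying.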
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 6b4c25a9237746265158900ab92d7f411b77ab79..c0a2e860eeaa76a7cd4c9f8068aa03659ce9452a
100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1066,7 +1066,7 @@ static int ax25_release(struct socket *sock)
                        del_timer_sync(&ax25->t3timer);
                        del_timer_sync(&ax25->idletimer);
                }
-               netdev_put(ax25_dev->dev, &ax25->dev_tracker);
+//             netdev_put(ax25_dev->dev, &ax25->dev_tracker);
                ax25_dev_put(ax25_dev);
        }

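Review bot: the order of these two lines is load-bearing and should stay as shown: netdev_put(ax25_dev->dev, &ax25->dev_tracker) dereferences ax25_dev, so it must run before ax25_dev_put(ax25_dev) drops the ax25_dev reference. The tracker argument must also be the per-socket one (&ax25->dev_tracker), not the field in struct ax25_dev: the report at the top of the thread is exactly this release-time put and the later put in ax25_dev_device_down landing on one shared tracker ("allocated in: ax25_bind", "freed in: ax25_release", then the WARNING from ax25_dev_device_down). Commenting the line out, as this fake diff does to point at it, must not be applied for real, since the netdev_hold in ax25_bind would then never be dropped.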
@@ -1147,7 +1147,7 @@ static int ax25_bind(struct socket *sock, struct
sockaddr *uaddr, int addr_len)

        if (ax25_dev) {
                ax25_fillin_cb(ax25, ax25_dev);
-               netdev_hold(ax25_dev->dev, &ax25->dev_tracker, GFP_ATOMIC);
+//             netdev_hold(ax25_dev->dev, &ax25->dev_tracker, GFP_ATOMIC);
        }

 done:
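Review bot: this hold is conditional on ax25_dev being non-NULL and the matching put in ax25_release sits inside a block that closes right after ax25_dev_put(ax25_dev), so the two stay balanced only while both conditions agree; the point to confirm in review is the rebinding case named in the Fixes line (feef318c855a, "caused by rebinding operation"): if ax25_bind can run a second time on an already bound socket, the earlier hold has to be released before this netdev_hold overwrites ax25->dev_tracker, otherwise the first reference is never dropped and its tracker record is lost. GFP_ATOMIC here only governs the tracker allocation under CONFIG_NET_DEV_REFCNT_TRACKER and has no effect when that option is off.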


> Le 03/08/2022 à 09:15, Eric Dumazet a écrit :
> > On Wed, Aug 3, 2022 at 12:03 AM Paolo Abeni <pabeni@redhat.com> wrote:
> >>
> >> On Tue, 2022-08-02 at 23:46 -0700, Eric Dumazet wrote:
> >>> On Tue, Aug 2, 2022 at 11:23 PM Paolo Abeni <pabeni@redhat.com> wrote:
> >>>>
> >>>> On Wed, 2022-07-27 at 22:18 -0700, Eric Dumazet wrote:
> >>>>> From: Eric Dumazet <edumazet@google.com>
> >>>>>
> >>>>> While investigating a separate rose issue [1], and enabling
> >>>>> CONFIG_NET_DEV_REFCNT_TRACKER=y, Bernard reported an orthogonal ax25 issue [2]
> >>>>>
> >>>>> An ax25_dev can be used by one (or many) struct ax25_cb.
> >>>>> We thus need different dev_tracker, one per struct ax25_cb.
> >>>>>
> >>>>> After this patch is applied, we are able to focus on rose.
> >>>>>
> >>>>> [1] https://lore.kernel.org/netdev/fb7544a1-f42e-9254-18cc-c9b071f4ca70@free.fr/
> >>>>>
> >>>>> [2]
> >>>>> [  205.798723] reference already released.
> >>>>> [  205.798732] allocated in:
> >>>>> [  205.798734]  ax25_bind+0x1a2/0x230 [ax25]
> >>>>> [  205.798747]  __sys_bind+0xea/0x110
> >>>>> [  205.798753]  __x64_sys_bind+0x18/0x20
> >>>>> [  205.798758]  do_syscall_64+0x5c/0x80
> >>>>> [  205.798763]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> >>>>> [  205.798768] freed in:
> >>>>> [  205.798770]  ax25_release+0x115/0x370 [ax25]
> >>>>> [  205.798778]  __sock_release+0x42/0xb0
> >>>>> [  205.798782]  sock_close+0x15/0x20
> >>>>> [  205.798785]  __fput+0x9f/0x260
> >>>>> [  205.798789]  ____fput+0xe/0x10
> >>>>> [  205.798792]  task_work_run+0x64/0xa0
> >>>>> [  205.798798]  exit_to_user_mode_prepare+0x18b/0x190
> >>>>> [  205.798804]  syscall_exit_to_user_mode+0x26/0x40
> >>>>> [  205.798808]  do_syscall_64+0x69/0x80
> >>>>> [  205.798812]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> >>>>> [  205.798827] ------------[ cut here ]------------
> >>>>> [  205.798829] WARNING: CPU: 2 PID: 2605 at lib/ref_tracker.c:136 ref_tracker_free.cold+0x60/0x81
> >>>>> [  205.798837] Modules linked in: rose netrom mkiss ax25 rfcomm cmac algif_hash algif_skcipher af_alg bnep snd_hda_codec_hdmi nls_iso8859_1 i915 rtw88_8821ce rtw88_8821c x86_pkg_temp_thermal rtw88_pci intel_powerclamp rtw88_core snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel kvm_intel snd_intel_dspcfg mac80211 snd_hda_codec kvm i2c_algo_bit drm_buddy drm_dp_helper btusb drm_kms_helper snd_hwdep btrtl snd_hda_core btbcm joydev crct10dif_pclmul btintel crc32_pclmul ghash_clmulni_intel mei_hdcp btmtk intel_rapl_msr aesni_intel bluetooth input_leds snd_pcm crypto_simd syscopyarea processor_thermal_device_pci_legacy sysfillrect cryptd intel_soc_dts_iosf snd_seq sysimgblt ecdh_generic fb_sys_fops rapl libarc4 processor_thermal_device intel_cstate processor_thermal_rfim cec snd_timer ecc snd_seq_device cfg80211 processor_thermal_mbox mei_me processor_thermal_rapl mei rc_core at24 snd intel_pch_thermal intel_rapl_common ttm soundcore int340x_thermal_zone video
> >>>>> [  205.798948]  mac_hid acpi_pad sch_fq_codel ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp parport ramoops pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 hid_generic usbhid hid i2c_i801 i2c_smbus r8169 xhci_pci ahci libahci realtek lpc_ich xhci_pci_renesas [last unloaded: ax25]
> >>>>> [  205.798992] CPU: 2 PID: 2605 Comm: ax25ipd Not tainted 5.18.11-F6BVP #3
> >>>>> [  205.798996] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
> >>>>> [  205.798999] RIP: 0010:ref_tracker_free.cold+0x60/0x81
> >>>>> [  205.799005] Code: e8 d2 01 9b ff 83 7b 18 00 74 14 48 c7 c7 2f d7 ff 98 e8 10 6e fc ff 8b 7b 18 e8 b8 01 9b ff 4c 89 ee 4c 89 e7 e8 5d fd 07 00 <0f> 0b b8 ea ff ff ff e9 30 05 9b ff 41 0f b6 f7 48 c7 c7 a0 fa 4e
> >>>>> [  205.799008] RSP: 0018:ffffaf5281073958 EFLAGS: 00010286
> >>>>> [  205.799011] RAX: 0000000080000000 RBX: ffff9a0bd687ebe0 RCX: 0000000000000000
> >>>>> [  205.799014] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 00000000ffffffff
> >>>>> [  205.799016] RBP: ffffaf5281073a10 R08: 0000000000000003 R09: fffffffffffd5618
> >>>>> [  205.799019] R10: 0000000000ffff10 R11: 000000000000000f R12: ffff9a0bc53384d0
> >>>>> [  205.799022] R13: 0000000000000282 R14: 00000000ae000001 R15: 0000000000000001
> >>>>> [  205.799024] FS:  0000000000000000(0000) GS:ffff9a0d0f300000(0000) knlGS:0000000000000000
> >>>>> [  205.799028] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >>>>> [  205.799031] CR2: 00007ff6b8311554 CR3: 000000001ac10004 CR4: 00000000001706e0
> >>>>> [  205.799033] Call Trace:
> >>>>> [  205.799035]  <TASK>
> >>>>> [  205.799038]  ? ax25_dev_device_down+0xd9/0x1b0 [ax25]
> >>>>> [  205.799047]  ? ax25_device_event+0x9f/0x270 [ax25]
> >>>>> [  205.799055]  ? raw_notifier_call_chain+0x49/0x60
> >>>>> [  205.799060]  ? call_netdevice_notifiers_info+0x52/0xa0
> >>>>> [  205.799065]  ? dev_close_many+0xc8/0x120
> >>>>> [  205.799070]  ? unregister_netdevice_many+0x13d/0x890
> >>>>> [  205.799073]  ? unregister_netdevice_queue+0x90/0xe0
> >>>>> [  205.799076]  ? unregister_netdev+0x1d/0x30
> >>>>> [  205.799080]  ? mkiss_close+0x7c/0xc0 [mkiss]
> >>>>> [  205.799084]  ? tty_ldisc_close+0x2e/0x40
> >>>>> [  205.799089]  ? tty_ldisc_hangup+0x137/0x210
> >>>>> [  205.799092]  ? __tty_hangup.part.0+0x208/0x350
> >>>>> [  205.799098]  ? tty_vhangup+0x15/0x20
> >>>>> [  205.799103]  ? pty_close+0x127/0x160
> >>>>> [  205.799108]  ? tty_release+0x139/0x5e0
> >>>>> [  205.799112]  ? __fput+0x9f/0x260
> >>>>> [  205.799118]  ax25_dev_device_down+0xd9/0x1b0 [ax25]
> >>>>> [  205.799126]  ax25_device_event+0x9f/0x270 [ax25]
> >>>>> [  205.799135]  raw_notifier_call_chain+0x49/0x60
> >>>>> [  205.799140]  call_netdevice_notifiers_info+0x52/0xa0
> >>>>> [  205.799146]  dev_close_many+0xc8/0x120
> >>>>> [  205.799152]  unregister_netdevice_many+0x13d/0x890
> >>>>> [  205.799157]  unregister_netdevice_queue+0x90/0xe0
> >>>>> [  205.799161]  unregister_netdev+0x1d/0x30
> >>>>> [  205.799165]  mkiss_close+0x7c/0xc0 [mkiss]
> >>>>> [  205.799170]  tty_ldisc_close+0x2e/0x40
> >>>>> [  205.799173]  tty_ldisc_hangup+0x137/0x210
> >>>>> [  205.799178]  __tty_hangup.part.0+0x208/0x350
> >>>>> [  205.799184]  tty_vhangup+0x15/0x20
> >>>>> [  205.799188]  pty_close+0x127/0x160
> >>>>> [  205.799193]  tty_release+0x139/0x5e0
> >>>>> [  205.799199]  __fput+0x9f/0x260
> >>>>> [  205.799203]  ____fput+0xe/0x10
> >>>>> [  205.799208]  task_work_run+0x64/0xa0
> >>>>> [  205.799213]  do_exit+0x33b/0xab0
> >>>>> [  205.799217]  ? __handle_mm_fault+0xc4f/0x15f0
> >>>>> [  205.799224]  do_group_exit+0x35/0xa0
> >>>>> [  205.799228]  __x64_sys_exit_group+0x18/0x20
> >>>>> [  205.799232]  do_syscall_64+0x5c/0x80
> >>>>> [  205.799238]  ? handle_mm_fault+0xba/0x290
> >>>>> [  205.799242]  ? debug_smp_processor_id+0x17/0x20
> >>>>> [  205.799246]  ? fpregs_assert_state_consistent+0x26/0x50
> >>>>> [  205.799251]  ? exit_to_user_mode_prepare+0x49/0x190
> >>>>> [  205.799256]  ? irqentry_exit_to_user_mode+0x9/0x20
> >>>>> [  205.799260]  ? irqentry_exit+0x33/0x40
> >>>>> [  205.799263]  ? exc_page_fault+0x87/0x170
> >>>>> [  205.799268]  ? asm_exc_page_fault+0x8/0x30
> >>>>> [  205.799273]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> >>>>> [  205.799277] RIP: 0033:0x7ff6b80eaca1
> >>>>> [  205.799281] Code: Unable to access opcode bytes at RIP 0x7ff6b80eac77.
> >>>>> [  205.799283] RSP: 002b:00007fff6dfd4738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> >>>>> [  205.799287] RAX: ffffffffffffffda RBX: 00007ff6b8215a00 RCX: 00007ff6b80eaca1
> >>>>> [  205.799290] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> >>>>> [  205.799293] RBP: 0000000000000001 R08: ffffffffffffff80 R09: 0000000000000028
> >>>>> [  205.799295] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6b8215a00
> >>>>> [  205.799298] R13: 0000000000000000 R14: 00007ff6b821aee8 R15: 00007ff6b821af00
> >>>>> [  205.799304]  </TASK>
> >>>>>
> >>>>> Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation")
> >>>>> Reported-by: Bernard F6BVP <f6bvp@free.fr>
> >>>>> Signed-off-by: Eric Dumazet <edumazet@google.com>
> >>>>> Cc: Duoming Zhou <duoming@zju.edu.cn>
> >>>>> ---
> >>>>>   include/net/ax25.h | 1 +
> >>>>>   net/ax25/af_ax25.c | 4 ++--
> >>>>>   2 files changed, 3 insertions(+), 2 deletions(-)
> >>>>>
> >>>>> diff --git a/include/net/ax25.h b/include/net/ax25.h
> >>>>> index a427a05672e2aab158efd44381fe2190d9cb8969..f8cf3629a41934f96f33e5d70ad90cc8ae796d38 100644
> >>>>> --- a/include/net/ax25.h
> >>>>> +++ b/include/net/ax25.h
> >>>>> @@ -236,6 +236,7 @@ typedef struct ax25_cb {
> >>>>>        ax25_address            source_addr, dest_addr;
> >>>>>        ax25_digi               *digipeat;
> >>>>>        ax25_dev                *ax25_dev;
> >>>>> +     netdevice_tracker       dev_tracker;
> >>>>>        unsigned char           iamdigi;
> >>>>>        unsigned char           state, modulus, pidincl;
> >>>>>        unsigned short          vs, vr, va;
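Review bot: the new `netdevice_tracker dev_tracker;` member only does its job if every netdev_hold()/netdev_put() on ax25_dev->dev that is made on behalf of a socket passes `&ax25->dev_tracker`; the diffstat lists just two changed lines in net/ax25/af_ax25.c (bind and release), while the reported trace shows ref_tracker_free() being reached from ax25_dev_device_down(), so that path should be checked to confirm it releases the per-ax25_cb tracker rather than the one kept in ax25_dev. A short comment on the member stating which reference it tracks would also help, given that the ax25_dev tracker stays in use.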
> >>>>
> >>>> I'm sorry for the [too] late feedback, but it looks like this patch
> >>>> forgot to remove the old/unused tracker from ax25_dev, or am I missing
> >>>> something?
> >>>
> >>> I think you are confused ;)
> >>
> >> Indeed I'm (hopefully I was).
> >>
> >>
> >>> The other tracker is still used.
> >>>
> >>> Only the blamed patch (feef318c855a ("ax25: fix UAF bugs of net_device
> >>> caused by rebinding operation")) needed
> >>> a separate tracker in 'struct ax25_cb'.
> >>
> >> So this conflict resolution:
> >>
> >> https://lore.kernel.org/linux-next/20220802151932.2830110-1-broonie@kernel.org/T/#u
> >>
> >> is wrong - the first chunk must be dropped, only the last 2 are
> >> required, right?
> >
> > Indeed, this conflict resolution is wrong.
> >
> > I knew this renaming thing was going to hurt us, this is only the beginning :/
> >
> > Thanks.
> >
> >>
> >> Thanks,
> >>
> >> Paolo
> >>

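The shared-versus-per-cb tracker argument in the quoted exchange, as an added example rather than kernel code: a user-space model of the ref_tracker idea (struct tracked_dev, dev_hold_tracked, dev_put_tracked and run_scenario are all assumptions) in which two sockets bind to one device and then close, once with the single tracker that lived in ax25_dev before the fix and once with one dev_tracker per ax25_cb, reproducing the "reference already released" warning and the leaked device reference only in the shared case.

```c
/* Added example, not kernel code: a user-space model of the ref_tracker idea,
 * to show why a tracker shared by several ax25_cb breaks. Names are made up. */
#include <stdio.h>

#define MAX_REFS 8

/* Stand-in for a net_device: a refcount plus one cookie per live holder. */
struct tracked_dev {
	int refcnt;
	void *live[MAX_REFS];
};

/* What a holder stores, like netdevice_tracker: an opaque cookie. */
typedef void *tracker_t;

/* Model of netdev_hold(): take one reference and record its cookie in *t. */
static int dev_hold_tracked(struct tracked_dev *d, tracker_t *t)
{
	for (int i = 0; i < MAX_REFS; i++) {
		if (!d->live[i]) {
			*t = &d->live[i];	/* the cookie names this slot */
			d->live[i] = *t;
			d->refcnt++;
			return 0;
		}
	}
	return -1;
}

/* Model of netdev_put(): drop the reference recorded under *t. A cookie that
 * is no longer live returns -1, the "reference already released." WARNING. */
static int dev_put_tracked(struct tracked_dev *d, tracker_t *t)
{
	for (int i = 0; i < MAX_REFS; i++) {
		if (d->live[i] && d->live[i] == *t) {
			d->live[i] = NULL;
			d->refcnt--;
			return 0;
		}
	}
	fprintf(stderr, "reference already released.\n");
	return -1;
}

struct outcome { int put_errors; int refcnt_left; };

/* Two sockets bind to, then close on, the same device. shared == 1 models the
 * pre-fix layout (one tracker in ax25_dev used by both); shared == 0 models
 * the fix (one dev_tracker per ax25_cb). */
struct outcome run_scenario(int shared)
{
	struct tracked_dev dev = {0};
	tracker_t t1 = NULL, t2 = NULL;
	tracker_t *cb1 = &t1, *cb2 = shared ? &t1 : &t2;
	struct outcome o = {0, 0};

	dev_hold_tracked(&dev, cb1);	/* socket 1: ax25_bind() */
	dev_hold_tracked(&dev, cb2);	/* socket 2: ax25_bind(), may clobber t1 */
	o.put_errors += dev_put_tracked(&dev, cb1) != 0;	/* socket 1 closes */
	o.put_errors += dev_put_tracked(&dev, cb2) != 0;	/* socket 2 closes */
	o.refcnt_left = dev.refcnt;	/* nonzero: one reference leaked */
	return o;
}
```

With the shared tracker the second close warns and the device keeps one reference it can never drop, which is the same pair of symptoms (tracker warning plus a device that cannot go away cleanly) seen in the reports above.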

* [AX25] [ROSE] refcount_t: decrement hit 0; leaking memory
  2022-09-03 16:47           ` Eric Dumazet
@ 2022-09-04 10:37             ` Bernard Pidoux
  0 siblings, 0 replies; 10+ messages in thread
From: Bernard Pidoux @ 2022-09-04 10:37 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: netdev, linux-hams, Francois Romieu

refcount warning when a rose connection is performed from a remote node:

[26215.100860] NET: Registered PF_AX25 protocol family
[26215.108188] mkiss: AX.25 Multikiss, Hans Albas PE1AYX
[26215.108896] mkiss: ax0: crc mode is auto.
[26215.109078] IPv6: ADDRCONF(NETDEV_CHANGE): ax0: link becomes ready
[26219.157349] NET: Registered PF_ROSE protocol family
[26226.215278] mkiss: ax0: Trying crc-smack
[26226.215429] mkiss: ax0: Trying crc-flexnet
[26442.283263] ------------[ cut here ]------------
[26442.283282] refcount_t: decrement hit 0; leaking memory.
[26442.283309] WARNING: CPU: 3 PID: 5541 at lib/refcount.c:31 refcount_warn_saturate+0x4c/0x150
[26442.283333] Modules linked in: rose mkiss ax25 rfcomm snd_hda_codec_hdmi cmac algif_hash algif_skcipher af_alg bnep i915 nls_iso8859_1 x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel snd_hda_codec_realtek snd_hda_codec_generic rtw88_8821ce ledtrig_audio kvm i2c_algo_bit rtw88_8821c drm_buddy snd_hda_intel rtw88_pci btusb drm_display_helper snd_intel_dspcfg btrtl rtw88_core snd_hda_codec crct10dif_pclmul snd_hwdep crc32_pclmul snd_hda_core ghash_clmulni_intel btbcm aesni_intel drm_kms_helper btintel snd_pcm mei_hdcp btmtk crypto_simd intel_rapl_msr mac80211 syscopyarea snd_seq cryptd sysfillrect bluetooth sysimgblt fb_sys_fops cec processor_thermal_device_pci_legacy rapl snd_timer intel_soc_dts_iosf libarc4 rc_core at24 input_leds joydev processor_thermal_device intel_cstate cfg80211 snd_seq_device processor_thermal_rfim ecdh_generic ttm snd processor_thermal_mbox processor_thermal_rapl mei_me intel_pch_thermal ecc mei intel_rapl_common soundcore
[26442.283525]  int340x_thermal_zone acpi_pad video mac_hid ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp ramoops parport pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic libcrc32c xor raid6_pq zstd_compress dm_mirror dm_region_hash dm_log hid_generic usbhid hid i2c_i801 ahci r8169 i2c_smbus libahci lpc_ich xhci_pci realtek xhci_pci_renesas
[26442.283644] CPU: 3 PID: 5541 Comm: kworker/u8:2 Not tainted 6.0.0-rc3-DEBUG+ #5
[26442.283655] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
[26442.283663] Workqueue: events_unbound flush_to_ldisc
[26442.283686] RIP: 0010:refcount_warn_saturate+0x4c/0x150
[26442.283711] Code: 00 00 0f b6 1d 6c 10 52 01 80 fb 01 0f 87 3a 04 6c 00 83 e3 01 75 34 48 c7 c7 70 bc 21 bb c6 05 50 10 52 01 01 e8 59 0c 68 00 <0f> 0b eb 1d 85 f6 74 4f 0f b6 1d 3f 10 52 01 80 fb 01 0f 87 f6 03
[26442.283723] RSP: 0018:ffffa20940174ad8 EFLAGS: 00010286
[26442.283734] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[26442.283742] RDX: 0000000000000504 RSI: ffffffffbb1cdaf1 RDI: 00000000ffffffff
[26442.283750] RBP: ffffa20940174ae0 R08: 0000000000000003 R09: 3b30207469682074
[26442.283758] R10: 203a745f746e756f R11: 746e756f63666572 R12: ffff92316c140490
[26442.283766] R13: 0000000000000000 R14: 0000000000000001 R15: ffff92316b561800
[26442.283774] FS:  0000000000000000(0000) GS:ffff92328f380000(0000) knlGS:0000000000000000
[26442.283783] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[26442.283791] CR2: 00005634bae01a08 CR3: 0000000166410006 CR4: 00000000001706e0
[26442.283801] Call Trace:
[26442.283807]  <IRQ>
[26442.283816]  ref_tracker_free+0x181/0x1c0
[26442.283836]  rose_route_frame+0x298/0x740 [rose]
[26442.283856]  ? pollwake+0x72/0x90
[26442.283869]  ? wake_up_q+0x90/0x90
[26442.283884]  ? __wake_up_common+0x7d/0x140
[26442.283896]  ? rose_link_device_down+0x50/0x50 [rose]
[26442.283916]  ax25_rx_iframe.part.0+0x8a/0x340 [ax25]
[26442.283937]  ax25_rx_iframe+0x13/0x20 [ax25]
[26442.283957]  ax25_std_frame_in+0x7ae/0x810 [ax25]
[26442.283979]  ax25_rcv.constprop.0+0x5ee/0x880 [ax25]
[26442.284002]  ? __netif_receive_skb_core.constprop.0+0x725/0x10b0
[26442.284021]  ax25_kiss_rcv+0x6c/0x90 [ax25]
[26442.284041]  __netif_receive_skb_one_core+0x91/0xa0
[26442.284054]  __netif_receive_skb+0x15/0x60
[26442.284066]  process_backlog+0x96/0x140
[26442.284079]  __napi_poll+0x33/0x190
[26442.284091]  net_rx_action+0x19f/0x300
[26442.284105]  __do_softirq+0x103/0x366
[26442.284123]  do_softirq.part.0+0xa4/0xd0
[26442.284138]  </IRQ>
[26442.284145]  <TASK>
[26442.284152]  __local_bh_enable_ip+0x87/0x90
[26442.284166]  _raw_spin_unlock_bh+0x1d/0x30
[26442.284178]  mkiss_receive_buf+0x330/0x3d0 [mkiss]
[26442.284195]  tty_ldisc_receive_buf+0x4b/0x60
[26442.284209]  tty_port_default_receive_buf+0x42/0x70
[26442.284225]  flush_to_ldisc+0xb8/0x1b0
[26442.284240]  process_one_work+0x21f/0x3f0
[26442.284257]  worker_thread+0x50/0x3e0
[26442.284271]  ? process_one_work+0x3f0/0x3f0
[26442.284326]  kthread+0xfd/0x130
[26442.284345]  ? kthread_complete_and_exit+0x20/0x20
[26442.284365]  ret_from_fork+0x22/0x30
[26442.284393]  </TASK>
[26442.284404] ---[ end trace 0000000000000000 ]---
[26442.284494] ------------[ cut here ]------------
[26442.284508] refcount_t: saturated; leaking memory.
[26442.284537] WARNING: CPU: 3 PID: 34 at lib/refcount.c:22 refcount_warn_saturate+0x144/0x150
[26442.284564] Modules linked in: rose mkiss ax25 rfcomm snd_hda_codec_hdmi cmac algif_hash algif_skcipher af_alg bnep i915 nls_iso8859_1 x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel snd_hda_codec_realtek snd_hda_codec_generic rtw88_8821ce ledtrig_audio kvm i2c_algo_bit rtw88_8821c drm_buddy snd_hda_intel rtw88_pci btusb drm_display_helper snd_intel_dspcfg btrtl rtw88_core snd_hda_codec crct10dif_pclmul snd_hwdep crc32_pclmul snd_hda_core ghash_clmulni_intel btbcm aesni_intel drm_kms_helper btintel snd_pcm mei_hdcp btmtk crypto_simd intel_rapl_msr mac80211 syscopyarea snd_seq cryptd sysfillrect bluetooth sysimgblt fb_sys_fops cec processor_thermal_device_pci_legacy rapl snd_timer intel_soc_dts_iosf libarc4 rc_core at24 input_leds joydev processor_thermal_device intel_cstate cfg80211 snd_seq_device processor_thermal_rfim ecdh_generic ttm snd processor_thermal_mbox processor_thermal_rapl mei_me intel_pch_thermal ecc mei intel_rapl_common soundcore
[26442.284833]  int340x_thermal_zone acpi_pad video mac_hid ipmi_devintf ipmi_msghandler drm msr parport_pc ppdev lp ramoops parport pstore_blk reed_solomon pstore_zone efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic libcrc32c xor raid6_pq zstd_compress dm_mirror dm_region_hash dm_log hid_generic usbhid hid i2c_i801 ahci r8169 i2c_smbus libahci lpc_ich xhci_pci realtek xhci_pci_renesas
[26442.284958] CPU: 3 PID: 34 Comm: ksoftirqd/3 Tainted: G        W          6.0.0-rc3-DEBUG+ #5
[26442.284976] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CK3, BIOS 5.011 09/16/2020
[26442.284987] RIP: 0010:refcount_warn_saturate+0x144/0x150
[26442.285008] Code: a0 bc 21 bb c6 05 71 0f 52 01 01 e8 7b 0b 68 00 0f 0b e9 3c ff ff ff 48 c7 c7 f0 bb 21 bb c6 05 5b 0f 52 01 01 e8 61 0b 68 00 <0f> 0b e9 22 ff ff ff 0f 1f 44 00 00 8b 07 3d 00 00 00 c0 74 12 83
[26442.285024] RSP: 0018:ffffa2094015f990 EFLAGS: 00010286
[26442.285042] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[26442.285056] RDX: 0000000000000503 RSI: ffffffffbb1cdaf1 RDI: 00000000ffffffff
[26442.285070] RBP: ffffa2094015f998 R08: 0000000000000003 R09: 3b64657461727574
[26442.285086] R10: 00000000756f6366 R11: 0000000063666572 R12: ffff92316c140490
[26442.285100] R13: 0000000000000a20 R14: 0000000000000000 R15: 0000000000000000
[26442.285114] FS:  0000000000000000(0000) GS:ffff92328f380000(0000) knlGS:0000000000000000
[26442.285123] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[26442.285131] CR2: 00005634bae01a08 CR3: 0000000166410006 CR4: 00000000001706e0
[26442.285140] Call Trace:
[26442.285146]  <TASK>
[26442.285155]  ref_tracker_alloc+0x170/0x220
[26442.285169]  ? __smp_call_single_queue+0x59/0x90
[26442.285184]  ? ttwu_queue_wakelist+0xff/0x1d0
[26442.285196]  ? _raw_spin_unlock_irqrestore+0x27/0x50
[26442.285210]  rose_dev_get+0x8a/0xa0 [rose]
[26442.285228]  rose_route_frame+0x267/0x740 [rose]
[26442.285245]  ? pollwake+0x72/0x90
[26442.285255]  ? wake_up_q+0x90/0x90
[26442.285268]  ? __wake_up_common+0x7d/0x140
[26442.285279]  ? rose_link_device_down+0x50/0x50 [rose]
[26442.285294]  ax25_rx_iframe.part.0+0x8a/0x340 [ax25]
[26442.285313]  ax25_rx_iframe+0x13/0x20 [ax25]
[26442.285330]  ax25_std_frame_in+0x7ae/0x810 [ax25]
[26442.285350]  ax25_rcv.constprop.0+0x5ee/0x880 [ax25]
[26442.285369]  ? __netif_receive_skb_core.constprop.0+0x725/0x10b0
[26442.285385]  ax25_kiss_rcv+0x6c/0x90 [ax25]
[26442.285402]  __netif_receive_skb_one_core+0x91/0xa0
[26442.285414]  __netif_receive_skb+0x15/0x60
[26442.285424]  process_backlog+0x96/0x140
[26442.285436]  __napi_poll+0x33/0x190
[26442.285447]  net_rx_action+0x19f/0x300
[26442.285460]  __do_softirq+0x103/0x366
[26442.285475]  run_ksoftirqd+0x39/0x50
[26442.285488]  smpboot_thread_fn+0x193/0x230
[26442.285500]  ? sort_range+0x30/0x30
[26442.285509]  kthread+0xfd/0x130
[26442.285521]  ? kthread_complete_and_exit+0x20/0x20
[26442.285534]  ret_from_fork+0x22/0x30
[26442.285551]  </TASK>
[26442.285557] ---[ end trace 0000000000000000 ]---
[26442.286648] ROSE: unknown 0F in state 3
[26442.287419] ROSE: unknown 17 in state 3
root@bernard-f6bvp:/home/bernard#

Thread overview: 10+ messages
2022-07-28  5:18 [PATCH net] ax25: fix incorrect dev_tracker usage Eric Dumazet
2022-07-29  5:30 ` patchwork-bot+netdevbpf
2022-07-29 17:32 ` Matthieu Baerts
2022-08-03  6:23 ` Paolo Abeni
2022-08-03  6:46   ` Eric Dumazet
2022-08-03  7:03     ` Paolo Abeni
2022-08-03  7:15       ` Eric Dumazet
2022-09-03  8:56         ` Bernard Pidoux
2022-09-03 16:47           ` Eric Dumazet
2022-09-04 10:37             ` [AX25] [ROSE] refcount_t: decrement hit 0; leaking memory Bernard Pidoux
