From: duoming@zju.edu.cn
To: "Lars Kellogg-Stedman" <lars@oddbit.com>
Cc: linux-hams@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, pabeni@redhat.com, kuba@kernel.org,
edumazet@google.com, davem@davemloft.net, jreuter@yaina.de,
dan.carpenter@linaro.org
Subject: Re: [PATCH net] ax25: Fix refcount leak issues of ax25_dev
Date: Wed, 15 May 2024 17:52:25 +0800 (GMT+08:00)
Message-ID: <ac6f090.eaff.18f7baadb40.Coremail.duoming@zju.edu.cn>
In-Reply-To: <my4l7ljo35dnwxl33maqhyvw7666dmuwtduwtyhnzdlb6bbf5m@5sbp4tvg246f>
On Wed, 1 May 2024 21:29:16 -0400 Lars Kellogg-Stedman wrote:
> Assume we have the following two interfaces configured on a system:
>
> $ cat /etc/ax25/axports
> udp0 test0-0 9600 255 2 axudp0
> udp1 test0-1 9600 255 2 axudp1
>
> And we have ax25d listening on both interfaces:
>
> [udp0]
> default * * * * * * - root /usr/sbin/axwrapper axwrapper -- /bin/sh sh /etc/ax25/example-output.sh
> [udp1]
> default * * * * * * - root /usr/sbin/axwrapper axwrapper -- /bin/sh sh /etc/ax25/example-output.sh
>
> Using the 'ax-devs' and 'ax-sockets' gdb commands shown at the end of
> this message, we start with:
>
> (gdb) ax-devs
> ax1 ax_refcnt:2 dev_refcnt:9 dev_untracked:1 dev_notrack:1
> ax0 ax_refcnt:2 dev_refcnt:9 dev_untracked:1 dev_notrack:1
> (gdb) ax-sockets
> 0xffff8881002b6800 if:ax1 state:0 refcnt:2 dev_tracker:0xffff888100ded200
> 0xffff888101ac4e00 if:ax0 state:0 refcnt:2 dev_tracker:0xffff888100dec4c0
>
> We initiate a connection from ax0 to ax1:
>
> call -r udp0 test0-1
>
> When we first enter ax25_rcv, we have:
>
> (gdb) ax-devs
> ax1 ax_refcnt:2 dev_refcnt:9 dev_untracked:1 dev_notrack:1
> ax0 ax_refcnt:3 dev_refcnt:10 dev_untracked:1 dev_notrack:1
> (gdb) ax-sockets
> 0xffff888101ac8000 if:ax0 state:1 refcnt:2 dev_tracker:0xffff888100dedb80
> 0xffff8881002b6800 if:ax1 state:0 refcnt:2 dev_tracker:0xffff888100ded200
> 0xffff888101ac4e00 if:ax0 state:0 refcnt:2 dev_tracker:0xffff888100dec4c0
>
> After we reach line 413 (in net/ax25/ax25_in.c) and add a new control
> block:
>
> ax25_cb_add(ax25)
>
> We have:
>
> (gdb) ax-devs
> ax1 ax_refcnt:2 dev_refcnt:9 dev_untracked:1 dev_notrack:1
> ax0 ax_refcnt:3 dev_refcnt:10 dev_untracked:1 dev_notrack:1
> (gdb) ax-sockets
> 0xffff88810245ac00 if:ax1 state:3 refcnt:2 dev_tracker:0x0 <fixed_percpu_data>
> 0xffff88810245ba00 if:ax0 state:1 refcnt:2 dev_tracker:0xffff88810136c800
> 0xffff888100c79e00 if:ax1 state:0 refcnt:2 dev_tracker:0xffff88810136c6e0
> 0xffff8881018e9800 if:ax0 state:0 refcnt:2 dev_tracker:0xffff88810170c860
>
> Note that (a) ax25->dev_tracker is NULL, and (b) we have incremented the
> refcount on ax0 (the source interface), but not on ax1 (the destination
> interface). When we call ax25_release for this control block, we get to:
>
> netdev_put(ax25_dev->dev, &ax25->dev_tracker);
> ax25_dev_put(ax25_dev);
>
> With:
>
> (gdb) ax-devs
> ax1 ax_refcnt:2 dev_refcnt:9 dev_untracked:1 dev_notrack:1
> ax0 ax_refcnt:3 dev_refcnt:10 dev_untracked:1 dev_notrack:1
>
> After the calls to netdev_put() and ax25_dev_put(), we have:
>
> (gdb) ax-devs
> ax1 ax_refcnt:1 dev_refcnt:8 dev_untracked:-1073741824 dev_notrack:1
> ax0 ax_refcnt:2 dev_refcnt:9 dev_untracked:1 dev_notrack:1
>
> You can see that (a) ax25_dev->dev->refcnt_tracker->untracked is now
> invalid, and ax25_dev->dev->dev_refcnt is in trouble: it decrements by
> one for each closed connection, even though it was never incremented
> when we accepted the connection. The underflow in
> ...refcnt_tracker->untracked yields the traceback with:
>
> refcount_t: decrement hit 0; leaking memory.
>
> Additional connections will eventually trigger more problems; we will
> ultimately underflow ax25_dev->dev->dev_refcnt, but we may also run into
> memory corruption because of the invalid tracker data, resulting in:
>
> BUG: unable to handle page fault for address: 00000010000003b0

Do you know how to trigger this bug? Could you share the POC?

Best regards,
Duoming Zhou
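The quoted gdb output shows exactly what an unbalanced put looks like from the refcount side: a control block whose dev_tracker is NULL releases a device reference it never took, ref_tracker_free() then decrements the tracker directory's "untracked" count, and refcount_t saturates to REFCOUNT_SATURATED (INT_MIN / 2, i.e. -1073741824) with the "decrement hit 0; leaking memory" warning. The following user-space model is an added example, not code from this thread or from the kernel's ax25 or ref_tracker implementation; all struct and function names are hypothetical, and the starting counters (ax_refcnt 2, dev_refcnt 9, untracked 1) are constructed from the gdb lines quoted above. It reproduces the numbers in the report for a control block that never took a hold, and shows the balanced variant where the control block takes its own tracked hold before the same release path runs.

```c
/* Added example: simplified model of refcount_t saturation, the ref_tracker
 * "untracked" counter and a hold/put pair for a device. Hypothetical names. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Same value as the kernel's REFCOUNT_SATURATED (INT_MIN / 2). */
#define REFCOUNT_SATURATED (-1073741824)

struct model_netdev {
	int dev_refcnt;   /* the net_device's own reference count */
	int untracked;    /* ref_tracker_dir.untracked: holds taken with no tracker */
	bool warned;      /* set when a decrement hit 0 (the kernel WARNs here) */
};

struct model_ax25_dev {
	int ax_refcnt;
	struct model_netdev *dev;
};

struct model_tracker { int active; };

/* One accepted connection's control block. dev_tracker stays NULL when the
 * block never took a hold, which is the state the report describes. */
struct model_cb {
	struct model_ax25_dev *ax25_dev;
	struct model_tracker *dev_tracker;
};

/* refcount_dec(): a decrement whose old value is <= 1 is a leak; the kernel
 * warns "decrement hit 0; leaking memory." and saturates the counter. */
static void model_refcount_dec(int *r, bool *warned)
{
	if (*r <= 1) {
		*r = REFCOUNT_SATURATED;
		*warned = true;
		return;
	}
	(*r)--;
}

static void model_netdev_hold(struct model_netdev *dev, struct model_tracker **tp)
{
	dev->dev_refcnt++;
	*tp = calloc(1, sizeof(**tp)); /* a tracked reference */
	(*tp)->active = 1;
}

static void model_netdev_put(struct model_netdev *dev, struct model_tracker **tp)
{
	if (*tp) {
		free(*tp);
		*tp = NULL;
	} else {
		/* ref_tracker_free() with a NULL tracker: refcount_dec(&dir->untracked) */
		model_refcount_dec(&dev->untracked, &dev->warned);
	}
	dev->dev_refcnt--;
}

/* Accept path that references the device without holding it (unbalanced). */
static struct model_cb *cb_create_without_hold(struct model_ax25_dev *ad)
{
	struct model_cb *cb = calloc(1, sizeof(*cb));
	cb->ax25_dev = ad;
	return cb;
}

/* Balanced variant: the control block takes its own tracked hold. */
static struct model_cb *cb_create_with_hold(struct model_ax25_dev *ad)
{
	struct model_cb *cb = cb_create_without_hold(ad);
	ad->ax_refcnt++;
	model_netdev_hold(ad->dev, &cb->dev_tracker);
	return cb;
}

/* Release path, mirroring the netdev_put()/ax25_dev_put() pair quoted above. */
static void cb_release(struct model_cb *cb)
{
	model_netdev_put(cb->ax25_dev->dev, &cb->dev_tracker);
	cb->ax25_dev->ax_refcnt--;
	free(cb);
}

/* Run one accept+release cycle against the constructed ax1 state and report
 * the resulting counters. Returns the final "untracked" value. */
static int scenario(bool take_hold, int *ax_out, int *dev_out, bool *warned_out)
{
	struct model_netdev dev = { .dev_refcnt = 9, .untracked = 1, .warned = false };
	struct model_ax25_dev ax1 = { .ax_refcnt = 2, .dev = &dev };
	struct model_cb *cb = take_hold ? cb_create_with_hold(&ax1)
					: cb_create_without_hold(&ax1);

	cb_release(cb);
	if (ax_out) *ax_out = ax1.ax_refcnt;
	if (dev_out) *dev_out = dev.dev_refcnt;
	if (warned_out) *warned_out = dev.warned;
	return dev.untracked;
}

int main(void)
{
	int ax, d; bool w;
	int u = scenario(false, &ax, &d, &w);
	printf("no hold:   ax_refcnt:%d dev_refcnt:%d dev_untracked:%d warned:%d\n", ax, d, u, w);
	u = scenario(true, &ax, &d, &w);
	printf("with hold: ax_refcnt:%d dev_refcnt:%d dev_untracked:%d warned:%d\n", ax, d, u, w);
	return 0;
}
```

The first line printed matches the post-release gdb line for ax1 in the report (ax_refcnt 1, dev_refcnt 8, dev_untracked -1073741824); the second shows the counters returning to their starting values when hold and put are paired. The invariant this makes visible is the one a reviewer checks on every release path: each netdev_put() with a tracker must correspond to a netdev_hold() that filled in that same tracker, and each ax25_dev_put() to an ax25_dev_hold() on the same object.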
Thread overview: 19+ messages
2024-05-01 6:02 [PATCH net] ax25: Fix refcount leak issues of ax25_dev Duoming Zhou
2024-05-01 17:33 ` Markus Elfring
2024-05-01 17:43 ` Dan Carpenter
2024-05-02 4:35 ` duoming
2024-05-02 7:56 ` Dan Carpenter
2024-05-02 9:30 ` Paolo Abeni
2024-05-02 1:29 ` Lars Kellogg-Stedman
2024-05-03 20:36 ` Dan Carpenter
2024-05-03 23:40 ` Lars Kellogg-Stedman
2024-05-04 12:16 ` Dan Carpenter
2024-05-04 22:16 ` Lars Kellogg-Stedman
2024-05-07 3:18 ` Lars Kellogg-Stedman
2024-05-07 8:08 ` Dan Carpenter
2024-05-07 9:04 ` duoming
2024-05-09 1:40 ` duoming
2024-05-23 12:30 ` Lars Kellogg-Stedman
2024-05-07 6:38 ` Dan Carpenter
2024-05-15 9:52 ` duoming [this message]
2024-05-04 11:04 ` Dan Carpenter