Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp1358754lqm;
        Thu, 2 May 2024 12:11:52 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVXqOiroYBWMzxqmjnxnD5PV+qbqdmtv875mOBmfZyFFQmZ7tGsP+noF0GaHKH0rDhUUxqJiYQWm1t7AmKXQ8WxWDq+X7qjXyYres0YLw==
X-Google-Smtp-Source: AGHT+IEha4CNmOe+1Xc2+RKVS7f2Bb8vUkwcLA9/54xatD5AvUdPlGXmH1u6sHUL35cKiOLvttsG
X-Received: by 2002:ad4:5bc7:0:b0:6a0:b91e:3994 with SMTP id t7-20020ad45bc7000000b006a0b91e3994mr537108qvt.25.1714677111876;
        Thu, 02 May 2024 12:11:51 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714677111; cv=pass;
        d=google.com; s=arc-20160816;
        b=RPx7jBQBBb6PwdCM9xaedXbHGdMtMGvrNwy1pq91ibfHlbjpAZd/I+6qpOgm80L+Fq
         cs00QH9Bf8RuwALBiS3DMe2lOn1NuK86oi5ZS8hKeUJswiQ7rdH0V/y6sOQG/QEqoxCG
         5biyAy7zK/8hsUtXtpN5y/+h3VycUsXnutEAjevBkK7JTfO2y1OMWqLMQle6pTnT3ZBs
         S88L1iY5kTzZPjeqtdE9TRe/dZHCwr9Ufh9unnDSfQbJM3CNe2a99s5leb2/LHmCsARV
         YfbcHGoSiT1QsPuyIFgjPGstflGiUA9sGQUtJApcAzLUjo4C905gNzRhwnfiTmPD7XQa
         f5kA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=5UdxPLsG0wqKtX/P4H2HAJJ1dNwYNmVMjkw5l4jZ0ro=;
        fh=BkV2KAh5atcGusCi7aQRxHHrWog7CKVJgTwJhnLhiEk=;
        b=Ng38SQmHhF2gsV1ROm3mBUx5CEq/oukZP5n+ddr3AnTnziCBVawxHwao2/68BWeiZq
         S9gpHbYUD1ZtLzwdlTsebnJNCLOXYgPv/uWaS2gzYoopTs7tA85luQCoQWgIU2vob9ot
         gd71ngz+KZZPJUx98LipjlxW7+nmTd8/FyeM2HsNro6MN16J5D3ljkjLULyr8hrnlfOl
         +dNFAODawgLfpWW/7t76jsC5dfw8KdJlQAqU5wi2F1TJbjNTH71OmflNNptvGCevNKkx
         GtkiVMjj5DdzV/l8TtOhmtRuZ3wFvrePi8V0OK1VuaBO4pHqUyCkV7h/5cR9GUeyFuQq
         lCNA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@oddbit.com header.s=20180920-g2b7aziw header.b=nNIoF+Hp;
       arc=pass (i=1 spf=pass spfdomain=oddbit.com dkim=pass dkdomain=oddbit.com);
       spf=pass (google.com: domain of linux-kernel+bounces-166856-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-166856-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-166856-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id fn3-20020ad45d63000000b006a0cd6a78b9si1682818qvb.15.2024.05.02.12.11.51
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 02 May 2024 12:11:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-166856-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@oddbit.com header.s=20180920-g2b7aziw header.b=nNIoF+Hp;
       arc=pass (i=1 spf=pass spfdomain=oddbit.com dkim=pass dkdomain=oddbit.com);
       spf=pass (google.com: domain of linux-kernel+bounces-166856-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-166856-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 153371C21049
	for <linux.lists.archive@gmail.com>; Thu,  2 May 2024 19:11:51 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 1F72D176FDF;
	Thu,  2 May 2024 19:11:49 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=oddbit.com header.i=@oddbit.com header.b="nNIoF+Hp"
Received: from smtp88.ord1d.emailsrvr.com (smtp88.ord1d.emailsrvr.com [184.106.54.88])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B3E6959B56
	for <linux-kernel@vger.kernel.org>; Thu,  2 May 2024 19:11:46 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=184.106.54.88
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714677108; cv=none; b=Lf3Ipd9c7H3nzYuy5wUrT8PhFcDAT/mx6DMUJ9t+1LIJzIxtXgS8kdTxDkdkv36rG683BMaKiUyXHuvLRqSk8s1ivQWlRJeJy/V8C3Y/1u8QpRnPJtqHm0wQpx4/blmw2RMwUNc+71zkrc4HBXW2sJKSvVOnK9vj/5R95kh3wLw=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714677108; c=relaxed/simple;
	bh=10QgoifWZIHsQYM4viNQAebY5RXKGshG/GWxuIdO2XE=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=BQXuyELEdCTOLOJ1MOFgpmmqtjXhvanEucUd7rWWAP2OLxTYAJ45GR09fQ/SuvZjFvjTKe2jIS2VKkmt2dECqmxZc8QyzD8pdi51FHmOOowrBsz7MGo2HLvUvzEweTYh5EFE9MKl//t5De3g0YsxAHEu6fcZNWoF/64+C9sv6ak=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=oddbit.com; spf=pass smtp.mailfrom=oddbit.com; dkim=pass (1024-bit key) header.d=oddbit.com header.i=@oddbit.com header.b=nNIoF+Hp; arc=none smtp.client-ip=184.106.54.88
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=oddbit.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oddbit.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=oddbit.com;
	s=20180920-g2b7aziw; t=1714676144;
	bh=10QgoifWZIHsQYM4viNQAebY5RXKGshG/GWxuIdO2XE=;
	h=Date:From:To:Subject:From;
	b=nNIoF+HpJuRzKWliHOsw5wu6Gr3MXa5Rpj3/WR6MgGkBJ4z711YkWhyGirF8Oo48M
	 E+7h678BXuClR2SEgnSh3fNeSjD8ej2qZjY3VGLQaFV25TaDRcvZO1OFH1VF+e2ilk
	 5EPFMVC1wd5658USB6b7Rf96TsCGN91btGmOJu/A=
X-Auth-ID: lars@oddbit.com
Received: by smtp20.relay.ord1d.emailsrvr.com (Authenticated sender: lars-AT-oddbit.com) with ESMTPSA id 7B978C026F;
	Thu,  2 May 2024 14:55:43 -0400 (EDT)
Date: Thu, 2 May 2024 14:55:43 -0400
From: Lars Kellogg-Stedman <lars@oddbit.com>
To: Duoming Zhou <duoming@zju.edu.cn>
Cc: linux-hams@vger.kernel.org, netdev@vger.kernel.org, 
	linux-kernel@vger.kernel.org, jreuter@yaina.de, davem@davemloft.net, edumazet@google.com, 
	kuba@kernel.org, pabeni@redhat.com, dan.carpenter@linaro.org
Subject: Re: [PATCH net 2/2] ax25: fix potential reference counting leak in
 ax25_addr_ax25dev
Message-ID: <vvk5silsu6nvu3dpdeffk2vjocijebkevqvub7erd4sorvnllt@7yyjmrczbatf>
References: <cover.1714660565.git.duoming@zju.edu.cn>
 <cb44ea91c0b7084079c3086d6d75e7984505cec7.1714660565.git.duoming@zju.edu.cn>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <cb44ea91c0b7084079c3086d6d75e7984505cec7.1714660565.git.duoming@zju.edu.cn>
X-Classification-ID: 17c51de0-41ab-40c1-8817-f4243cb35e3a-1-1

On Thu, May 02, 2024 at 10:43:38PM +0800, Duoming Zhou wrote:
> The reference counting of ax25_dev potentially increase more
> than once in ax25_addr_ax25dev(), which will cause memory leak.

With this patch applied, I see a kernel panic as soon as something binds
an ax.25 socket (e.g., starting ax25d):

BUG: kernel NULL pointer dereference, address: 0000000000000098
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP PTI
CPU: 0 PID: 111 Comm: ax25d Not tainted 6.9.0-rc6-ax25+ #69
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:ax25_addr_ax25dev+0x5b/0xb0
Code: 8b 43 08 4c 89 ef 48 8b b0 d0 03 00 00 e8 6d fb ff ff 85 c0 4c 0f 44 e3 48 8b 1b 48 85 db 75 df 4d 85 e4 74 19 b8 01 00 00 00 <f0> 0f c1 04 25 98 00 00 00 85 c0 74 21 8d 50 01 09 c2 78 2b 48 c7
RSP: 0018:ffffc90000463e00 EFLAGS: 00010282
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff888101a5f728 RDI: ffffc90000463e6a
RBP: ffffc90000463e18 R08: ffffc90000463e68 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101523e40
R13: ffffc90000463e6a R14: ffff88810111f200 R15: ffff8881004e4e00
FS:  00007fb6a6d93b08(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000098 CR3: 0000000101bb4000 CR4: 00000000000006b0
Call Trace:
 <TASK>
 ? show_regs.part.0+0x22/0x30
 ? __die+0x5b/0x99
 ? page_fault_oops+0xae/0x220
 ? search_extable+0x2e/0x40
 ? ax25_addr_ax25dev+0x5b/0xb0
 ? kernelmode_fixup_or_oops+0x9f/0x120
 ? __bad_area_nosemaphore+0x15f/0x1a0
 ? bad_area_nosemaphore+0x16/0x20
 ? exc_page_fault+0x2a8/0x6e0
 ? asm_exc_page_fault+0x2b/0x30
 ? ax25_addr_ax25dev+0x5b/0xb0
 ax25_bind+0x14c/0x260
 __sys_bind+0xc0/0xf0
 ? alloc_file_pseudo+0xae/0xe0
 __x64_sys_bind+0x1c/0x30
 x64_sys_call+0xfe3/0x1d00
 do_syscall_64+0x55/0x120
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fb6a6d2cfa4
Code: 00 00 00 ba 01 00 00 00 0f 05 80 e7 08 74 c3 eb b0 48 83 ec 08 89 d2 48 63 ff 45 31 d2 45 31 c0 45 31 c9 b8 31 00 00 00 0f 05 <48> 89 c7 e8 da 3f fe ff 48 83 c4 08 c3 48 83 ec 10 48 89 f0 89 d1
RSP: 002b:00007ffc1a5c7670 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007ffc1a5c7799 RCX: 00007fb6a6d2cfa4
RDX: 0000000000000048 RSI: 00007ffc1a5c7750 RDI: 0000000000000005
RBP: 00007fb6a6d94a80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb6a6cebca0
R13: 0000000000000048 R14: 0000561ff9f9e776 R15: 00007ffc1a5c8b00
 </TASK>
CR2: 0000000000000098
---[ end trace 0000000000000000 ]---
RIP: 0010:ax25_addr_ax25dev+0x5b/0xb0
Code: 8b 43 08 4c 89 ef 48 8b b0 d0 03 00 00 e8 6d fb ff ff 85 c0 4c 0f 44 e3 48 8b 1b 48 85 db 75 df 4d 85 e4 74 19 b8 01 00 00 00 <f0> 0f c1 04 25 98 00 00 00 85 c0 74 21 8d 50 01 09 c2 78 2b 48 c7
RSP: 0018:ffffc90000463e00 EFLAGS: 00010282
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff888101a5f728 RDI: ffffc90000463e6a
RBP: ffffc90000463e18 R08: ffffc90000463e68 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101523e40
R13: ffffc90000463e6a R14: ffff88810111f200 R15: ffff8881004e4e00
FS:  00007fb6a6d93b08(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000098 CR3: 0000000101bb4000 CR4: 00000000000006b0
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

My kernel tree looks like this:

d32d77d2b4a (HEAD -> ham-patches) ax25: fix potential reference counting leak in ax25_addr_ax25dev
742ab0da09d ax25: change kfree in ax25_dev_free to ax25_dev_free
e6357cafe3e ax25: fix reference counting issue of ax25_dev
0106679839f (origin/master, origin/HEAD, master) Merge tag 'regulator-fix-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonieer

I don't see the kernel panic if I discard the top patch.

-- 
Lars Kellogg-Stedman <lars@oddbit.com> | larsks @ {irc,twitter,github}
http://blog.oddbit.com/                | N1LKS