Re: [PATCH net] ax25: Fix refcount leak issues of ax25_dev

From: Dan Carpenter
Date: Sat May 04 2024 - 08:17:10 EST


On Fri, May 03, 2024 at 07:40:32PM -0400, Lars Kellogg-Stedman wrote:
> On Fri, May 03, 2024 at 11:36:37PM +0300, Dan Carpenter wrote:
> > Could you test this diff?
>
> With that diff applied, there is no kernel panic, but I see the same
> refcount errors that I saw before the latest series of patches from
> Duoming:

Wait, which panic is this? The NULL dereference introduced by the
"ax25_dev" vs "res" typo?

>
> refcount_t: decrement hit 0; leaking memory.
> refcount_t: underflow; use-after-free.

Hm... Is there a missing netdev_hold() in ax25_bind() on the
"User already set interface with SO_BINDTODEVICE" path? That would
fit with the commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by
ax25_cb_del()") which introduced the bug.

I'm not really sure I understand how netdev_hold() works.

(My patch here is correct, but apparently that's not the bug).

regards,
dan carpenter