Last active
April 17, 2024 13:39
-
-
Save larsks/0aef6f5a5a253b58459a7a9bb1f4ca16 to your computer and use it in GitHub Desktop.
Linux AX.25 Bugs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Apr 17 09:38:03 radio1.local kernel: ------------[ cut here ]------------ | |
| Apr 17 09:38:03 radio1.local kernel: WARNING: CPU: 0 PID: 3750 at lib/refcount.c:28 ax25_release+0x358/0x36c [ax25] | |
| Apr 17 09:38:03 radio1.local kernel: refcount_t: underflow; use-after-free. | |
| Apr 17 09:38:03 radio1.local kernel: Modules linked in: tun tcp_diag inet_diag mkiss overlay cmac algif_hash aes_arm_bs crypto_simd cryptd algif_skcipher af_alg bnep vc4 snd_soc_hdmi_codec drm_display_helper cec drm_dma_helper drm_kms_helper brcmfmac_wcc snd_soc_core hci_uart btbcm bluetooth brcmfmac cp210x snd_compress usbserial raspberrypi_hwmon snd_pcm_dmaengine snd_usb_audio bcm2835_codec(C) v4l2_mem2mem brcmutil snd_hwdep snd_usbmidi_lib bcm2835_v4l2(C) bcm2835_isp(C) cfg80211 bcm2835_mmal_vchiq(C) videobuf2_dma_contig videobuf2_vmalloc videobuf2_memops snd_rawmidi snd_bcm2835(C) videobuf2_v4l2 binfmt_misc snd_seq_device videodev snd_pcm snd_timer snd videobuf2_common ecdh_generic ecc rfkill mc vc_sm_cma(C) raspberrypi_gpiomem uio_pdrv_genirq uio netrom ax25 drm fuse drm_panel_orientation_quirks backlight dm_mod ip_tables x_tables ipv6 i2c_bcm2835 fixed | |
| Apr 17 09:38:03 radio1.local kernel: CPU: 0 PID: 3750 Comm: axwrapper Tainted: G C 6.6.20+rpt-rpi-v7 #1 Raspbian 1:6.6.20-1+rpt1 | |
| Apr 17 09:38:03 radio1.local kernel: Hardware name: BCM2835 | |
| Apr 17 09:38:03 radio1.local kernel: unwind_backtrace from show_stack+0x18/0x1c | |
| Apr 17 09:38:03 radio1.local kernel: show_stack from dump_stack_lvl+0x50/0x68 | |
| Apr 17 09:38:03 radio1.local kernel: dump_stack_lvl from __warn+0x80/0x11c | |
| Apr 17 09:38:03 radio1.local kernel: __warn from warn_slowpath_fmt+0x12c/0x198 | |
| Apr 17 09:38:03 radio1.local kernel: warn_slowpath_fmt from ax25_release+0x358/0x36c [ax25] | |
| Apr 17 09:38:03 radio1.local kernel: ax25_release [ax25] from __sock_release+0x44/0xbc | |
| Apr 17 09:38:03 radio1.local kernel: __sock_release from sock_close+0x18/0x20 | |
| Apr 17 09:38:03 radio1.local kernel: sock_close from __fput+0xd0/0x280 | |
| Apr 17 09:38:03 radio1.local kernel: __fput from task_work_run+0x94/0xc4 | |
| Apr 17 09:38:03 radio1.local kernel: task_work_run from do_exit+0x340/0x988 | |
| Apr 17 09:38:03 radio1.local kernel: do_exit from do_group_exit+0x40/0x8c | |
| Apr 17 09:38:03 radio1.local kernel: do_group_exit from __wake_up_parent+0x0/0x20 | |
| Apr 17 09:38:03 radio1.local kernel: ---[ end trace 0000000000000000 ]--- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ 44.821130] ------------[ cut here ]------------ | |
| [ 44.821529] refcount_t: decrement hit 0; leaking memory. | |
| [ 44.821870] WARNING: CPU: 1 PID: 1056 at lib/refcount.c:31 refcount_warn_saturate+0xff/0x110 | |
| [ 44.822383] Modules linked in: rfkill mkiss binfmt_misc vfat intel_rapl_msr fat intel_rapl_common intel_uncore_frequency_common kvm_intel snd_hda_codec_generic kvm snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core rapl snd_hwdep iTCO_wdt iTCO_vendor_support snd_seq snd_seq_device i2c_i801 snd_pcm i2c_smbus virtio_gpu snd_timer pcspkr snd virtio_net pktcdvd net_failover soundcore lpc_ich virtio_dma_buf virtio_balloon failover drm_shmem_helper joydev netrom ax25 loop zram zsmalloc crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel sha512_ssse3 sha256_ssse3 sha1_ssse3 virtio_console virtio_blk serio_raw ip6_tables ip_tables fuse qemu_fw_cfg | |
| [ 44.826448] CPU: 1 PID: 1056 Comm: trigger Not tainted 6.9.0-rc4-ax25-radio+ #10 | |
| [ 44.826900] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 | |
| [ 44.827377] RIP: 0010:refcount_warn_saturate+0xff/0x110 | |
| [ 44.827671] Code: 00 14 83 82 c6 05 02 08 4e 01 01 e8 cb bd 91 ff 0f 0b c3 cc cc cc cc 48 c7 c7 58 14 83 82 c6 05 e6 07 4e 01 01 e8 b1 bd 91 ff <0f> 0b c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 | |
| [ 44.828646] RSP: 0018:ffffc90001e73d28 EFLAGS: 00010282 | |
| [ 44.828976] RAX: 0000000000000000 RBX: ffff88813c6b4570 RCX: 0000000000000000 | |
| [ 44.829379] RDX: ffff88817bd2f1c0 RSI: ffff88817bd21880 RDI: ffff88817bd21880 | |
| [ 44.829847] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000003 | |
| [ 44.830216] R10: ffffc90001e73bc8 R11: ffffffff82b3e548 R12: ffff88813d51ed80 | |
| [ 44.830586] R13: ffff8881118f4600 R14: ffff88813f399880 R15: ffff88813c6b4000 | |
| [ 44.831020] FS: 0000000000000000(0000) GS:ffff88817bd00000(0000) knlGS:0000000000000000 | |
| [ 44.831435] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
| [ 44.831788] CR2: 00007f1006c5c680 CR3: 0000000002a22005 CR4: 0000000000770ef0 | |
| [ 44.832259] PKRU: 55555554 | |
| [ 44.832410] Call Trace: | |
| [ 44.832546] <TASK> | |
| [ 44.832673] ? __warn+0x80/0x120 | |
| [ 44.832882] ? refcount_warn_saturate+0xff/0x110 | |
| [ 44.833125] ? report_bug+0x164/0x190 | |
| [ 44.833323] ? handle_bug+0x3c/0x80 | |
| [ 44.833517] ? exc_invalid_op+0x17/0x70 | |
| [ 44.833745] ? asm_exc_invalid_op+0x1a/0x20 | |
| [ 44.833988] ? refcount_warn_saturate+0xff/0x110 | |
| [ 44.834237] ? refcount_warn_saturate+0xff/0x110 | |
| [ 44.834484] ref_tracker_free+0x206/0x210 | |
| [ 44.834716] ? _raw_spin_unlock+0xe/0x30 | |
| [ 44.834947] ? __dev_queue_xmit+0x26a/0xda0 | |
| [ 44.835168] ? __alloc_skb+0xd9/0x1a0 | |
| [ 44.835364] ax25_release+0xff/0x360 [ax25] | |
| [ 44.835595] __sock_release+0x3a/0xc0 | |
| [ 44.835805] sock_close+0x15/0x20 | |
| [ 44.835994] __fput+0x97/0x2c0 | |
| [ 44.836160] task_work_run+0x59/0x90 | |
| [ 44.836353] do_exit+0x311/0xac0 | |
| [ 44.836529] ? handle_mm_fault+0xad/0x2d0 | |
| [ 44.836753] do_group_exit+0x30/0x80 | |
| [ 44.837143] __x64_sys_exit_group+0x18/0x20 | |
| [ 44.837545] do_syscall_64+0x64/0x170 | |
| [ 44.837918] entry_SYSCALL_64_after_hwframe+0x76/0x7e | |
| [ 44.838341] RIP: 0033:0x7f1006b6191d | |
| [ 44.838720] Code: Unable to access opcode bytes at 0x7f1006b618f3. | |
| [ 44.839247] RSP: 002b:00007fff662fa038 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 | |
| [ 44.839852] RAX: ffffffffffffffda RBX: 00007f1006c5dfa8 RCX: 00007f1006b6191d | |
| [ 44.840404] RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000 | |
| [ 44.840932] RBP: 00007fff662fa090 R08: 00007fff662f9fd8 R09: 00007fff662f9f5f | |
| [ 44.841453] R10: 00007fff662f9ed0 R11: 0000000000000202 R12: 0000000000000001 | |
| [ 44.841978] R13: 0000000000000000 R14: 0000000000000000 R15: 00007f1006c5dfc0 | |
| [ 44.842495] </TASK> | |
| [ 44.842765] ---[ end trace 0000000000000000 ]--- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ 102.402998] ------------[ cut here ]------------ | |
| [ 102.403340] refcount_t: underflow; use-after-free. | |
| [ 102.403708] WARNING: CPU: 0 PID: 857 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 | |
| [ 102.403716] Modules linked in: rfkill mkiss binfmt_misc vfat intel_rapl_msr fat intel_rapl_common intel_uncore_frequency_common kvm_intel snd_hda_codec_generic kvm snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core rapl snd_hwdep iTCO_wdt iTCO_vendor_support snd_seq snd_seq_device i2c_i801 snd_pcm i2c_smbus virtio_gpu snd_timer pcspkr snd virtio_net pktcdvd net_failover soundcore lpc_ich virtio_dma_buf virtio_balloon failover drm_shmem_helper joydev netrom ax25 loop zram zsmalloc crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel sha512_ssse3 sha256_ssse3 sha1_ssse3 virtio_console virtio_blk serio_raw ip6_tables ip_tables fuse qemu_fw_cfg | |
| [ 102.403739] CPU: 0 PID: 857 Comm: ax25ipd Tainted: G W 6.9.0-rc4-ax25-radio+ #10 | |
| [ 102.403740] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 | |
| [ 102.403741] RIP: 0010:refcount_warn_saturate+0xbe/0x110 | |
| [ 102.403743] Code: 01 01 e8 15 be 91 ff 0f 0b c3 cc cc cc cc 80 3d 38 08 4e 01 00 75 85 48 c7 c7 30 14 83 82 c6 05 28 08 4e 01 01 e8 f2 bd 91 ff <0f> 0b c3 cc cc cc cc 80 3d 16 08 4e 01 00 0f 85 5e ff ff ff 48 c7 | |
| [ 102.403744] RSP: 0018:ffffc90000813bf8 EFLAGS: 00010286 | |
| [ 102.403745] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 | |
| [ 102.403746] RDX: ffff88817bc2f1c0 RSI: ffff88817bc21880 RDI: ffff88817bc21880 | |
| [ 102.403747] RBP: ffff88813c6b4000 R08: 0000000000000000 R09: 0000000000000003 | |
| [ 102.403747] R10: ffffc90000813a98 R11: ffffffff82b3e548 R12: ffff88813d51ed80 | |
| [ 102.403748] R13: ffffc90000813c70 R14: 00000000ffffffe6 R15: 0000000000000000 | |
| [ 102.403749] FS: 0000000000000000(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000 | |
| [ 102.403749] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
| [ 102.403750] CR2: 00007f2a973f0080 CR3: 0000000002a22001 CR4: 0000000000770ef0 | |
| [ 102.403752] PKRU: 55555554 | |
| [ 102.403753] Call Trace: | |
| [ 102.403754] <TASK> | |
| [ 102.403755] ? __warn+0x80/0x120 | |
| [ 102.403758] ? refcount_warn_saturate+0xbe/0x110 | |
| [ 102.403760] ? report_bug+0x164/0x190 | |
| [ 102.403764] ? handle_bug+0x3c/0x80 | |
| [ 102.403766] ? exc_invalid_op+0x17/0x70 | |
| [ 102.403768] ? asm_exc_invalid_op+0x1a/0x20 | |
| [ 102.403772] ? refcount_warn_saturate+0xbe/0x110 | |
| [ 102.403774] ? refcount_warn_saturate+0xbe/0x110 | |
| [ 102.403775] ax25_device_event+0x1c6/0x260 [ax25] | |
| [ 102.403781] notifier_call_chain+0x5a/0xd0 | |
| [ 102.403783] dev_close_many+0x11e/0x180 | |
| [ 102.403786] unregister_netdevice_many_notify+0x1a8/0x880 | |
| [ 102.403788] unregister_netdevice_queue+0xf7/0x140 | |
| [ 102.403790] unregister_netdev+0x1c/0x30 | |
| [ 102.403791] mkiss_close+0x76/0xb0 [mkiss] | |
| [ 102.403793] tty_ldisc_hangup+0xfd/0x230 | |
| [ 102.403796] __tty_hangup.part.0+0x1f3/0x370 | |
| [ 102.403797] tty_release+0xee/0x600 | |
| [ 102.403798] __fput+0x97/0x2c0 | |
| [ 102.403801] task_work_run+0x59/0x90 | |
| [ 102.403803] do_exit+0x311/0xac0 | |
| [ 102.403805] do_group_exit+0x30/0x80 | |
| [ 102.403806] __x64_sys_exit_group+0x18/0x20 | |
| [ 102.403807] do_syscall_64+0x64/0x170 | |
| [ 102.403809] entry_SYSCALL_64_after_hwframe+0x76/0x7e | |
| [ 102.403811] RIP: 0033:0x7f5d6cdf191d | |
| [ 102.403814] Code: Unable to access opcode bytes at 0x7f5d6cdf18f3. | |
| [ 102.403815] RSP: 002b:00007ffe38ac7ce8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 | |
| [ 102.403816] RAX: ffffffffffffffda RBX: 00007f5d6ceedfa8 RCX: 00007f5d6cdf191d | |
| [ 102.403817] RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000002 | |
| [ 102.403817] RBP: 00007ffe38ac7d40 R08: 00007ffe38ac7c88 R09: 00007ffe38ac7c0f | |
| [ 102.403818] R10: 00007ffe38ac7b80 R11: 0000000000000206 R12: 0000000000000001 | |
| [ 102.403819] R13: 0000000000000000 R14: 0000000000000002 R15: 00007f5d6ceedfc0 | |
| [ 102.403820] </TASK> | |
| [ 102.403820] ---[ end trace 0000000000000000 ]--- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment