• Bernard Pidoux's avatar
    net/rose: fix NULL ax25_cb kernel panic · 8034f361
    Bernard Pidoux authored
    [ Upstream commit b0cf029234f9b18e10703ba5147f0389c382bccc ]
    
    When an internally generated frame is handled by rose_xmit(),
    rose_route_frame() is called:
    
            if (!rose_route_frame(skb, NULL)) {
                    dev_kfree_skb(skb);
                    stats->tx_errors++;
                    return NETDEV_TX_OK;
            }
    
    We have the same code sequence in Net/Rom where an internally generated
    frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
    However, in this function NULL argument is tested while it is not in
    rose_route_frame().
    Then kernel panic occurs later on when calling ax25cmp() with a NULL
    ax25_cb argument as reported many times and recently with syzbot.
    
    We need to test if ax25 is NULL before using it.
    
    Testing:
    Built kernel with CONFIG_ROSE=y.
    Signed-off-by: default avatarBernard Pidoux <f6bvp@free.fr>
    Acked-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Bernard Pidoux <f6bvp@free.fr>
    Cc: linux-hams@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    8034f361
Name
Last commit
Last update
Documentation Loading commit data...
arch Loading commit data...
block Loading commit data...
certs Loading commit data...
crypto Loading commit data...
drivers Loading commit data...
firmware Loading commit data...
fs Loading commit data...
include Loading commit data...
init Loading commit data...
ipc Loading commit data...
kernel Loading commit data...
lib Loading commit data...
mm Loading commit data...
net Loading commit data...
samples Loading commit data...
scripts Loading commit data...
security Loading commit data...
sound Loading commit data...
tools Loading commit data...
usr Loading commit data...
virt Loading commit data...
.get_maintainer.ignore Loading commit data...
.gitignore Loading commit data...
.mailmap Loading commit data...
COPYING Loading commit data...
CREDITS Loading commit data...
Kbuild Loading commit data...
Kconfig Loading commit data...
MAINTAINERS Loading commit data...
Makefile Loading commit data...
README Loading commit data...
REPORTING-BUGS Loading commit data...