* [PATCH] netrom: fix double-free in nr_route_frame()
@ 2026-01-19 6:33 Jeongjun Park
2026-01-21 3:30 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Jeongjun Park @ 2026-01-19 6:33 UTC (permalink / raw)
To: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, linux-hams, netdev, linux-kernel, stable,
syzbot+999115c3bf275797dc27, Jeongjun Park
In nr_route_frame(), old_skb is immediately freed without checking if
nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
the caller function will free old_skb again, causing a double-free bug.
Therefore, to prevent this, we need to modify it to check whether
nr_neigh->ax25 is NULL before freeing old_skb.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
net/netrom/nr_route.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
index b94cb2ffbaf8..9cc29ae85b06 100644
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -752,7 +752,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
unsigned char *dptr;
ax25_cb *ax25s;
int ret;
- struct sk_buff *skbn;
+ struct sk_buff *nskb, *oskb;
/*
* Reject malformed packets early. Check that it contains at least 2
@@ -811,14 +811,16 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
/* We are going to change the netrom headers so we should get our
own skb, we also did not know until now how much header space
we had to reserve... - RXQ */
- if ((skbn=skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC)) == NULL) {
+ nskb = skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC);
+
+ if (!nskb) {
nr_node_unlock(nr_node);
nr_node_put(nr_node);
dev_put(dev);
return 0;
}
- kfree_skb(skb);
- skb=skbn;
+ oskb = skb;
+ skb = nskb;
skb->data[14]--;
dptr = skb_push(skb, 1);
@@ -837,6 +839,9 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
nr_node_unlock(nr_node);
nr_node_put(nr_node);
+ if (ret)
+ kfree_skb(oskb);
+
return ret;
}
--
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] netrom: fix double-free in nr_route_frame()
2026-01-19 6:33 [PATCH] netrom: fix double-free in nr_route_frame() Jeongjun Park
@ 2026-01-21 3:30 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-01-21 3:30 UTC (permalink / raw)
To: Jeongjun Park
Cc: davem, edumazet, kuba, pabeni, horms, linux-hams, netdev,
linux-kernel, stable, syzbot+999115c3bf275797dc27
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Mon, 19 Jan 2026 15:33:59 +0900 you wrote:
> In nr_route_frame(), old_skb is immediately freed without checking if
> nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
> the caller function will free old_skb again, causing a double-free bug.
>
> Therefore, to prevent this, we need to modify it to check whether
> nr_neigh->ax25 is NULL before freeing old_skb.
>
> [...]
Here is the summary with links:
- netrom: fix double-free in nr_route_frame()
https://git.kernel.org/netdev/net/c/ba1096c31528
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-01-21 3:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-19 6:33 [PATCH] netrom: fix double-free in nr_route_frame() Jeongjun Park
2026-01-21 3:30 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox