From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Bernard Pidoux <f6bvp@free.fr>,
Dmitry Vyukov <dvyukov@google.com>,
syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com,
"David S. Miller" <davem@davemloft.net>,
Ralf Baechle <ralf@linux-mips.org>,
linux-hams@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH 3.18 20/31] net/rose: fix NULL ax25_cb kernel panic
Date: Mon, 4 Feb 2019 11:36:35 +0100 [thread overview]
Message-ID: <20190204103602.093690397@linuxfoundation.org> (raw)
In-Reply-To: <20190204103557.903263774@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernard Pidoux <f6bvp@free.fr>
[ Upstream commit b0cf029234f9b18e10703ba5147f0389c382bccc ]
When an internally generated frame is handled by rose_xmit(),
rose_route_frame() is called:
if (!rose_route_frame(skb, NULL)) {
dev_kfree_skb(skb);
stats->tx_errors++;
return NETDEV_TX_OK;
}
We have the same code sequence in Net/Rom where an internally generated
frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
However, in this function NULL argument is tested while it is not in
rose_route_frame().
Then kernel panic occurs later on when calling ax25cmp() with a NULL
ax25_cb argument as reported many times and recently with syzbot.
We need to test if ax25 is NULL before using it.
Testing:
Built kernel with CONFIG_ROSE=y.
Signed-off-by: Bernard Pidoux <f6bvp@free.fr>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Bernard Pidoux <f6bvp@free.fr>
Cc: linux-hams@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rose/rose_route.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -849,6 +849,7 @@ void rose_link_device_down(struct net_de
/*
* Route a frame to an appropriate AX.25 connection.
+ * A NULL ax25_cb indicates an internally generated frame.
*/
int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
{
@@ -866,6 +867,10 @@ int rose_route_frame(struct sk_buff *skb
if (skb->len < ROSE_MIN_LEN)
return res;
+
+ if (!ax25)
+ return rose_loopback_queue(skb, NULL);
+
frametype = skb->data[2];
lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
if (frametype == ROSE_CALL_REQUEST &&
next prev parent reply other threads:[~2019-02-04 10:38 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-04 10:36 [PATCH 3.18 00/31] 3.18.134-stable review Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 01/31] openvswitch: Avoid OOB read when parsing flow nlattrs Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 02/31] USB: serial: simple: add Motorola Tetra TPG2200 device id Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 03/31] USB: serial: pl2303: add new PID to support PL2303TB Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 04/31] s390/smp: fix CPU hotplug deadlock with CPU rescan Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 05/31] staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 06/31] tty: Handle problem if line discipline does not have receive_buf Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 07/31] tty/n_hdlc: fix __might_sleep warning Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 08/31] CIFS: Fix possible hang during async MTU reads and writes Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 09/31] Input: xpad - add support for SteelSeries Stratus Duo Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 10/31] x86/kaslr: Fix incorrect i8254 outb() parameters Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 11/31] can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 12/31] can: bcm: check timer values before ktime conversion Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 13/31] vt: invoke notifier on screen size change Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 14/31] perf unwind: Unwind with libdw doesnt take symfs into account Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 15/31] perf unwind: Take pgoff into account when reporting elf to libdwfl Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 16/31] f2fs: read page index before freeing Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 17/31] ipv6: Consider sk_bound_dev_if when binding a socket to an address Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 18/31] l2tp: copy 4 more bytes to linear part if necessary Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 19/31] netrom: switch to sock timer API Greg Kroah-Hartman
2019-02-04 10:36 ` Greg Kroah-Hartman [this message]
2019-02-04 10:36 ` [PATCH 3.18 21/31] ucc_geth: Reset BQL queue when stopping device Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 22/31] l2tp: remove l2specific_len dependency in l2tp_core Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 23/31] l2tp: fix reading optional fields of L2TPv3 Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 24/31] CIFS: Do not count -ENODATA as failure for query directory Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 25/31] fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 26/31] arm64: hyp-stub: Forbid kprobing of the hyp-stub Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 27/31] gfs2: Revert "Fix loop in gfs2_rbm_find" Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 28/31] platform/x86: asus-nb-wmi: Map 0x35 to KEY_SCREENLOCK Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 29/31] platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 30/31] mm, oom: fix use-after-free in oom_kill_process Greg Kroah-Hartman
2019-02-04 10:36 ` [PATCH 3.18 31/31] mm: migrate: dont rely on __PageMovable() of newpage after unlocking it Greg Kroah-Hartman
2019-02-04 21:44 ` [PATCH 3.18 00/31] 3.18.134-stable review Guenter Roeck
2019-02-05 8:46 ` Greg Kroah-Hartman
2019-02-05 13:54 ` Guenter Roeck
2019-02-05 14:41 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190204103602.093690397@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=f6bvp@free.fr \
--cc=linux-hams@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=ralf@linux-mips.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).