Bernard Pidoux 8034f3610b net/rose: fix NULL ax25_cb kernel panic ... [ Upstream commit b0cf029234f9b18e10703ba5147f0389c382bccc ] When an internally generated frame is handled by rose_xmit(), rose_route_frame() is called: if (!rose_route_frame(skb, NULL)) { dev_kfree_skb(skb); stats->tx_errors++; return NETDEV_TX_OK; } We have the same code sequence in Net/Rom where an internally generated frame is handled by nr_xmit() calling nr_route_frame(skb, NULL). However, in this function NULL argument is tested while it is not in rose_route_frame(). Then kernel panic occurs later on when calling ax25cmp() with a NULL ax25_cb argument as reported many times and recently with syzbot. We need to test if ax25 is NULL before using it. Testing: Built kernel with CONFIG_ROSE=y. Signed-off-by: Bernard Pidoux <f6bvp@free.fr> Acked-by: Dmitry Vyukov <dvyukov@google.com> Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com Cc: "David S. Miller" <davem@davemloft.net> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Bernard Pidoux <f6bvp@free.fr> Cc: linux-hams@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2019-02-06 19:43:06 +01:00
..
af_rose.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-06-24 02:58:51 -07:00
Makefile
rose_dev.c	net: Kill dev_rebuild_header	2015-03-02 16:43:41 -05:00
rose_in.c
rose_link.c	netfilter: Remove spurios included of netfilter.h	2015-06-18 21:14:32 +02:00
rose_loopback.c
rose_out.c
rose_route.c	net/rose: fix NULL ax25_cb kernel panic	2019-02-06 19:43:06 +01:00
rose_subr.c
rose_timer.c
sysctl_net_rose.c	net: Convert uses of typedef ctl_table to struct ctl_table	2013-06-13 02:36:09 -07:00