net/rose: fix NULL ax25_cb kernel panic - linux-dev - Linux kernel development work

diff options

author	Bernard Pidoux <f6bvp@free.fr>	2019-01-25 11:46:40 +0100
committer	David S. Miller <davem@davemloft.net>	2019-01-27 10:40:01 -0800
commit	b0cf029234f9b18e10703ba5147f0389c382bccc (patch)
tree	ce465f39a10f701dcc03cca11e152d7e1b6bd80a /tools/perf/scripts/python/export-to-postgresql.py
parent	net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case (diff)
download	linux-dev-b0cf029234f9b18e10703ba5147f0389c382bccc.tar.xz linux-dev-b0cf029234f9b18e10703ba5147f0389c382bccc.zip

net/rose: fix NULL ax25_cb kernel panic

When an internally generated frame is handled by rose_xmit(), rose_route_frame() is called: if (!rose_route_frame(skb, NULL)) { dev_kfree_skb(skb); stats->tx_errors++; return NETDEV_TX_OK; } We have the same code sequence in Net/Rom where an internally generated frame is handled by nr_xmit() calling nr_route_frame(skb, NULL). However, in this function NULL argument is tested while it is not in rose_route_frame(). Then kernel panic occurs later on when calling ax25cmp() with a NULL ax25_cb argument as reported many times and recently with syzbot. We need to test if ax25 is NULL before using it. Testing: Built kernel with CONFIG_ROSE=y. Signed-off-by: Bernard Pidoux <f6bvp@free.fr> Acked-by: Dmitry Vyukov <dvyukov@google.com> Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com Cc: "David S. Miller" <davem@davemloft.net> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Bernard Pidoux <f6bvp@free.fr> Cc: linux-hams@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'tools/perf/scripts/python/export-to-postgresql.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: