* [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic
[not found] <57ADC4F4.6080707@free.fr>
@ 2019-01-19 10:58 ` f6bvp
2019-01-19 11:39 ` Dmitry Vyukov
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: f6bvp @ 2019-01-19 10:58 UTC (permalink / raw)
To: linux-hams
Cc: Ralf Baechle, Dmitry Vyukov, David Miller, Linux Netdev List,
F6BVP, brian
[PATCH] [ROSE] NULL ax25_cb kernel panic
When an internally generated frame is handled by rose_xmit(),
rose_route_frame() is called:
if (!rose_route_frame(skb, NULL)) {
dev_kfree_skb(skb);
stats->tx_errors++;
return NETDEV_TX_OK;
}
We have the same code sequence in Net/Rom where an internally generated
frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
However, in this function NULL argument is tested while it is not in
rose_route_frame().
Then kernel panic occurs later on when calling ax25cmp() with a NULL
ax25_cb argument as reported many times and recently with syzbot.
We need to test if ax25 is NULL before using it.
Here is the patch:
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 77e9f85a2c92..7f075255a372 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -850,6 +850,7 @@ void rose_link_device_down(struct net_device *dev)
/*
* Route a frame to an appropriate AX.25 connection.
+ * a NULL ax25_cb indicates an internally generated frame.
*/
int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
{
@@ -867,6 +868,10 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
*ax25)
if (skb->len < ROSE_MIN_LEN)
return res;
+
+ if (!ax25)
+ return rose_loopback_queue(skb, NULL);
+
frametype = skb->data[2];
lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
if (frametype == ROSE_CALL_REQUEST &&
Signed-off-by: Bernard Pidoux, f6bvp <f6bvp@free.fr>
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic
2019-01-19 10:58 ` [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic f6bvp
@ 2019-01-19 11:39 ` Dmitry Vyukov
2019-01-20 9:58 ` f6bvp
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Dmitry Vyukov @ 2019-01-19 11:39 UTC (permalink / raw)
To: f6bvp; +Cc: linux-hams, Ralf Baechle, David Miller, Linux Netdev List, brian
On Sat, Jan 19, 2019 at 11:58 AM f6bvp <f6bvp@free.fr> wrote:
>
>
> [PATCH] [ROSE] NULL ax25_cb kernel panic
>
> When an internally generated frame is handled by rose_xmit(),
> rose_route_frame() is called:
>
> if (!rose_route_frame(skb, NULL)) {
> dev_kfree_skb(skb);
> stats->tx_errors++;
> return NETDEV_TX_OK;
> }
>
> We have the same code sequence in Net/Rom where an internally generated
> frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
> However, in this function NULL argument is tested while it is not in
> rose_route_frame().
> Then kernel panic occurs later on when calling ax25cmp() with a NULL
> ax25_cb argument as reported many times and recently with syzbot.
>
> We need to test if ax25 is NULL before using it.
>
> Here is the patch:
>
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index 77e9f85a2c92..7f075255a372 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -850,6 +850,7 @@ void rose_link_device_down(struct net_device *dev)
>
> /*
> * Route a frame to an appropriate AX.25 connection.
> + * a NULL ax25_cb indicates an internally generated frame.
> */
> int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
> {
> @@ -867,6 +868,10 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
> *ax25)
>
> if (skb->len < ROSE_MIN_LEN)
> return res;
> +
> + if (!ax25)
> + return rose_loopback_queue(skb, NULL);
> +
> frametype = skb->data[2];
> lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
> if (frametype == ROSE_CALL_REQUEST &&
>
> Signed-off-by: Bernard Pidoux, f6bvp <f6bvp@free.fr>
Please also add:
Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
It's this report we are fixing, right?
https://syzkaller.appspot.com/bug?id=fd0b0b00fc26abb4b35663a0e2f1c91d8e6e5725
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic
2019-01-19 10:58 ` [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic f6bvp
2019-01-19 11:39 ` Dmitry Vyukov
@ 2019-01-20 9:58 ` f6bvp
2019-01-20 10:32 ` Dmitry Vyukov
2019-01-22 22:48 ` David Miller
2019-01-24 17:30 ` Bernard Pidoux
3 siblings, 1 reply; 7+ messages in thread
From: f6bvp @ 2019-01-20 9:58 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: linux-hams, Ralf Baechle, David Miller, Linux Netdev List, n1uro,
C Schuman
Hi,
Dmitry wrote:
>Please also add:
>Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
I did mention syzbot report but without the exact reference, thanks.
>It's this report we are fixing, right?
>https://syzkaller.appspot.com/bug?id=fd0b0b00fc26abb4b35663a0e2f1c91d8e6e5725
Yes exactly !
This is a long date well know bug I reported two years ago.
Bernard
On Sat, Jan 19, 2019 at 11:58 AM f6bvp <f6bvp@free.fr> wrote:
>
>
> [PATCH] [ROSE] NULL ax25_cb kernel panic
>
> When an internally generated frame is handled by rose_xmit(),
> rose_route_frame() is called:
>
> if (!rose_route_frame(skb, NULL)) {
> dev_kfree_skb(skb);
> stats->tx_errors++;
> return NETDEV_TX_OK;
> }
>
> We have the same code sequence in Net/Rom where an internally generated
> frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
> However, in this function NULL argument is tested while it is not in
> rose_route_frame().
> Then kernel panic occurs later on when calling ax25cmp() with a NULL
> ax25_cb argument as reported many times and recently with syzbot.
>
> We need to test if ax25 is NULL before using it.
>
> Here is the patch:
>
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index 77e9f85a2c92..7f075255a372 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -850,6 +850,7 @@ void rose_link_device_down(struct net_device *dev)
>
> /*
> * Route a frame to an appropriate AX.25 connection.
> + * a NULL ax25_cb indicates an internally generated frame.
> */
> int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
> {
> @@ -867,6 +868,10 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
> *ax25)
>
> if (skb->len < ROSE_MIN_LEN)
> return res;
> +
> + if (!ax25)
> + return rose_loopback_queue(skb, NULL);
> +
> frametype = skb->data[2];
> lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) &
0x0FF);
> if (frametype == ROSE_CALL_REQUEST &&
>
> Signed-off-by: Bernard Pidoux, f6bvp <f6bvp@free.fr>
Please also add:
Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
It's this report we are fixing, right?
https://syzkaller.appspot.com/bug?id=fd0b0b00fc26abb4b35663a0e2f1c91d8e6e5725
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic
2019-01-20 9:58 ` f6bvp
@ 2019-01-20 10:32 ` Dmitry Vyukov
2019-01-20 12:29 ` f6bvp
0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2019-01-20 10:32 UTC (permalink / raw)
To: f6bvp
Cc: linux-hams, Ralf Baechle, David Miller, Linux Netdev List, n1uro,
C Schuman
On Sun, Jan 20, 2019 at 10:58 AM f6bvp <f6bvp@free.fr> wrote:
>
> Hi,
>
> Dmitry wrote:
>
> >Please also add:
> >Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
>
> I did mention syzbot report but without the exact reference, thanks.
>
> >It's this report we are fixing, right?
> >https://syzkaller.appspot.com/bug?id=fd0b0b00fc26abb4b35663a0e2f1c91d8e6e5725
>
> Yes exactly !
> This is a long date well know bug I reported two years ago.
Then, well, I don't know, we either can leave syzbot as reporter if
you don't mind. Or don't include it as supports other means to
associate reports with fixes (#syz fix tag in email). The goal of
associating fixes with reports is to "close" bugs and get them off the
dashboard:
https://syzkaller.appspot.com/#upstream-open
Otherwise it turns into unuseful pile of bugs.
> Bernard
>
>
> On Sat, Jan 19, 2019 at 11:58 AM f6bvp <f6bvp@free.fr> wrote:
> >
> >
> > [PATCH] [ROSE] NULL ax25_cb kernel panic
> >
> > When an internally generated frame is handled by rose_xmit(),
> > rose_route_frame() is called:
> >
> > if (!rose_route_frame(skb, NULL)) {
> > dev_kfree_skb(skb);
> > stats->tx_errors++;
> > return NETDEV_TX_OK;
> > }
> >
> > We have the same code sequence in Net/Rom where an internally generated
> > frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
> > However, in this function NULL argument is tested while it is not in
> > rose_route_frame().
> > Then kernel panic occurs later on when calling ax25cmp() with a NULL
> > ax25_cb argument as reported many times and recently with syzbot.
> >
> > We need to test if ax25 is NULL before using it.
> >
> > Here is the patch:
> >
> > diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> > index 77e9f85a2c92..7f075255a372 100644
> > --- a/net/rose/rose_route.c
> > +++ b/net/rose/rose_route.c
> > @@ -850,6 +850,7 @@ void rose_link_device_down(struct net_device *dev)
> >
> > /*
> > * Route a frame to an appropriate AX.25 connection.
> > + * a NULL ax25_cb indicates an internally generated frame.
> > */
> > int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
> > {
> > @@ -867,6 +868,10 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
> > *ax25)
> >
> > if (skb->len < ROSE_MIN_LEN)
> > return res;
> > +
> > + if (!ax25)
> > + return rose_loopback_queue(skb, NULL);
> > +
> > frametype = skb->data[2];
> > lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) &
> 0x0FF);
> > if (frametype == ROSE_CALL_REQUEST &&
> >
> > Signed-off-by: Bernard Pidoux, f6bvp <f6bvp@free.fr>
>
> Please also add:
>
> Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
>
> It's this report we are fixing, right?
> https://syzkaller.appspot.com/bug?id=fd0b0b00fc26abb4b35663a0e2f1c91d8e6e5725
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic
2019-01-20 10:32 ` Dmitry Vyukov
@ 2019-01-20 12:29 ` f6bvp
0 siblings, 0 replies; 7+ messages in thread
From: f6bvp @ 2019-01-20 12:29 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: linux-hams, Ralf Baechle, David Miller, Linux Netdev List, n1uro,
C Schuman
Dimitri,
I am so pleased to get some support for fixing this bug that I will let
you manage things as you like.
Please perform necessary actions for proper achievement of our concern.
You have my approbation for any change you think is needed.
Regards,
Bernard
Le 20/01/2019 à 11:32, Dmitry Vyukov a écrit :
> On Sun, Jan 20, 2019 at 10:58 AM f6bvp <f6bvp@free.fr> wrote:
>>
>> Hi,
>>
>> Dmitry wrote:
>>
>>> Please also add:
>>> Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
>>
>> I did mention syzbot report but without the exact reference, thanks.
>>
>>> It's this report we are fixing, right?
>>> https://syzkaller.appspot.com/bug?id=fd0b0b00fc26abb4b35663a0e2f1c91d8e6e5725
>>
>> Yes exactly !
>> This is a long date well know bug I reported two years ago.
>
> Then, well, I don't know, we either can leave syzbot as reporter if
> you don't mind. Or don't include it as supports other means to
> associate reports with fixes (#syz fix tag in email). The goal of
> associating fixes with reports is to "close" bugs and get them off the
> dashboard:
> https://syzkaller.appspot.com/#upstream-open
> Otherwise it turns into unuseful pile of bugs.
>
>
>
>> Bernard
>>
>>
>> On Sat, Jan 19, 2019 at 11:58 AM f6bvp <f6bvp@free.fr> wrote:
>>>
>>>
>>> [PATCH] [ROSE] NULL ax25_cb kernel panic
>>>
>>> When an internally generated frame is handled by rose_xmit(),
>>> rose_route_frame() is called:
>>>
>>> if (!rose_route_frame(skb, NULL)) {
>>> dev_kfree_skb(skb);
>>> stats->tx_errors++;
>>> return NETDEV_TX_OK;
>>> }
>>>
>>> We have the same code sequence in Net/Rom where an internally generated
>>> frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
>>> However, in this function NULL argument is tested while it is not in
>>> rose_route_frame().
>>> Then kernel panic occurs later on when calling ax25cmp() with a NULL
>>> ax25_cb argument as reported many times and recently with syzbot.
>>>
>>> We need to test if ax25 is NULL before using it.
>>>
>>> Here is the patch:
>>>
>>> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
>>> index 77e9f85a2c92..7f075255a372 100644
>>> --- a/net/rose/rose_route.c
>>> +++ b/net/rose/rose_route.c
>>> @@ -850,6 +850,7 @@ void rose_link_device_down(struct net_device *dev)
>>>
>>> /*
>>> * Route a frame to an appropriate AX.25 connection.
>>> + * a NULL ax25_cb indicates an internally generated frame.
>>> */
>>> int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
>>> {
>>> @@ -867,6 +868,10 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
>>> *ax25)
>>>
>>> if (skb->len < ROSE_MIN_LEN)
>>> return res;
>>> +
>>> + if (!ax25)
>>> + return rose_loopback_queue(skb, NULL);
>>> +
>>> frametype = skb->data[2];
>>> lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) &
>> 0x0FF);
>>> if (frametype == ROSE_CALL_REQUEST &&
>>>
>>> Signed-off-by: Bernard Pidoux, f6bvp <f6bvp@free.fr>
>>
>> Please also add:
>>
>> Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
>>
>> It's this report we are fixing, right?
>> https://syzkaller.appspot.com/bug?id=fd0b0b00fc26abb4b35663a0e2f1c91d8e6e5725
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic
2019-01-19 10:58 ` [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic f6bvp
2019-01-19 11:39 ` Dmitry Vyukov
2019-01-20 9:58 ` f6bvp
@ 2019-01-22 22:48 ` David Miller
2019-01-24 17:30 ` Bernard Pidoux
3 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2019-01-22 22:48 UTC (permalink / raw)
To: f6bvp; +Cc: linux-hams, ralf, dvyukov, netdev, brian
This patch is corrupted by your email client, please fix this up
and resubmit.
Thank you.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic
2019-01-19 10:58 ` [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic f6bvp
` (2 preceding siblings ...)
2019-01-22 22:48 ` David Miller
@ 2019-01-24 17:30 ` Bernard Pidoux
3 siblings, 0 replies; 7+ messages in thread
From: Bernard Pidoux @ 2019-01-24 17:30 UTC (permalink / raw)
To: linux-hams
Cc: Ralf Baechle, Dmitry Vyukov, David Miller, Linux Netdev List,
n1uro, f6bvp, Dmitry Vyukov
> [PATCH] [ROSE] NULL ax25_cb kernel panic
>
> When an internally generated frame is handled by rose_xmit(),
> rose_route_frame() is called:
>
> if (!rose_route_frame(skb, NULL)) {
> dev_kfree_skb(skb);
> stats->tx_errors++;
> return NETDEV_TX_OK;
> }
>
> We have the same code sequence in Net/Rom where an internally generated
> frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
> However, in this function NULL argument is tested while it is not in
> rose_route_frame().
> Then kernel panic occurs later on when calling ax25cmp() with a NULL
> ax25_cb argument as reported many times and recently with syzbot.
>
> We need to test if ax25 is NULL before using it.
>
> Here is the patch:
>
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index 77e9f85a2c92..7f075255a372 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -850,6 +850,7 @@ void rose_link_device_down(struct net_device *dev)
>
> /*
> * Route a frame to an appropriate AX.25 connection.
> + * a NULL ax25_cb indicates an internally generated frame.
> */
> int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
> {
> @@ -867,6 +868,10 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
> *ax25)
>
> if (skb->len < ROSE_MIN_LEN)
> return res;
> +
> + if (!ax25)
> + return rose_loopback_queue(skb, NULL);
> +
> frametype = skb->data[2];
> lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
> if (frametype == ROSE_CALL_REQUEST &&
> Reported-by:syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
> Signed-off-by: Bernard Pidoux, f6bvp <f6bvp@free.fr>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-01-24 17:26 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <57ADC4F4.6080707@free.fr>
2019-01-19 10:58 ` [PATCH] NET:AX25:ROSE NULL ax25_cb kernel panic f6bvp
2019-01-19 11:39 ` Dmitry Vyukov
2019-01-20 9:58 ` f6bvp
2019-01-20 10:32 ` Dmitry Vyukov
2019-01-20 12:29 ` f6bvp
2019-01-22 22:48 ` David Miller
2019-01-24 17:30 ` Bernard Pidoux
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.