Hi Ralf,
While running a packet radio network switch ROSE node, a kernel panic
occurs systematically when opening a Chromium session.
Hardware is a Raspberry Pi and the distro is Debian Stretch with a 4.14.79-v7+
kernel.
The kernel panic is related to ax25cmp() being called with a NULL pointer
argument.
The function from which ax25cmp() gets a NULL pointer is rose_route_frame().
rose_route_frame() is called by rose_xmit() in the following code
sequence:

	if (!rose_route_frame(skb, NULL)) {
		dev_kfree_skb(skb);
		stats->tx_errors++;
		return NETDEV_TX_OK;
	}

The same code structure is present in NET/ROM, where nr_xmit() calls
nr_route_frame(skb, NULL).
However, in this function the NULL argument is carefully looked at, while
this is not the case in rose_route_frame():

	if ((dev = nr_dev_get(nr_dest)) != NULL) {	/* Its for me */
		if (ax25 == NULL)			/* Its from me */
			ret = nr_loopback_queue(skb);
		else
			ret = nr_rx_frame(skb, dev);
		dev_put(dev);
		return ret;
	}

Thus I applied the following patch to the rose module:
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 452bbb38d943..5474ab3f7093 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -865,6 +866,13 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
*ax25)
if (skb->len < ROSE_MIN_LEN)
return res;
+
+ if (ax25 == NULL) {
+ res = rose_loopback_queue(skb, NULL);
+ printk(KERN_WARNING "ROSE: rose_route_frame() NULL
ax25_cb indicates an internally generated frame\n");
+ return res;
+ }
+
frametype = skb->data[2];
lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) &
0x0FF);
if (frametype == ROSE_CALL_REQUEST &&
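Review bot: the printk() added in this hunk fires once per internally generated frame with no rate limiting, so a busy node will flood the log (the dmesg excerpt in this mail already shows six hits within about a second); use printk_ratelimited()/pr_warn_ratelimited(), or drop the message once the path is confirmed, as the second patch does. Separately, the hunk assigns the return value of rose_loopback_queue() to res, but the patch does not touch rose_loopback.c or rose.h, so nothing here shows what that function returns or what value means success: rose_xmit() (quoted above) calls dev_kfree_skb(skb) whenever rose_route_frame() returns 0, so if rose_loopback_queue() has already taken ownership of the skb, a zero result here would free it twice. Please confirm the prototype and that the value returned on the queued path is non-zero.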
After loading the new rose module and rebooting, as soon as the Chromium
browser starts, dmesg dumps:
[ 20.623664] NET: Registered protocol family 11
[ 21.159231] mkiss: ax0: Trying crc-smack
[ 23.744977] mkiss: ax0: Trying crc-flexnet
[ 99.788904] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
[ 99.812015] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
[ 100.102042] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
[ 100.672616] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
[ 100.681703] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
[ 100.790324] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
However, at this time, no kernel panic occurs any more.
We thus commit the following patch:
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 452bbb38d943..0d4aa75cf783 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -848,6 +847,7 @@ void rose_link_device_down(struct net_device *dev)
/*
* Route a frame to an appropriate AX.25 connection.
+ * a NULL ax25_cb indicates an internally generated frame.
*/
int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
{
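Review bot: the hunk header "@@ -848,6 +847,7 @@" starts the new side one line earlier than the old side even though this hunk only adds a line, and the first patch's header showed the opposite offset (-865 vs +866); that suggests the diff was taken against a tree carrying other local changes, so please regenerate it with git format-patch against a clean tree so that it applies at the stated index. Style: match the capitalisation of the preceding comment line ("Route a frame ..."), i.e. "A NULL ax25_cb indicates an internally generated frame."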
@@ -865,6 +865,12 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
*ax25)
if (skb->len < ROSE_MIN_LEN)
return res;
+
+ if (!ax25) {
+ res = rose_loopback_queue(skb, NULL);
+ return res;
+ }
+
frametype = skb->data[2];
lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) &
0x0FF);
if (frametype == ROSE_CALL_REQUEST &&
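Review bot: the two added statements reduce to "return rose_loopback_queue(skb, NULL);" (the temporary in res adds nothing), but the substantive question is the meaning of that return value: rose_xmit() (quoted above) frees the skb whenever rose_route_frame() returns 0, so rose_loopback_queue() must return non-zero once it has consumed or queued the skb, and if its prototype has to change to return a value, the rose.h and rose_loopback.c changes belong in this same patch so it builds and applies as one unit. Also add a proper commit description above the diff and consider a Fixes: tag for the commit that introduced the NULL call from rose_xmit() plus a Cc: stable, since this is a reproducible panic on a released kernel (4.14.79 as reported above).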
Signed-off-by: Bernard Pidoux, f6bvp <[email protected]>