> Bernard Pidoux <[email protected]> wrote on 14 December 2018 at 12:29:
>
>
> Hi Ralf,
>
> While running packet radio network switch ROSE node a kernel panic
> occurs systematically when opening a Chromium session.
> Hardware is Raspberry Pi and distro is Debian Stretch with 4.14.79-v7+
> kernel.
>
> Kernel panic is related to ax25cmp() when called with a null pointer
> argument.
>
> The function from which ax25cmp() gets a NULL pointer is rose_route_frame().
> rose_route_frame() is called by rose_xmit() in the following code
> sequence:
>
> 	if (!rose_route_frame(skb, NULL)) {
> 		dev_kfree_skb(skb);
> 		stats->tx_errors++;
> 		return NETDEV_TX_OK;
> 	}
>
> The same code structure is present in NET/ROM when nr_xmit() is calling
> nr_route_frame(skb, NULL).
> However, in this function the NULL argument is carefully looked at, while
> this is not the case in rose_route_frame():
>
> 	if ((dev = nr_dev_get(nr_dest)) != NULL) {	/* Its for me */
> 		if (ax25 == NULL)			/* Its from me */
> 			ret = nr_loopback_queue(skb);
> 		else
> 			ret = nr_rx_frame(skb, dev);
> 		dev_put(dev);
> 		return ret;
> 	}
>
> Thus I applied the following patch to the rose module:
>
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index 452bbb38d943..5474ab3f7093 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -865,6 +866,13 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
> *ax25)
>
> if (skb->len < ROSE_MIN_LEN)
> return res;
> +
> + if (ax25 == NULL) {
> + res = rose_loopback_queue(skb, NULL);
> + printk(KERN_WARNING "ROSE: rose_route_frame() NULL
> ax25_cb indicates an internally generated frame\n");
> + return res;
> + }
> +
> frametype = skb->data[2];
> lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) &
> 0x0FF);
> if (frametype == ROSE_CALL_REQUEST &&
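Review bot: the printk(KERN_WARNING ...) in the new `if (ax25 == NULL)` branch fires on every locally originated frame, which is the normal path taken by rose_xmit(), not an error condition; the dmesg excerpt further down shows it repeating several times within a second once Chromium starts sending. Drop the message, or if a trace is wanted while debugging, use pr_warn_ratelimited() or pr_debug() so that an ordinary application generating traffic cannot flood the kernel log. The `res = rose_loopback_queue(skb, NULL); return res;` pair can also collapse into a single `return rose_loopback_queue(skb, NULL);`.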
>
> After loading the new rose module and rebooting, as soon as the Chromium
> browser starts, dmesg dumps:
>
> [ 20.623664] NET: Registered protocol family 11
> [ 21.159231] mkiss: ax0: Trying crc-smack
> [ 23.744977] mkiss: ax0: Trying crc-flexnet
> [ 99.788904] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
> [ 99.812015] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
> [ 100.102042] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
> [ 100.672616] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
> [ 100.681703] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
> [ 100.790324] ROSE: rose_route_frame() NULL ax25_cb indicates an internally generated frame
>
> However, at this point no more kernel panics occur.
>
> We thus commit the following patch:
>
> diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
> index 452bbb38d943..0d4aa75cf783 100644
> --- a/net/rose/rose_route.c
> +++ b/net/rose/rose_route.c
> @@ -848,6 +847,7 @@ void rose_link_device_down(struct net_device *dev)
>
> /*
> * Route a frame to an appropriate AX.25 connection.
> + * a NULL ax25_cb indicates an internally generated frame.
> */
> int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
> {
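Review bot: the hunk header `@@ -848,6 +847,7 @@` starts the new side one line earlier than the old side although this hunk only adds a line, and the next hunk's `@@ -865,6 +865,12 @@` is consistent with that, so a one-line deletion somewhere above line 848 exists in the tree the diff was taken from but is not part of this patch (the first version had the opposite skew, `-865,6 +866,13`). Regenerate the diff against a clean upstream tree so it applies with git am. In the added comment line, capitalise "A NULL ax25_cb ..." to match the sentence above it and say what happens to such a frame (it is queued via rose_loopback_queue()), since that is the contract callers like rose_xmit() rely on.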
> @@ -865,6 +865,12 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb
> *ax25)
>
> if (skb->len < ROSE_MIN_LEN)
> return res;
> +
> + if (!ax25) {
> + res = rose_loopback_queue(skb, NULL);
> + return res;
> + }
> +
nitpicking:
There is no need to store the result in res.

	if (!ax25)
		return rose_loopback_queue(skb, NULL);
> frametype = skb->data[2];
> lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) &
> 0x0FF);
> if (frametype == ROSE_CALL_REQUEST &&
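Review bot: the NULL check sits after the `skb->len < ROSE_MIN_LEN` test, which is the right order (the loopback path still only sees frames of at least the minimum length), but the submission carries no changelog: nothing above the diff records that rose_xmit() calls rose_route_frame(skb, NULL) and that the NULL ax25_cb then reaches ax25cmp(), which is the crash this fixes. Put that description in the commit message together with the reproduction (4.14.79-v7+ on Raspberry Pi, panic on starting Chromium) and the parallel with nr_route_frame()'s `if (ax25 == NULL)` handling, and add a Cc: stable tag, since a reproducible NULL-pointer dereference triggered by local traffic qualifies; a Fixes: tag naming the commit that introduced the NULL call would help backporting if it can be identified.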
>
>
> Signed-off-by: Bernard Pidoux, f6bvp <[email protected]>
>
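The dispatch the thread describes, as an added example written for this page rather than code from the kernel or from the patch author: a user-space C model of rose_route_frame()'s entry checks, with the pre-patch shape (which dereferences a NULL ax25_cb) beside the patched one (length check, then NULL check, then loopback), plus the LCI/frametype decode from the quoted hunk, which also shows that the `& 0xF00` mask drops the GFI nibble of the first byte. Every `model_` name, the two sample frames and the values assumed for ROSE_MIN_LEN and ROSE_CALL_REQUEST are assumptions, not taken from the page.

```c
/*
 * Added example, not the kernel's code: a user-space model of the entry
 * checks in rose_route_frame() as they appear in the quoted hunks.
 * model_skb / model_ax25_cb and every model_* function are hypothetical
 * stand-ins for sk_buff / ax25_cb and the kernel routines. ROSE_MIN_LEN
 * and ROSE_CALL_REQUEST are assumed values, not taken from the page.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ROSE_MIN_LEN      3     /* assumed: two LCI bytes plus the frame type byte */
#define ROSE_CALL_REQUEST 0x0B  /* assumed: X.25 CALL REQUEST packet identifier */

enum { ROUTE_DROP = 0, ROUTE_OK = 1 };   /* model of the 0/1 result rose_xmit() tests */

struct model_skb {
    const uint8_t *data;
    size_t len;
};

struct model_ax25_cb {
    char dest_callsign[7];   /* the only field this model dereferences */
};

/* Constructed sample frames (not captured traffic). */
static const uint8_t sample_call_request[] = { 0xF1, 0x23, ROSE_CALL_REQUEST, 0x00 };
static const uint8_t sample_runt[]         = { 0xF1, 0x23 };

static unsigned loopback_count;   /* frames handed to the loopback queue */
static unsigned routed_count;     /* frames that went through the ax25_cb path */

/* Model of rose_loopback_queue(skb, NULL): queue locally, report consumed. */
static int model_loopback_queue(const struct model_skb *skb)
{
    (void)skb;
    loopback_count++;
    return ROUTE_OK;
}

/* LCI and frame type decoded exactly as the quoted hunk does; the top
 * nibble of data[0] (the GFI) is masked off by the & 0xF00. */
unsigned model_lci(const uint8_t *data)       { return ((data[0] << 8) & 0xF00) + (data[1] & 0x0FF); }
unsigned model_frametype(const uint8_t *data) { return data[2]; }

/* Pre-patch shape: nothing stands between the caller and ax25->..., so
 * calling this with ax25 == NULL dereferences NULL, which models the
 * ax25cmp() panic the thread reports. Only call it with a real cb. */
int model_route_unguarded(const uint8_t *data, size_t len, const struct model_ax25_cb *ax25)
{
    struct model_skb skb = { data, len };
    if (skb.len < ROSE_MIN_LEN)
        return ROUTE_DROP;
    if (model_frametype(skb.data) == ROSE_CALL_REQUEST && ax25->dest_callsign[0] != '\0') {
        routed_count++;
        return ROUTE_OK;
    }
    return ROUTE_DROP;
}

/* Patched shape: length check first so data[2] is in bounds, then an
 * internally generated (NULL ax25) frame is diverted to loopback before
 * any field of ax25 is touched; everything else takes the old path. */
int model_route_guarded(const uint8_t *data, size_t len, const struct model_ax25_cb *ax25)
{
    struct model_skb skb = { data, len };
    if (skb.len < ROSE_MIN_LEN)
        return ROUTE_DROP;
    if (!ax25)
        return model_loopback_queue(&skb);
    return model_route_unguarded(data, len, ax25);
}

unsigned model_loopback_count(void) { return loopback_count; }
unsigned model_routed_count(void)   { return routed_count; }

int main(void)
{
    struct model_ax25_cb cb = { "F6BVP" };
    printf("lci=0x%03x frametype=0x%02x\n",
           model_lci(sample_call_request), model_frametype(sample_call_request));
    printf("NULL cb -> %d, loopback=%u\n",
           model_route_guarded(sample_call_request, sizeof sample_call_request, NULL),
           model_loopback_count());
    printf("real cb -> %d, routed=%u\n",
           model_route_guarded(sample_call_request, sizeof sample_call_request, &cb),
           model_routed_count());
    printf("runt    -> %d\n", model_route_guarded(sample_runt, sizeof sample_runt, NULL));
    return 0;
}
```

The ordering in model_route_guarded() is the point worth keeping when reading the real hunk: the length test must precede both the NULL test and the `skb->data[2]` read, and the NULL test must precede any use of the control block, so a runt internally generated frame is dropped rather than looped back and a NULL cb never reaches the comparison path.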