| Message ID | 20201107191835.5541-1-anmol.karan123@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [Linux-kernel-mentees,v3,net] rose: Fix Null pointer dereference in rose_send_frame() | expand |
On Sun, 8 Nov 2020 00:48:35 +0530 Anmol Karn wrote: > + dev = rose_dev_get(dest); this calls dev_hold internally, you never release that reference in case ..neigh->dev is NULL > + if (rose_loopback_neigh->dev && dev) {
Hello Sir, On Tue, Nov 10, 2020 at 09:58:15AM -0800, Jakub Kicinski wrote: > On Sun, 8 Nov 2020 00:48:35 +0530 Anmol Karn wrote: > > + dev = rose_dev_get(dest); > > this calls dev_hold internally, you never release that reference in > case ..neigh->dev is NULL > > > + if (rose_loopback_neigh->dev && dev) { Ah, I missed to `dev_put()` the `dev` after checking for, if neigh->dev is NULL, I will fix it soon and send another version. Thank you for review. Anmol
diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c index 7b094275ea8b..2c51756ed7bf 100644 --- a/net/rose/rose_loopback.c +++ b/net/rose/rose_loopback.c @@ -96,7 +96,8 @@ static void rose_loopback_timer(struct timer_list *unused) } if (frametype == ROSE_CALL_REQUEST) { - if ((dev = rose_dev_get(dest)) != NULL) { + dev = rose_dev_get(dest); + if (rose_loopback_neigh->dev && dev) { if (rose_rx_call_request(skb, dev, rose_loopback_neigh, lci_o) == 0) kfree_skb(skb); } else {
rose_send_frame() dereferences `neigh->dev` when called from rose_transmit_clear_request(), and the first occurrence of the `neigh` is in rose_loopback_timer() as `rose_loopback_neigh`, and it is initialized in rose_add_loopback_neigh() as NULL. i.e when `rose_loopback_neigh` used in rose_loopback_timer() its `->dev` was still NULL and rose_loopback_timer() was calling rose_rx_call_request() without checking for NULL. - net/rose/rose_link.c This bug seems to get triggered in this line: rose_call = (ax25_address *)neigh->dev->dev_addr; Fix it by adding NULL checking for `rose_loopback_neigh->dev` in rose_loopback_timer(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot+a1c743815982d9496393@syzkaller.appspotmail.com Tested-by: syzbot+a1c743815982d9496393@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=9d2a7ca8c7f2e4b682c97578dfa3f236258300b3 Signed-off-by: Anmol Karn <anmol.karan123@gmail.com> --- Changes in v3: - Corrected checkpatch warnings and errors (Suggested-by: Saeed Mahameed <saeed@kernel.org>) - Added "Fixes:" tag (Suggested-by: Saeed Mahameed <saeed@kernel.org>) Changes in v2: - Added NULL check in rose_loopback_timer() (Suggested-by: Greg KH <gregkh@linuxfoundation.org>) net/rose/rose_loopback.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) - 2.29.2