On Thu, Oct 15, 2020 at 05:47:12AM +0530, Anmol Karn wrote: > In rose_send_frame(), when comparing two ax.25 addresses, it assigns > rose_call to > either global ROSE callsign or default port, but when the former block > triggers and > rose_call is assigned by (ax25_address *)neigh->dev->dev_addr, a NULL pointer > is > dereferenced by 'neigh' when dereferencing 'dev'. > > - net/rose/rose_link.c > This bug seems to get triggered in this line: > > rose_call = (ax25_address *)neigh->dev->dev_addr; > > Prevent it by checking NULL condition for neigh->dev before comparing > addressed for > rose_call initialization. > > Reported-by: syzbot+a1c743815982d9496...@syzkaller.appspotmail.com > Link: > https://syzkaller.appspot.com/bug?id=9d2a7ca8c7f2e4b682c97578dfa3f236258300b3 > Signed-off-by: Anmol Karn <anmol.karan...@gmail.com> > --- > I am bit sceptical about the error return code, please suggest if anything > else is > appropriate in place of '-ENODEV'. > > net/rose/rose_link.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c > index f6102e6f5161..92ea6a31d575 100644 > --- a/net/rose/rose_link.c > +++ b/net/rose/rose_link.c > @@ -97,6 +97,9 @@ static int rose_send_frame(struct sk_buff *skb, struct > rose_neigh *neigh) > ax25_address *rose_call; > ax25_cb *ax25s; > > + if (!neigh->dev) > + return -ENODEV;
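Review bot: the `if (!neigh->dev) return -ENODEV;` guard added at the top of rose_send_frame() tests a pointer that nothing in the hunk holds stable: no lock or reference on neigh or neigh->dev is taken, so the same NULL can still be seen on the `rose_call = (ax25_address *)neigh->dev->dev_addr;` line a few statements later, and the syzbot crash is narrowed to a smaller window rather than removed. The question to answer first is why a rose_neigh that is still reachable from the send path has dev cleared at all; handling that where dev is detached (tearing the neigh down, or keeping a reference on the device, under the locking that protects the neigh) would make this check unnecessary. On the error code the cover letter asks about: -ENODEV matches the condition tested, but it only matters if the callers of rose_send_frame() act on a non-zero return, so the commit message should say what they do with it and state why the check is the right place for the fix rather than only that syzbot hit the dereference.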
How can ->dev not be set at this point in time? Shouldn't that be fixed, because it could change right after you check this, right?

thanks,

greg k-h