Re: [ROSE] rose dereferenced pointer kernel panic
From: Dmitry Vyukov
Date: Wed Jan 02 2019 - 06:52:24 EST
On Wed, Jan 2, 2019 at 12:12 AM Bernard Pidoux <f6bvp@xxxxxxx> wrote:
> Hi David,
> In my previous message I should have reported the following patch rather than the one I reported.
> The reason is that the bug is better explained here:
> and I hope the new proposed patch is more convenient.
> On 01/01/2019 at 23:39, Bernard Pidoux wrote:
> Hi David,
> As you already know I am still looking for the simplest way to configure a kernel rose failure situation when rose_route_frame is called with a NULL pointer.
> Could you explain with full details how to have "TCP/IP over AX.25 fully configured" ?
> More specifically, how can we configure a rose device without NOARP? This is not the case when performing Dmitry Vyukov's commands:
> # ip link set dev rose0 address 11:22:33:44:55
> # ip link set dev rose0 up
> 73 de Bernard, f6bvp
> On 08/12/2018 at 17:23, David Ranch wrote:
> Hello Bernard, Everyone,
> Yes, I've seen a similar behavior with another program I have here that broadcasts on all live TCP/IP interfaces when it loads. That all depends on whether you have TCP/IP over AX.25 fully configured on your machine. If you do, this command should key up your radio to send out an ARP:
> ping -b -c 1 <broadcast IP on your ROSE or AX.25 interface>
> d710: fm KI6ZHD to QST ctl UI pid=CC(IP) len 84
> IP: len 84 184.108.40.206->220.127.116.11 ihl 20 ttl 64 DF prot ICMP
> ICMP: type Echo Request id 50814 seq 1
> ................ !"#$%&'()*+,-./01234567
> Btw, I've been aware of this ROSE panic issue for some time and I'm pretty sure I forwarded those details on to you, but that was many years ago. Another way to reproduce a ROSE panic is, if I remember correctly, to remove the backing AX.25 interface's connection (say, killing kissattach for ax0) on a ROSE interface that has an IP; that will also panic the kernel every time.
I've provided a bit more information on what I did here:
I really did not do anything fancy.
FWIW I had to do the following locally just to prevent rose from
crashing my machine all the time. I don't know if it's the right fix
or not; I just used this as a stop-gap.
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 77e9f85a2c92..218308a3c02c 100644
@@ -874,6 +874,8 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+ if (ax25 == NULL)
+ return res;
src_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_SRC_ADDR_OFF);
dest_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
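Review bot: the early return at the top of the hunk hands back `res` before the routine has done any work, so it is only correct if `res` is initialised at its declaration; that line is outside the hunk, so confirm `int res = 0;` precedes the guard (or return an explicit value) rather than relying on whatever the variable holds. A zero return also means the skb was not consumed, so the caller that passes ax25 == NULL (rose_xmit, per the note below the patch) has to free the buffer on that path, otherwise every transmitted frame leaks. Kernel style would write the test as `if (!ax25)`, and a one-line comment stating that rose_xmit legitimately calls with a NULL ax25 would stop the next reader from removing the guard as dead code.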
rose_xmit calls rose_route_frame with ax25==NULL, then
rose_route_frame uses ax25 without any checks.
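The two call paths described above, as an added userspace model that is not part of this thread or of the kernel: one caller (modelled on rose_xmit) hands the routing routine a NULL ax25 while another (the receive path) supplies a real one, and the routine must tolerate both. The struct layouts, the "1 = frame consumed, 0 = caller still owns the skb" return convention, the counters and the two-byte sample frame are all assumptions constructed here so the example runs stand-alone; the point it adds to the thread is that the value the early return hands back decides who frees the buffer.

```c
/*
 * Userspace model of the ax25 == NULL hazard in rose_route_frame().
 * Added illustration, not kernel code: the structs, the return
 * convention (1 = consumed, 0 = caller must free) and the counters are
 * assumptions made for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the kernel's ax25_cb and sk_buff. */
typedef struct { int dev_id; } ax25_cb;
typedef struct {
    unsigned char data[32];
    size_t len;
    int freed;          /* set when the owner releases the buffer */
} sk_buff;

static int frames_routed;   /* frames the routing path accepted */
static int frames_dropped;  /* frames the caller had to free */

/*
 * Model of rose_route_frame(). Returns 1 when the routing code took the
 * frame over, 0 when the caller still owns (and must free) it. The first
 * two statements are the guard from the stop-gap patch; 'res' is
 * initialised before the early return so the caller never reads an
 * indeterminate value.
 */
static int model_route_frame(sk_buff *skb, ax25_cb *ax25)
{
    int res = 0;

    if (ax25 == NULL)
        return res;

    /* Stands in for the address parsing and neighbour lookup that
     * dereference ax25 in the real routine. */
    if (ax25->dev_id >= 0 && skb->len >= 2) {
        frames_routed++;
        res = 1;
    }
    return res;
}

/*
 * Model of rose_xmit(), the call site that passes ax25 == NULL. When
 * routing reports "not consumed" the buffer is released here, which is
 * what keeps the early return from leaking every transmitted frame.
 */
static int model_xmit(sk_buff *skb)
{
    if (!model_route_frame(skb, NULL)) {
        skb->freed = 1;          /* dev_kfree_skb() in the kernel */
        frames_dropped++;
        return 0;
    }
    return 1;
}

/* Model of the receive path, which does supply a real ax25_cb. */
static int model_rcv(sk_buff *skb, ax25_cb *ax25)
{
    if (!model_route_frame(skb, ax25)) {
        skb->freed = 1;
        frames_dropped++;
        return 0;
    }
    return 1;
}

/* Constructed two-byte frame for the example; real ROSE frames are longer. */
static sk_buff make_frame(void)
{
    sk_buff skb;
    memset(&skb, 0, sizeof skb);
    skb.data[0] = 0x0b;   /* arbitrary constructed bytes */
    skb.data[1] = 0x0f;
    skb.len = 2;
    return skb;
}

int main(void)
{
    ax25_cb link = { .dev_id = 0 };
    sk_buff tx = make_frame(), rx = make_frame();

    printf("xmit (ax25 == NULL): routed=%d freed=%d\n",
           model_xmit(&tx), tx.freed);
    printf("rcv  (real ax25):    routed=%d freed=%d\n",
           model_rcv(&rx, &link), rx.freed);
    return 0;
}
```

With the guard in place the transmit path reports "not routed" and frees its buffer, while the receive path routes the same frame; removing the two guard lines turns the transmit call into the NULL dereference the thread is about.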