Thread (26 messages) 26 messages, 9 authors, 2025-09-02

Re: [ROSE] [AX25] 6.15.10 long term stable kernel oops

From: Eric Dumazet <edumazet@google.com>
Date: 2025-09-01 12:05:49
Also in: linux-hams

Possibly related (same subject, not in this thread)

On Mon, Sep 1, 2025 at 5:04 AM Eric Dumazet [off-list ref] wrote:
quoted hunk ↗ jump to hunk
On Sat, Aug 30, 2025 at 4:37 PM F6BVP [off-list ref] wrote:
quoted
Here is a bad commit report by git bisect and the corresponding decoded
stack trace of kernel panic triggered when mkiss receives AX25 packet.

All kernels following 6.14.11, i.e. starting with 6.15.1 until net-next
are affected by the issue.

I would be pleased to check any patch correcting the issue.
Thanks for the report.

At some point we will have to remove ax25, this has been quite broken
for a long time.

Please try :
diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
index 1cac25aca637..f2d66af86359 100644
--- a/net/ax25/ax25_in.c
+++ b/net/ax25/ax25_in.c
@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct
net_device *dev,
 int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev,
                  struct packet_type *ptype, struct net_device *orig_dev)
 {
+       skb = skb_share_check(skb, GFP_ATOMIC);
+       if (!skb)
+               return NET_RX_DROP;
+
        skb_orphan(skb);

        if (!net_eq(dev_net(dev), &init_net)) {
We had a similar fix in 2016 for phonet:

commit 7aaed57c5c2890634cfadf725173c7c68ea4cb4f
Author: Eric Dumazet [off-list ref]
Date:   Tue Jan 12 08:58:00 2016 -0800

    phonet: properly unshare skbs in phonet_rcv()

    Ivaylo Dimitrov reported a regression caused by commit 7866a621043f
    ("dev: add per net_device packet type chains").

    skb->dev becomes NULL and we crash in __netif_receive_skb_core().

    Before above commit, different kind of bugs or corruptions could happen
    without major crash.

    But the root cause is that phonet_rcv() can queue skb without checking
    if skb is shared or not.

    Many thanks to Ivaylo Dimitrov for his help, diagnosis and tests.

    Reported-by: Ivaylo Dimitrov [off-list ref]
    Tested-by: Ivaylo Dimitrov [off-list ref]
    Signed-off-by: Eric Dumazet [off-list ref]
    Cc: Remi Denis-Courmont [off-list ref]
    Signed-off-by: David S. Miller [off-list ref]
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help