From: Jeongjun Park
To: "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, linux-hams@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com, Jeongjun Park
Subject: [PATCH] netrom: fix double-free in nr_route_frame()
Date: Mon, 19 Jan 2026 15:33:59 +0900
Message-Id: <20260119063359.10604-1-aha310510@gmail.com>

In nr_route_frame(), old_skb is immediately freed without checking if
nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL,
the caller function will free old_skb again, causing a double-free bug.

Therefore, to prevent this, we need to modify it to check whether
nr_neigh->ax25 is NULL before freeing old_skb.

Cc:
Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jeongjun Park
--- net/netrom/nr_route.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index b94cb2ffbaf8..9cc29ae85b06 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c 
@@ -752,7 +752,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) unsigned char *dptr; ax25_cb *ax25s; int ret; - struct sk_buff *skbn; + struct sk_buff *nskb, *oskb; =20 /* * Reject malformed packets early. Check that it contains at least 2 @@ -811,14 +811,16 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) /* We are going to change the netrom headers so we should get our own skb, we also did not know until now how much header space we had to reserve... - RXQ */ - if ((skbn=3Dskb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC)) = =3D=3D NULL) { + nskb =3D skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC); + + if (!nskb) { nr_node_unlock(nr_node); nr_node_put(nr_node); dev_put(dev); return 0; } - kfree_skb(skb); - skb=3Dskbn; + oskb =3D skb; + skb =3D nskb; skb->data[14]--; =20 dptr =3D skb_push(skb, 1); @@ -837,6 +839,9 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) nr_node_unlock(nr_node); nr_node_put(nr_node); =20 + if (ret) + kfree_skb(oskb); + return ret; } =20 --
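Review bot: The rename of skbn to nskb in the @@ -752,7 +752,7 @@ hunk is unrelated to the fix and enlarges a patch that is copied to stable@vger.kernel.org. Keeping skbn and adding only the new pointer (struct sk_buff *skbn, *oskb;) would limit the diff to the lines that change behaviour and make backports apply more cleanly.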
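Review bot: Ownership of nskb on the failure path is not addressed: in the @@ -811,14 +811,16 @@ hunk the copy replaces skb and the original is parked in oskb, but nothing in the patch frees nskb when the function later returns 0. Please state in the commit message, or in a comment next to oskb = skb;, who releases nskb when ret is 0, so it is clear the double free is not being traded for a leak. Style: the blank line between the skb_copy_expand() assignment and if (!nskb) separates the call from its error check and can be dropped.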
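Review bot: The if (ret) kfree_skb(oskb); added in the @@ -837,6 +839,9 @@ hunk runs on the success path, where the original buffer has been handled rather than dropped, so consume_skb(oskb) is the better call; kfree_skb() reports the buffer as a drop to drop monitoring. The commit message describes the condition as nr_neigh->ax25 being NULL while the code tests ret; a one-line comment saying that a nonzero return means the caller's skb has been consumed, and that on 0 the caller frees it, would tie the two together.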