From patchwork Thu Feb  9 13:12:11 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ralf Baechle <ralf@linux-mips.org>
X-Patchwork-Id: 726077
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3vJz5W1WYvz9s73
	for <patchwork-incoming@ozlabs.org>;
	Fri, 10 Feb 2017 00:12:47 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752189AbdBINM1 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 9 Feb 2017 08:12:27 -0500
Received: from eddie.linux-mips.org ([148.251.95.138]:56544 "EHLO
	cvs.linux-mips.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752064AbdBINMZ (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 9 Feb 2017 08:12:25 -0500
Received: from localhost.localdomain ([127.0.0.1]:41112 "EHLO linux-mips.org"
	rhost-flags-OK-OK-OK-FAIL) by eddie.linux-mips.org with ESMTP
	id S23991964AbdBINMP1RbvY (ORCPT
	<rfc822;linux-kernel@vger.kernel.org> + 1 other);
	Thu, 9 Feb 2017 14:12:15 +0100
Received: from h7.dl5rb.org.uk (localhost [127.0.0.1])
	by h7.dl5rb.org.uk (8.15.2/8.14.8) with ESMTP id v19DCCSM021789;
	Thu, 9 Feb 2017 14:12:13 +0100
Received: (from ralf@localhost)
	by h7.dl5rb.org.uk (8.15.2/8.15.2/Submit) id v19DCC67021788;
	Thu, 9 Feb 2017 14:12:12 +0100
Date: Thu, 9 Feb 2017 14:12:11 +0100
From: Ralf Baechle <ralf@linux-mips.org>
To: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
	Andrew Morton <akpm@linux-foundation.org>, linux-kernel@vger.kernel.org
Cc: Thomas Osterried <thomas@osterried.de>
Subject: [PATCH] NET: mkiss: Fix panic
Message-ID: <20170209131211.GA16072@linux-mips.org>
References: <B4836AA3-200E-4BDA-B1B1-CD3F6AF28F94@osterried.de>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <B4836AA3-200E-4BDA-B1B1-CD3F6AF28F94@osterried.de>
User-Agent: Mutt/1.7.1 (2016-10-04)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

If a USB-to-serial adapter is unplugged, the driver re-initializes, with
dev->hard_header_len and dev->addr_len set to zero, instead of the correct
values.  If then a packet is sent through the half-dead interface, the
kernel will panic due to running out of headroom in the skb when pushing
for the AX.25 headers resulting in this panic:

[<c0595468>] (skb_panic) from [<c0401f70>] (skb_push+0x4c/0x50)
[<c0401f70>] (skb_push) from [<bf0bdad4>] (ax25_hard_header+0x34/0xf4 [ax25])
[<bf0bdad4>] (ax25_hard_header [ax25]) from [<bf0d05d4>] (ax_header+0x38/0x40 [mkiss])
[<bf0d05d4>] (ax_header [mkiss]) from [<c041b584>] (neigh_compat_output+0x8c/0xd8)
[<c041b584>] (neigh_compat_output) from [<c043e7a8>] (ip_finish_output+0x2a0/0x914)
[<c043e7a8>] (ip_finish_output) from [<c043f948>] (ip_output+0xd8/0xf0)
[<c043f948>] (ip_output) from [<c043f04c>] (ip_local_out_sk+0x44/0x48)

This patch makes mkiss behave like the 6pack driver. 6pack does not
panic.  In 6pack.c sp_setup() (same function name here) the values for
dev->hard_header_len and dev->addr_len are set to the same values as in
my mkiss patch.

[ralf@linux-mips.org: Massages original submission to conform to the usual
standards for patch submissions.]

Signed-off-by: Thomas Osterried <thomas@osterried.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---

 drivers/net/hamradio/mkiss.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
index 1dfe230..e0a6b1a 100644
--- a/drivers/net/hamradio/mkiss.c
+++ b/drivers/net/hamradio/mkiss.c
@@ -648,8 +648,8 @@ static void ax_setup(struct net_device *dev)
 {
 	/* Finish setting up the DEVICE info. */
 	dev->mtu             = AX_MTU;
-	dev->hard_header_len = 0;
-	dev->addr_len        = 0;
+	dev->hard_header_len = AX25_MAX_HEADER_LEN;
+	dev->addr_len        = AX25_ADDR_LEN;
 	dev->type            = ARPHRD_AX25;
 	dev->tx_queue_len    = 10;
 	dev->header_ops      = &ax25_header_ops;