* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: Siddh Raman Pant @ 2023-11-13 12:04 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, netdev, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 645677f84dba..bc97cd6971bd 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -795,6 +795,11 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
return -ENODEV;
}
+ if (sk->sk_state != LLCP_CONNECTED) {
+ release_sock(sk);
+ return -ENOTCONN;
+ }
+
if (sk->sk_type == SOCK_DGRAM) {
DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
msg->msg_name);
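Review bot: Hoisting the `sk->sk_state != LLCP_CONNECTED` check above the `SOCK_DGRAM` branch rejects every datagram send on a socket that is only bound and never went through connect; the follow-up patch in this thread guards that branch with `LLCP_BOUND` instead, which suggests the two socket types do not share a state (worth confirming against the LLCP state machine before taking this form). Independently, the check runs under `lock_sock(sk)` but the lock is dropped before `nfc_llcp_send_ui_frame()` / `nfc_llcp_send_i_frame()` (visible in the next hunk and in the original lines removed by the later patch), so both the state and the nfc_dev the send reads are only a snapshot at the time of the check, which is why a state test alone cannot close the reported use-after-free. The enclosing `llcp_sock_sendmsg` starts and ends outside the hunk. If the check stays, a comment like `/* snapshot only: the socket lock is released before the actual send */` would make that limitation explicit.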
@@ -810,11 +815,6 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
msg, len);
}
- if (sk->sk_state != LLCP_CONNECTED) {
- release_sock(sk);
- return -ENOTCONN;
- }
-
release_sock(sk);
return nfc_llcp_send_i_frame(llcp_sock, msg, len);
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: syzbot @ 2023-11-13 13:33 UTC (permalink / raw)
To: code, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to create VM pool: failed to write image file: googleapi: Error 500: We encountered an internal error. Please try again., internalError
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1681865836=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 500bfdc41
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=500bfdc41735bc8d617cbfd4f1ab6b5980c8f1e5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231103-130513'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=500bfdc41735bc8d617cbfd4f1ab6b5980c8f1e5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231103-130513'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=500bfdc41735bc8d617cbfd4f1ab6b5980c8f1e5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231103-130513'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"500bfdc41735bc8d617cbfd4f1ab6b5980c8f1e5\"
Tested on:
commit: b85ea95d Linux 6.7-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=b5bf1661f609e7f0
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10070d70e80000
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: Siddh Raman Pant @ 2023-11-13 12:43 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, netdev, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 645677f84dba..ea0e6c85866d 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -796,6 +796,11 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
}
if (sk->sk_type == SOCK_DGRAM) {
+ if (sk->sk_state != LLCP_BOUND) {
+ release_sock(sk);
+ return -ENOLINK;
+ }
+
DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
msg->msg_name);
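Review bot: The new `LLCP_BOUND` check returns `-ENOLINK`, which is inconsistent with the sibling state check for stream sockets in the same function returning `-ENOTCONN` and the `!llcp_sock->local` check returning `-ENODEV`; `ENOLINK` is an unusual code for a socket-state failure and user space is unlikely to handle it, so `return -ENOTCONN;` would be the more conventional choice. The check is also only a snapshot, taken under `lock_sock(sk)` while the existing code still releases the lock before calling `nfc_llcp_send_ui_frame()`, so the state and the backing nfc_dev can change between check and send; that matches syzbot still reproducing the same read in `nfc_alloc_send_skb()` with this patch applied. The enclosing `llcp_sock_sendmsg` starts and ends outside the hunk.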
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: syzbot @ 2023-11-13 13:48 UTC (permalink / raw)
To: code, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in nfc_alloc_send_skb
==================================================================
BUG: KASAN: slab-use-after-free in nfc_alloc_send_skb+0x189/0x1c0 net/nfc/core.c:726
Read of size 4 at addr ffff888020c66548 by task syz-executor.0/5482
CPU: 0 PID: 5482 Comm: syz-executor.0 Not tainted 6.7.0-rc1-syzkaller-gb85ea95d0864-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x142/0x170 mm/kasan/report.c:588
nfc_alloc_send_skb+0x189/0x1c0 net/nfc/core.c:726
nfc_llcp_send_ui_frame+0x2ac/0x670 net/nfc/llcp_commands.c:766
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
__do_sys_sendmmsg net/socket.c:2753 [inline]
__se_sys_sendmmsg net/socket.c:2750 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fc24e27cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc24efbd0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fc24e39bf80 RCX: 00007fc24e27cae9
RDX: 0000000000000001 RSI: 00000000200013c0 RDI: 0000000000000004
RBP: 00007fc24e2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc24e39bf80 R15: 00007ffff6582e38
</TASK>
Allocated by task 5482:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
nfc_allocate_device+0x12f/0x520 net/nfc/core.c:1065
nci_allocate_device+0x1e2/0x360 net/nfc/nci/core.c:1179
virtual_ncidev_open+0x75/0x1b0 drivers/nfc/virtual_ncidev.c:136
misc_open+0x30b/0x380 drivers/char/misc.c:165
chrdev_open+0x5ab/0x630 fs/char_dev.c:414
do_dentry_open+0x8fd/0x1590 fs/open.c:948
do_open fs/namei.c:3622 [inline]
path_openat+0x2845/0x3280 fs/namei.c:3779
do_filp_open+0x234/0x490 fs/namei.c:3809
do_sys_openat2+0x13e/0x1d0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x247/0x290 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Freed by task 5481:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x263/0x3a0 mm/slub.c:3822
device_release+0x95/0x1c0
kobject_cleanup lib/kobject.c:682 [inline]
kobject_release lib/kobject.c:716 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1ee/0x430 lib/kobject.c:733
nfc_free_device include/net/nfc/nfc.h:213 [inline]
nci_free_device+0x38/0x50 net/nfc/nci/core.c:1209
virtual_ncidev_close+0x70/0x90 drivers/nfc/virtual_ncidev.c:164
__fput+0x3cc/0xa10 fs/file_table.c:394
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The buggy address belongs to the object at ffff888020c66000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1352 bytes inside of
freed 2048-byte region [ffff888020c66000, ffff888020c66800)
The buggy address belongs to the physical page:
page:ffffea0000831800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20c60
head:ffffea0000831800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012c42000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 8, tgid 8 (kworker/0:0), ts 87575041484, free_ts 86099705668
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0x339a/0x3530 mm/page_alloc.c:3312
__alloc_pages+0x255/0x670 mm/page_alloc.c:4568
alloc_pages_mpol+0x3de/0x640 mm/mempolicy.c:2133
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x21d/0x300 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node_track_caller+0xa5/0x230 mm/slab_common.c:1027
kmalloc_reserve+0xf3/0x260 net/core/skbuff.c:582
__alloc_skb+0x1b1/0x420 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
alloc_skb_with_frags+0xc3/0x780 net/core/skbuff.c:6331
sock_alloc_send_pskb+0x919/0xa50 net/core/sock.c:2780
sock_alloc_send_skb include/net/sock.h:1884 [inline]
mld_newpack+0x1c9/0xa90 net/ipv6/mcast.c:1746
add_grhead net/ipv6/mcast.c:1849 [inline]
add_grec+0x148d/0x1990 net/ipv6/mcast.c:1987
mld_send_cr net/ipv6/mcast.c:2113 [inline]
mld_ifc_work+0x6bf/0xb20 net/ipv6/mcast.c:2650
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x92a/0xa50 mm/page_alloc.c:2347
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487
discard_slab mm/slub.c:2116 [inline]
__unfreeze_partials+0x1dc/0x220 mm/slub.c:2655
put_cpu_partial+0x17b/0x250 mm/slub.c:2731
__slab_free+0x2b6/0x390 mm/slub.c:3679
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x6c/0x3c0 mm/slab.h:763
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc_lru+0x100/0x2c0 mm/slub.c:3509
__d_alloc+0x31/0x710 fs/dcache.c:1768
d_alloc fs/dcache.c:1848 [inline]
d_alloc_parallel+0xe1/0x1590 fs/dcache.c:2637
__lookup_slow+0x117/0x3e0 fs/namei.c:1679
lookup_slow+0x53/0x70 fs/namei.c:1711
walk_component fs/namei.c:2002 [inline]
link_path_walk+0x9c8/0xe70 fs/namei.c:2329
path_openat+0x25d/0x3280 fs/namei.c:3775
Memory state around the buggy address:
ffff888020c66400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888020c66480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888020c66500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888020c66580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888020c66600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: b85ea95d Linux 6.7-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=113c6a57680000
kernel config: https://syzkaller.appspot.com/x/.config?x=b5bf1661f609e7f0
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12d9c9a8e80000
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: Siddh Raman Pant @ 2023-11-14 12:06 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, netdev, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/nfc/llcp_sock.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 645677f84dba..699f7f6cc0b8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -791,33 +791,39 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
lock_sock(sk);
if (!llcp_sock->local) {
- release_sock(sk);
- return -ENODEV;
+ ret = -ENODEV;
+ goto out;
}
if (sk->sk_type == SOCK_DGRAM) {
+ if (sk->sk_state != LLCP_BOUND) {
+ ret = -ENOLINK;
+ goto out;
+ }
+
DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
msg->msg_name);
if (msg->msg_namelen < sizeof(*addr)) {
- release_sock(sk);
- return -EINVAL;
+ ret = -EINVAL;
+ goto out;
}
- release_sock(sk);
-
- return nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap,
- msg, len);
+ ret = nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap,
+ msg, len);
+ goto out;
}
if (sk->sk_state != LLCP_CONNECTED) {
- release_sock(sk);
- return -ENOTCONN;
+ ret = -ENOTCONN;
+ goto out;
}
- release_sock(sk);
+ ret = nfc_llcp_send_i_frame(llcp_sock, msg, len);
- return nfc_llcp_send_i_frame(llcp_sock, msg, len);
+out:
+ release_sock(sk);
+ return ret;
}
static int llcp_sock_recvmsg(struct socket *sock, struct msghdr *msg,
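Review bot: Moving `release_sock(sk)` to the shared `out:` label changes the locking contract: `nfc_llcp_send_ui_frame()` and `nfc_llcp_send_i_frame()` are now called with the socket lock held, whereas the removed lines dropped it first, and the patch does not say why that is safe (any callee that itself takes `lock_sock()` on the same socket would now deadlock). It also does not address the reported problem, since the socket lock does not serialise against the nfc_dev free shown in the KASAN "Freed by" stack (`nfc_free_device` via `kobject_put`), and the re-test in this thread still hits the same read in `nfc_alloc_send_skb()` from `llcp_sock_sendmsg+0x24d` with this patch applied. The goto-cleanup shape itself is an improvement; a comment at the label such as `/* both send paths now run with the socket lock held */` would record the new invariant. `ret` is assigned on every path but declared outside the hunk, so this relies on the existing `int ret` in `llcp_sock_sendmsg`, whose start is outside the hunk.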
--
2.42.0
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: syzbot @ 2023-11-14 12:31 UTC (permalink / raw)
To: code, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in nfc_alloc_send_skb
==================================================================
BUG: KASAN: slab-use-after-free in nfc_alloc_send_skb+0x189/0x1c0 net/nfc/core.c:726
Read of size 4 at addr ffff888028ecd548 by task syz-executor.0/5548
CPU: 0 PID: 5548 Comm: syz-executor.0 Not tainted 6.7.0-rc1-syzkaller-00012-g9bacdd8996c7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x142/0x170 mm/kasan/report.c:588
nfc_alloc_send_skb+0x189/0x1c0 net/nfc/core.c:726
nfc_llcp_send_ui_frame+0x2ac/0x670 net/nfc/llcp_commands.c:766
llcp_sock_sendmsg+0x24d/0x380 net/nfc/llcp_sock.c:812
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
__do_sys_sendmmsg net/socket.c:2753 [inline]
__se_sys_sendmmsg net/socket.c:2750 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f47e707cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f47e63fe0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f47e719bf80 RCX: 00007f47e707cae9
RDX: 0000000000000001 RSI: 00000000200013c0 RDI: 0000000000000004
RBP: 00007f47e70c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f47e719bf80 R15: 00007ffc0cfc6608
</TASK>
Allocated by task 5548:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
nfc_allocate_device+0x12f/0x520 net/nfc/core.c:1065
nci_allocate_device+0x1e2/0x360 net/nfc/nci/core.c:1179
virtual_ncidev_open+0x75/0x1b0 drivers/nfc/virtual_ncidev.c:136
misc_open+0x30b/0x380 drivers/char/misc.c:165
chrdev_open+0x5ab/0x630 fs/char_dev.c:414
do_dentry_open+0x8fd/0x1590 fs/open.c:948
do_open fs/namei.c:3622 [inline]
path_openat+0x2845/0x3280 fs/namei.c:3779
do_filp_open+0x234/0x490 fs/namei.c:3809
do_sys_openat2+0x13e/0x1d0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x247/0x290 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Freed by task 5547:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x263/0x3a0 mm/slub.c:3822
device_release+0x95/0x1c0
kobject_cleanup lib/kobject.c:682 [inline]
kobject_release lib/kobject.c:716 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1ee/0x430 lib/kobject.c:733
nfc_free_device include/net/nfc/nfc.h:213 [inline]
nci_free_device+0x38/0x50 net/nfc/nci/core.c:1209
virtual_ncidev_close+0x70/0x90 drivers/nfc/virtual_ncidev.c:164
__fput+0x3cc/0xa10 fs/file_table.c:394
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The buggy address belongs to the object at ffff888028ecd000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1352 bytes inside of
freed 2048-byte region [ffff888028ecd000, ffff888028ecd800)
The buggy address belongs to the physical page:
page:ffffea0000a3b200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28ec8
head:ffffea0000a3b200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012c42000 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 11, tgid 11 (kworker/u4:0), ts 67750501743, free_ts 67716621887
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0x339a/0x3530 mm/page_alloc.c:3312
__alloc_pages+0x255/0x670 mm/page_alloc.c:4568
alloc_pages_mpol+0x3de/0x640 mm/mempolicy.c:2133
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x21d/0x300 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node_track_caller+0xa5/0x230 mm/slab_common.c:1027
kmalloc_reserve+0xf3/0x260 net/core/skbuff.c:582
__alloc_skb+0x1b1/0x420 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
nlmsg_new include/net/netlink.h:1010 [inline]
rtmsg_ifinfo_build_skb+0x89/0x280 net/core/rtnetlink.c:4067
unregister_netdevice_many_notify+0xe2a/0x1710 net/core/dev.c:10987
unregister_netdevice_many net/core/dev.c:11039 [inline]
default_device_exit_batch+0x5c4/0x630 net/core/dev.c:11508
ops_exit_list net/core/net_namespace.c:175 [inline]
cleanup_net+0x767/0xb80 net/core/net_namespace.c:614
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x90f/0x1400 kernel/workqueue.c:2703
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x92a/0xa50 mm/page_alloc.c:2347
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487
__slab_free+0x2f6/0x390 mm/slub.c:3715
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x6c/0x3c0 mm/slab.h:763
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x1d0/0x300 mm/slub.c:3517
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098
kmalloc include/linux/slab.h:600 [inline]
netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:643 [inline]
netdevice_event+0x37d/0x950 drivers/infiniband/core/roce_gid_mgmt.c:802
notifier_call_chain+0x18c/0x3a0 kernel/notifier.c:93
call_netdevice_notifiers_extack net/core/dev.c:2003 [inline]
call_netdevice_notifiers net/core/dev.c:2017 [inline]
unregister_netdevice_many_notify+0xd87/0x1710 net/core/dev.c:10983
unregister_netdevice_many net/core/dev.c:11039 [inline]
default_device_exit_batch+0x5c4/0x630 net/core/dev.c:11508
ops_exit_list net/core/net_namespace.c:175 [inline]
cleanup_net+0x767/0xb80 net/core/net_namespace.c:614
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x90f/0x1400 kernel/workqueue.c:2703
worker_thread+0xa5f/0xff0 kernel/workqueue.c:2784
Memory state around the buggy address:
ffff888028ecd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888028ecd480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888028ecd500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888028ecd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888028ecd600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 9bacdd89 Merge tag 'for-6.7-rc1-tag' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17b024fb680000
kernel config: https://syzkaller.appspot.com/x/.config?x=b5bf1661f609e7f0
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17bb8f5b680000
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: Siddh Raman Pant @ 2023-11-16 16:55 UTC (permalink / raw)
To: davem, edumazet, krzysztof.kozlowski, kuba, pabeni
Cc: linux-kernel, netdev, syzkaller-bugs, syzbot+bbe84a4010eeea00982d
TLDR: Different stages of 1 and 2 can race with each other causing UAF.
1. llcp_sock_sendmsg -> nfc_llcp_send_ui_frame -> loop call (nfc_alloc_send_skb(nfc_dev))
2. virtual_ncidev_close -> [... -> nfc_llcp_socket_release -> ...] -> [... -> nfc_free_device]
---
Hi,
I've been trying to fix this bug for some time but keep getting
stuck every now and then. If someone could give more input or fix it,
it would be really helpful.
This bug is due to racing between sendmsg and freeing of nfc_dev.
For connectionless transmission, llcp_sock_sendmsg() codepath will
eventually call nfc_alloc_send_skb() which takes in an nfc_dev as
an argument for calculating the total size for skb allocation.
virtual_ncidev_close() codepath eventually releases socket by calling
nfc_llcp_socket_release() (which sets the sk->sk_state to LLCP_CLOSED)
and afterwards the nfc_dev will be eventually freed.
When an ndev gets freed, llcp_sock_sendmsg() will result in a
use-after-free as it
(1) doesn't have any checks in place for avoiding the datagram sending.
(1.1) Checking for LLCP_CLOSED in llcp_sock_sendmsg() does make
the racing less likely. For -smp 6 it did not trigger on
my PC, leading me to naively think that was the solution
until syzbot told me quite some time later that it isn't.
(2) calls nfc_llcp_send_ui_frame(), which also has a do-while loop which
can race with freeing (a msg with size of 4096 is sent in chunks of
128 in this repro).
(2.1) By this I mean just moving the nfc_dev access from
nfc_alloc_send_skb to inside this function, be it
inside or outside the loop, naturally doesn't work.
When an nfc_dev is freed and we happened to get the headroom and tailroom,
the PDU skb does not seem to be allocated and ENXIO is returned.
I tried to look at other code in the net subsystem to get an idea of how other
places handle it, but accessing the device later in the codepath does not
seem to be the norm. So I am starting to think some refactoring of the
locking logic may be needed (or maybe RCU-protect headroom and tailroom?).
I don't know if I'm correct, but anyways where does one start?
Thanks,
Siddh
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: Krzysztof Kozlowski @ 2023-11-17 12:48 UTC (permalink / raw)
To: Siddh Raman Pant, davem, edumazet, kuba, pabeni
Cc: linux-kernel, netdev, syzkaller-bugs, syzbot+bbe84a4010eeea00982d
On 16/11/2023 17:55, Siddh Raman Pant wrote:
> TLDR: Different stages of 1 and 2 can race with each other causing UAF.
>
> 1. llcp_sock_sendmsg -> nfc_llcp_send_ui_frame -> loop call (nfc_alloc_send_skb(nfc_dev))
>
> 2. virtual_ncidev_close -> [... -> nfc_llcp_socket_release -> ...] -> [... -> nfc_free_device]
>
> ---
>
> Hi,
>
> I've been trying to fix this bug for some time but ending up getting
> stuck every now and then. If someone could give more inputs or fix it,
> it will be really helpful.
>
> This bug is due to racing between sendmsg and freeing of nfc_dev.
>
> For connectionless transmission, llcp_sock_sendmsg() codepath will
> eventually call nfc_alloc_send_skb() which takes in an nfc_dev as
> an argument for calculating the total size for skb allocation.
>
> virtual_ncidev_close() codepath eventually releases socket by calling
> nfc_llcp_socket_release() (which sets the sk->sk_state to LLCP_CLOSED)
> and afterwards the nfc_dev will be eventually freed.
>
> When an ndev gets freed, llcp_sock_sendmsg() will result in an
> use-after-free as it
>
> (1) doesn't have any checks in place for avoiding the datagram sending.
> (1.1) Checking for LLCP_CLOSED in llcp_sock_sendmsg() does make
> the racing less likely. For -smp 6 it did not trigger on
> my PC, leading me to naively think that was the solution
> until syzbot told me quite some time later that it isn't.
>
> (2) calls nfc_llcp_send_ui_frame(), which also has a do-while loop which
> can race with freeing (a msg with size of 4096 is sent in chunks of
> 128 in this repro).
> (2.1) By this I mean just moving the nfc_dev access from
> nfc_alloc_send_skb to inside this function, be it
> inside or outside the loop, naturally doesn't work.
>
> When an nfc_dev is freed and we happened to get headroom and tailroom,
> PDU skb seems to be not allocated and ENXIO is returned.
>
> I tried to look at other code in net subsystem to get an idea how other
> places handle it, but accessing device later in the codepath does not
> seem to not be a norm. So I am starting to think some refactoring of the
> locking logic may be needed (or maybe RCU protect headroom and tailroom?).
>
> I don't know if I'm correct, but anyways where does one start?
Any checks would need to have proper locking. Or at least barriers...
Adding checks without locks usually does not solve race conditions.
Another starting point is proper ref counting, so the structures are not released
too early. We have had several bugs like this in NFC before, so you can take
a look at their fixes.
Best regards,
Krzysztof
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-17 12:48 ` Krzysztof Kozlowski
@ 2023-11-17 13:17 ` Siddh Raman Pant
From: Siddh Raman Pant @ 2023-11-17 13:17 UTC (permalink / raw)
To: Krzysztof Kozlowski
Cc: davem, edumazet, kuba, pabeni, linux-kernel, netdev,
syzkaller-bugs, syzbot+bbe84a4010eeea00982d
On Fri, 17 Nov 2023 18:18:56 +0530, Krzysztof Kozlowski wrote:
> Any checks would need to have proper locking. Or at least barriers...
> Adding checks without locks usually does not solve race conditions.
Yes of course. I just wanted to put whatever I tested out there.
> Other start is proper ref counting, so the structures are not released
> too early. We have several bugs like this in NFC before, so you can take
> a look at their fixes.
Sure.
Thanks,
Siddh
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-09 8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
` (3 preceding siblings ...)
2023-11-16 16:55 ` Siddh Raman Pant
@ 2023-11-25 17:17 ` Siddh Raman Pant
2023-11-25 17:33 ` syzbot
2023-12-02 14:12 ` Siddh Raman Pant
` (6 subsequent siblings)
From: Siddh Raman Pant @ 2023-11-25 17:17 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, netdev, syzkaller-bugs
#syz test https://github.com/siddhpant/linux.git lock
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-25 17:17 ` Siddh Raman Pant
@ 2023-11-25 17:33 ` syzbot
2023-11-25 18:18 ` Siddh Raman Pant
From: syzbot @ 2023-11-25 17:33 UTC (permalink / raw)
To: code, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in nfc_llcp_socket_release
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5478, name: syz-executor.0
preempt_count: 2, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz-executor.0/5478:
#0: ffff88806cd22468 (&local->sockets.lock){++++}-{2:2}, at: nfc_llcp_socket_release+0x56/0xb90 net/nfc/llcp_core.c:90
#1: ffff88806cd5c0b0 (slock-AF_NFC){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#1: ffff88806cd5c0b0 (slock-AF_NFC){+.+.}-{2:2}, at: nfc_llcp_socket_release+0xcb/0xb90 net/nfc/llcp_core.c:95
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 5478 Comm: syz-executor.0 Not tainted 6.7.0-rc2-syzkaller-00198-g7ac1c88a5daa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
__might_resched+0x5cf/0x780 kernel/sched/core.c:10151
__mutex_lock_common kernel/locking/mutex.c:580 [inline]
__mutex_lock+0xc1/0xd60 kernel/locking/mutex.c:747
nfc_llcp_sock_close net/nfc/llcp_core.c:33 [inline]
nfc_llcp_socket_release+0x498/0xb90 net/nfc/llcp_core.c:120
local_cleanup+0x28/0xe0 net/nfc/llcp_core.c:161
nfc_llcp_unregister_device+0x160/0x240 net/nfc/llcp_core.c:1655
nfc_unregister_device+0x167/0x2a0 net/nfc/core.c:1179
virtual_ncidev_close+0x59/0x90 drivers/nfc/virtual_ncidev.c:163
__fput+0x3cc/0xa10 fs/file_table.c:394
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fe8ddc7b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007fffdaf3d080 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe8ddc7b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fe8ddd9d980 R08: 0000001b2e060000 R09: 00007fffdaf810b0
R10: 00007fffdaf81080 R11: 0000000000000293 R12: 00000000000151df
R13: ffffffffffffffff R14: 00007fe8dd800000 R15: 0000000000014e9e
</TASK>
=============================
[ BUG: Invalid wait context ]
6.7.0-rc2-syzkaller-00198-g7ac1c88a5daa #0 Tainted: G W
-----------------------------
syz-executor.0/5478 is trying to lock:
ffff88806cd5c590 (&llcp_sock->lock){+.+.}-{3:3}, at: nfc_llcp_sock_close net/nfc/llcp_core.c:33 [inline]
ffff88806cd5c590 (&llcp_sock->lock){+.+.}-{3:3}, at: nfc_llcp_socket_release+0x498/0xb90 net/nfc/llcp_core.c:120
other info that might help us debug this:
context-{4:4}
2 locks held by syz-executor.0/5478:
#0: ffff88806cd22468 (&local->sockets.lock){++++}-{2:2}, at: nfc_llcp_socket_release+0x56/0xb90 net/nfc/llcp_core.c:90
#1: ffff88806cd5c0b0 (slock-AF_NFC){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#1: ffff88806cd5c0b0 (slock-AF_NFC){+.+.}-{2:2}, at: nfc_llcp_socket_release+0xcb/0xb90 net/nfc/llcp_core.c:95
stack backtrace:
CPU: 0 PID: 5478 Comm: syz-executor.0 Tainted: G W 6.7.0-rc2-syzkaller-00198-g7ac1c88a5daa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_lock_invalid_wait_context kernel/locking/lockdep.c:4750 [inline]
check_wait_context kernel/locking/lockdep.c:4820 [inline]
__lock_acquire+0x1825/0x7f70 kernel/locking/lockdep.c:5086
lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5753
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x136/0xd60 kernel/locking/mutex.c:747
nfc_llcp_sock_close net/nfc/llcp_core.c:33 [inline]
nfc_llcp_socket_release+0x498/0xb90 net/nfc/llcp_core.c:120
local_cleanup+0x28/0xe0 net/nfc/llcp_core.c:161
nfc_llcp_unregister_device+0x160/0x240 net/nfc/llcp_core.c:1655
nfc_unregister_device+0x167/0x2a0 net/nfc/core.c:1179
virtual_ncidev_close+0x59/0x90 drivers/nfc/virtual_ncidev.c:163
__fput+0x3cc/0xa10 fs/file_table.c:394
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fe8ddc7b9da
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007fffdaf3d080 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe8ddc7b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fe8ddd9d980 R08: 0000001b2e060000 R09: 00007fffdaf810b0
R10: 00007fffdaf81080 R11: 0000000000000293 R12: 00000000000151df
R13: ffffffffffffffff R14: 00007fe8dd800000 R15: 0000000000014e9e
</TASK>
Tested on:
commit: 7ac1c88a lock
git tree: https://github.com/siddhpant/linux.git lock
console output: https://syzkaller.appspot.com/x/log.txt?x=11f333af680000
kernel config: https://syzkaller.appspot.com/x/.config?x=1e6a76f6c7029ca2
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-09 8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
` (4 preceding siblings ...)
2023-11-25 17:17 ` Siddh Raman Pant
@ 2023-12-02 14:12 ` Siddh Raman Pant
2023-12-02 14:37 ` syzbot
2023-12-02 14:14 ` Siddh Raman Pant
` (5 subsequent siblings)
From: Siddh Raman Pant @ 2023-12-02 14:12 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, netdev, syzkaller-bugs
Test repro on main.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-12-02 14:12 ` Siddh Raman Pant
@ 2023-12-02 14:37 ` syzbot
From: syzbot @ 2023-12-02 14:37 UTC (permalink / raw)
To: code, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in nfc_alloc_send_skb
llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
==================================================================
BUG: KASAN: slab-use-after-free in nfc_alloc_send_skb+0x149/0x1c0 net/nfc/core.c:722
Read of size 4 at addr ffff8880213d0548 by task syz-executor.0/5687
CPU: 0 PID: 5687 Comm: syz-executor.0 Not tainted 6.7.0-rc3-syzkaller-00686-g7453d7a633d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x142/0x170 mm/kasan/report.c:588
nfc_alloc_send_skb+0x149/0x1c0 net/nfc/core.c:722
nfc_llcp_send_ui_frame+0x2ac/0x670 net/nfc/llcp_commands.c:766
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2584
___sys_sendmsg net/socket.c:2638 [inline]
__sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
__do_sys_sendmmsg net/socket.c:2753 [inline]
__se_sys_sendmmsg net/socket.c:2750 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fa12c27cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa12d00b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fa12c39bf80 RCX: 00007fa12c27cae9
RDX: 0000000000000001 RSI: 00000000200013c0 RDI: 0000000000000004
RBP: 00007fa12c2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa12c39bf80 R15: 00007ffd319ae358
</TASK>
Allocated by task 5687:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:721 [inline]
nfc_allocate_device+0x12f/0x520 net/nfc/core.c:1065
nci_allocate_device+0x1e2/0x360 net/nfc/nci/core.c:1179
virtual_ncidev_open+0x75/0x1b0 drivers/nfc/virtual_ncidev.c:141
misc_open+0x30b/0x380 drivers/char/misc.c:165
chrdev_open+0x5ab/0x630 fs/char_dev.c:414
do_dentry_open+0x8fd/0x1590 fs/open.c:948
do_open fs/namei.c:3622 [inline]
path_openat+0x2845/0x3280 fs/namei.c:3779
do_filp_open+0x234/0x490 fs/namei.c:3809
do_sys_openat2+0x13e/0x1d0 fs/open.c:1440
do_sys_open fs/open.c:1455 [inline]
__do_sys_openat fs/open.c:1471 [inline]
__se_sys_openat fs/open.c:1466 [inline]
__x64_sys_openat+0x247/0x290 fs/open.c:1466
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Freed by task 5686:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x263/0x3a0 mm/slub.c:3822
device_release+0x95/0x1c0
kobject_cleanup lib/kobject.c:682 [inline]
kobject_release lib/kobject.c:716 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1ee/0x430 lib/kobject.c:733
nfc_free_device include/net/nfc/nfc.h:213 [inline]
nci_free_device+0x38/0x50 net/nfc/nci/core.c:1209
virtual_ncidev_close+0x70/0x90 drivers/nfc/virtual_ncidev.c:169
__fput+0x3cc/0xa10 fs/file_table.c:394
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xad/0xc0 mm/kasan/generic.c:492
__call_rcu_common kernel/rcu/tree.c:2681 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:2795
netlink_release+0x162a/0x1b00 net/netlink/af_netlink.c:831
__sock_release net/socket.c:659 [inline]
sock_close+0xb8/0x230 net/socket.c:1419
__fput+0x3cc/0xa10 fs/file_table.c:394
task_work_run+0x24a/0x300 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa34/0x2750 kernel/exit.c:871
do_group_exit+0x206/0x2c0 kernel/exit.c:1021
__do_sys_exit_group kernel/exit.c:1032 [inline]
__se_sys_exit_group kernel/exit.c:1030 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The buggy address belongs to the object at ffff8880213d0000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1352 bytes inside of
freed 2048-byte region [ffff8880213d0000, ffff8880213d0800)
The buggy address belongs to the physical page:
page:ffffea000084f400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x213d0
head:ffffea000084f400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012c42000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4501, tgid 4501 (udevd), ts 68833145467, free_ts 66934106075
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1544
prep_new_page mm/page_alloc.c:1551 [inline]
get_page_from_freelist+0x339a/0x3530 mm/page_alloc.c:3319
__alloc_pages+0x255/0x670 mm/page_alloc.c:4575
alloc_pages_mpol+0x3de/0x640 mm/mempolicy.c:2133
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x21d/0x300 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc+0xa8/0x230 mm/slab_common.c:1020
kmalloc include/linux/slab.h:604 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2075
sk_alloc+0x38/0x370 net/core/sock.c:2128
__netlink_create+0x6b/0x2c0 net/netlink/af_netlink.c:647
netlink_create+0x3d4/0x590 net/netlink/af_netlink.c:712
__sock_create+0x48c/0x910 net/socket.c:1569
sock_create net/socket.c:1620 [inline]
__sys_socket_create net/socket.c:1657 [inline]
__sys_socket+0x14f/0x3b0 net/socket.c:1704
__do_sys_socket net/socket.c:1718 [inline]
__se_sys_socket net/socket.c:1716 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1716
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1144 [inline]
free_unref_page_prepare+0x958/0xa70 mm/page_alloc.c:2354
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2494
discard_slab mm/slub.c:2116 [inline]
__unfreeze_partials+0x1dc/0x220 mm/slub.c:2655
put_cpu_partial+0x17b/0x250 mm/slub.c:2731
__slab_free+0x2b6/0x390 mm/slub.c:3679
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x6c/0x3c0 mm/slab.h:763
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc+0x1be/0x350 mm/slub.c:3502
getname_flags+0xbc/0x4f0 fs/namei.c:140
vfs_fstatat+0x11c/0x190 fs/stat.c:298
__do_sys_newfstatat fs/stat.c:463 [inline]
__se_sys_newfstatat fs/stat.c:457 [inline]
__x64_sys_newfstatat+0x117/0x190 fs/stat.c:457
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Memory state around the buggy address:
ffff8880213d0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880213d0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880213d0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880213d0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880213d0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 7453d7a6 nfp: ethtool: expose transmit SO_TIMESTAMPING..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=136fe752e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=94286555cac4ea49
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-09 8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
` (5 preceding siblings ...)
2023-12-02 14:12 ` Siddh Raman Pant
@ 2023-12-02 14:14 ` Siddh Raman Pant
2023-12-02 14:56 ` syzbot
2023-12-03 18:22 ` Siddh Raman Pant
` (4 subsequent siblings)
From: Siddh Raman Pant @ 2023-12-02 14:14 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d
Cc: davem, edumazet, krzysztof.kozlowski, kuba, linux-kernel, netdev,
pabeni, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..e071cb15bce2 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,12 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ struct nfc_dev *d;
+
+ d = nfc_get_device(local->dev->idx);
+ if (!d)
+ return NULL;
+
kref_get(&local->ref);
return local;
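Review bot: The pointer returned by nfc_get_device() is stored in `d` and then never used, so the check only proves that some device with index `local->dev->idx` currently exists; nothing verifies that it is the same object as `local->dev`, which is what nfc_llcp_local_put() will later release. If an index can be reused by a newly registered device, the reference would be taken on one object and dropped on another. Either use the variable, `if (d != local->dev) { nfc_put_device(d); return NULL; }` after the NULL check, or drop it and document the assumption that the lookup always yields `local->dev`. Reading `local->dev->idx` here is itself only safe if the caller already holds a reference on `local`; that precondition deserves a comment. The function's closing brace is outside the hunk.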
@@ -180,6 +186,7 @@ int nfc_llcp_local_put(struct nfc_llcp_local *local)
if (local == NULL)
return 0;
+ nfc_put_device(local->dev);
return kref_put(&local->ref, local_release);
}
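Review bot: `nfc_put_device(local->dev)` runs before `kref_put()`, so on the last local reference local_release() executes with the device reference already dropped; if local_release() or anything it calls still touches `local->dev`, that reopens the window this patch is meant to close. Read the pointer first and release it after the kref: `dev = local->dev; ret = kref_put(&local->ref, local_release); nfc_put_device(dev);` — the pointer has to be saved because `local` may no longer exist after the kref_put. local_release() is outside the hunk, so whether it uses the device cannot be confirmed from here.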
@@ -959,8 +966,17 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
}
new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local) {
+ reason = LLCP_DM_REJ;
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
+ sock_put(&new_sock->sk);
+ goto fail;
+ }
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
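Review bot: The new failure branch releases the parent socket and calls `sock_put(&new_sock->sk)`, but it is not clear from the hunk that this alone undoes everything set up when `new_sk` was allocated above it; the function's other error exits are also outside the hunk, so this path should be checked against them. If the final `sock_put()` is what frees `new_sk`, any additional cleanup of `new_sock` would have to come before it, not after. A short comment on the branch, `/* device gone: reject the connection and release the half-built socket */`, would make the intent of the ordering clear. nfc_llcp_recv_connect starts and ends outside the hunk.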
@@ -1597,7 +1613,11 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;
- local->dev = ndev;
+ /* Hold a reference to the device. */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev)
+ return -ENODEV;
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
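Review bot: The new `return -ENODEV` leaks `local`: the `-ENOMEM` check on the preceding context line shows it was evidently just allocated, and nothing frees it before the early return. Change the branch to `if (!local->dev) { kfree(local); return -ENODEV; }`. The comment `/* Hold a reference to the device. */` should also say who owns that reference and where it is dropped, e.g. `/* local owns a reference on ndev; nfc_llcp_local_put() releases it. */`. The rest of nfc_llcp_register_device, including any later failure paths that might free local without going through nfc_llcp_local_put(), is outside the hunk.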
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-12-02 14:14 ` Siddh Raman Pant
@ 2023-12-02 14:56 ` syzbot
From: syzbot @ 2023-12-02 14:56 UTC (permalink / raw)
To: code, davem, edumazet, krzysztof.kozlowski, kuba, linux-kernel,
netdev, pabeni, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
Tested on:
commit: 7453d7a6 nfp: ethtool: expose transmit SO_TIMESTAMPING..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=1632f254e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=94286555cac4ea49
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11d5552ce80000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-09 8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
` (6 preceding siblings ...)
2023-12-02 14:14 ` Siddh Raman Pant
@ 2023-12-03 18:22 ` Siddh Raman Pant
2023-12-03 18:46 ` syzbot
2023-12-09 9:27 ` Siddh Raman Pant
` (3 subsequent siblings)
From: Siddh Raman Pant @ 2023-12-03 18:22 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
---
net/nfc/llcp_core.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..9d45ce6dcdca 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,9 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ if (!nfc_get_device(local->dev->idx))
+ return NULL;
+
kref_get(&local->ref);
return local;
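Review bot: There is no comment explaining why taking a reference on `local` now also takes a reference on the device, and the check discards the pointer nfc_get_device() returns, so the reader has to infer that the reference is on `local->dev`. A header comment such as `/* Every reference on local is paired with one on local->dev, so code reached through local never sees a freed nfc_dev; released in nfc_llcp_local_put(). */` would record the invariant, and a note that the caller must already hold a reference on `local` for the `local->dev->idx` read to be safe. Keeping the returned pointer and comparing it with `local->dev` would turn the assumption into a check. The function's closing brace is outside the hunk.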
@@ -180,6 +183,7 @@ int nfc_llcp_local_put(struct nfc_llcp_local *local)
if (local == NULL)
return 0;
+ nfc_put_device(local->dev);
return kref_put(&local->ref, local_release);
}
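Review bot: `nfc_put_device(local->dev)` is dropped before `kref_put()`, so when this is the last reference local_release() runs after the device reference is gone; if local_release() (outside the hunk) dereferences `local->dev`, the use-after-free this series targets is still possible on that path. Save the pointer and release it after the kref: `dev = local->dev; ret = kref_put(&local->ref, local_release); nfc_put_device(dev);`. The pointer must be read before the put because `local` may be freed by it.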
@@ -959,8 +963,18 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
}
new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local) {
+ reason = LLCP_DM_REJ;
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
+ sock_put(&new_sock->sk);
+ nfc_llcp_sock_free(new_sock);
+ goto fail;
+ }
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
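Review bot: `nfc_llcp_sock_free(new_sock)` is called after `sock_put(&new_sock->sk)`; if that put drops the last reference on `new_sk` and its destructor runs, nfc_llcp_sock_free() then touches freed memory, and if the destructor itself tears down the LLCP fields they are freed twice. Whether either happens depends on the refcount `new_sk` holds at this point and on the socket's destructor, both outside the hunk, so confirm it — or call `nfc_llcp_sock_free(new_sock);` before `sock_put(&new_sock->sk);` so the order is safe either way. nfc_llcp_recv_connect starts and ends outside the hunk.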
@@ -1597,7 +1611,13 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;
- local->dev = ndev;
+ /* Hold a reference to the device. */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev) {
+ kfree(local);
+ return -ENODEV;
+ }
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
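Review bot: With the device reference now owned by `local`, any later failure path in nfc_llcp_register_device() that frees `local` with kfree() rather than through nfc_llcp_local_put() leaks that reference; the rest of the function is outside the hunk, so those exits need checking. The comment `/* Hold a reference to the device. */` should state the ownership rule it introduces, e.g. `/* local owns a reference on ndev for its whole lifetime; nfc_llcp_local_put() drops it. */`, since the `kfree(local)` on the new error branch is only correct because the kref has not been initialised yet.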
--
2.42.0
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-09 8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
` (7 preceding siblings ...)
2023-12-03 18:22 ` Siddh Raman Pant
@ 2023-12-09 9:27 ` Siddh Raman Pant
2023-12-09 9:44 ` syzbot
2023-12-12 18:11 ` Siddh Raman Pant
` (2 subsequent siblings)
From: Siddh Raman Pant @ 2023-12-09 9:27 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, netdev, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
---
net/nfc/llcp_core.c | 40 +++++++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..fadc8a9ec4df 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
+ * we hold a reference to local, we also need to hold a reference to
+ * the device to avoid UAF.
+ */
+ if (!nfc_get_device(local->dev->idx))
+ return NULL;
+
kref_get(&local->ref);
return local;
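Review bot: The device pointer returned by nfc_get_device() is discarded, so the reference taken is assumed rather than verified to be on `local->dev`; if a device index can be reused by a later registration, the lookup can succeed on a different object while nfc_llcp_local_put() later releases `local->dev`, unbalancing both refcounts. Keep the result and compare it with `local->dev`, undoing the get when they differ. The new comment should also state the precondition that the caller already holds a reference on `local` (otherwise the `local->dev->idx` read is itself unsafe). The function's closing brace is outside the hunk.
```c
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
	struct nfc_dev *dev;

	/* … unchanged: comment on pairing the local and device references … */
	dev = nfc_get_device(local->dev->idx);
	if (!dev)
		return NULL;
	if (dev != local->dev) {
		/* Index reused by another device: undo the get, treat as gone. */
		nfc_put_device(dev);
		return NULL;
	}

	kref_get(&local->ref);
	return local;
```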
@@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
int nfc_llcp_local_put(struct nfc_llcp_local *local)
{
+ struct nfc_dev *dev;
+ int ret;
+
if (local == NULL)
return 0;
- return kref_put(&local->ref, local_release);
+ dev = local->dev;
+
+ ret = kref_put(&local->ref, local_release);
+ nfc_put_device(dev);
+
+ return ret;
}
static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
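Review bot: The reason `dev` is copied out before `kref_put()` is not stated, and a later reader could "simplify" it back to `nfc_put_device(local->dev)` after the put, which would read `local` after local_release() may have freed it. Add `/* local may be freed by local_release(); read dev before dropping the kref. */` above `dev = local->dev;`. Dropping the local first and the device second also keeps the device alive while local_release() (outside the hunk) runs, which is worth a second clause in that comment.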
@@ -959,8 +974,18 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
}
new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local) {
+ reason = LLCP_DM_REJ;
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
+ sock_put(&new_sock->sk);
+ nfc_llcp_sock_free(new_sock);
+ goto fail;
+ }
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
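Review bot: `nfc_llcp_sock_free(new_sock)` still follows `sock_put(&new_sock->sk)`; if that put releases the last reference on `new_sk`, the free operates on memory the destructor may already have released. The refcount held here and the destructor are outside the hunk, so either confirm the order is safe or swap the two calls, `nfc_llcp_sock_free(new_sock);` then `sock_put(&new_sock->sk);`. nfc_llcp_recv_connect starts and ends outside the hunk.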
@@ -1597,7 +1622,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;
- local->dev = ndev;
+ /* As we are going to initialize local's refcount, we need to get the
+ * nfc_dev to avoid UAF, otherwise there is no point in continuing.
+ * See nfc_llcp_local_get().
+ */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev) {
+ kfree(local);
+ return -ENODEV;
+ }
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
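Review bot: The comment explains why the reference is taken but not who releases it, and the later failure paths of nfc_llcp_register_device() (outside the hunk) now matter: any of them that frees `local` with kfree() instead of nfc_llcp_local_put() leaks the device reference taken here. Extend the comment with `/* local owns this reference until nfc_llcp_local_put() drops it; later error paths must go through it. */` and check those exits. The `kfree(local)` on the new branch is fine only because `kref_init()` has not run yet, which is also worth a word.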
--
2.42.0
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-12-09 9:27 ` Siddh Raman Pant
@ 2023-12-09 9:44 ` syzbot
2023-12-09 9:55 ` Siddh Raman Pant
From: syzbot @ 2023-12-09 9:44 UTC (permalink / raw)
To: code, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
T5050] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 62.857361][ T5050] hsr_slave_0: entered promiscuous mode
[ 62.864126][ T5050] hsr_slave_1: entered promiscuous mode
[ 62.979501][ T5050] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 62.996696][ T5050] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 63.006256][ T5050] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 63.015837][ T5050] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 63.041312][ T5050] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.048641][ T5050] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.056959][ T5050] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.064263][ T5050] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.119861][ T5050] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.148864][ T1634] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.157999][ T1634] bridge0: port 2(bridge_slave_1) entered disabled state
[ 179.731056][ C0] ------------[ cut here ]------------
[ 179.737601][ C0] WARNING: CPU: 0 PID: 11 at kernel/rcu/tree_stall.h:990 rcu_check_gp_start_stall+0x2c8/0x450
[ 179.748258][ C0] Modules linked in:
[ 179.752699][ C0] CPU: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.7.0-rc4-syzkaller-00840-ga3c205d0560f-dirty #0
[ 179.763989][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 179.774762][ C0] Workqueue: events_unbound toggle_allocation_gate
[ 179.781293][ C0] RIP: 0010:rcu_check_gp_start_stall+0x2c8/0x450
[ 179.787811][ C0] Code: c7 c7 20 03 61 92 be 04 00 00 00 e8 c2 b0 73 00 b8 01 00 00 00 87 05 17 88 e9 10 85 c0 0f 85 1c ff ff ff 48 c7 c0 40 23 93 8d <0f> 0b 49 39 c7 74 47 48 c7 c0 fc cb 00 8f 48 c1 e8 03 42 0f b6 04
[ 179.808399][ C0] RSP: 0018:ffffc90000007bd8 EFLAGS: 00010046
[ 179.814568][ C0] RAX: ffffffff8d932340 RBX: 00000000ffffcb7c RCX: ffffffff81777afe
[ 179.822636][ C0] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff92610320
[ 179.830613][ C0] RBP: ffffc90000007e30 R08: 0000000000000003 R09: fffffbfff24c2064
[ 179.840847][ C0] R10: dffffc0000000000 R11: fffffbfff24c2064 R12: dffffc0000000000
[ 179.849003][ C0] R13: dffffc0000000000 R14: 0000000000000246 R15: ffffffff8d932340
[ 179.857082][ C0] FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
[ 179.866546][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 179.873705][ C0] CR2: 00007ffdeb775fe8 CR3: 000000000d730000 CR4: 00000000003506f0
[ 179.881843][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 179.890277][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 179.898361][ C0] Call Trace:
[ 179.901772][ C0] <IRQ>
[ 179.904649][ C0] ? __warn+0x162/0x4a0
[ 179.909260][ C0] ? rcu_check_gp_start_stall+0x2c8/0x450
[ 179.915024][ C0] ? report_bug+0x2b3/0x500
[ 179.919734][ C0] ? rcu_check_gp_start_stall+0x2c8/0x450
[ 179.925470][ C0] ? handle_bug+0x3d/0x70
[ 179.930252][ C0] ? exc_invalid_op+0x1a/0x50
[ 179.935586][ C0] ? asm_exc_invalid_op+0x1a/0x20
[ 179.940822][ C0] ? rcu_check_gp_start_stall+0x2ae/0x450
[ 179.946630][ C0] ? rcu_check_gp_start_stall+0x2c8/0x450
[ 179.952413][ C0] ? rcu_check_gp_start_stall+0x2ae/0x450
[ 179.958459][ C0] rcu_core+0x663/0x17a0
[ 179.962834][ C0] ? read_lock_is_recursive+0x20/0x20
[ 179.968258][ C0] ? ktime_get+0x83/0x270
[ 179.972813][ C0] ? rcu_cpu_kthread_park+0x90/0x90
[ 179.978055][ C0] ? kvm_sched_clock_read+0x11/0x20
[ 179.983302][ C0] ? sched_clock+0x4a/0x60
[ 179.987843][ C0] ? mark_lock+0x9a/0x340
[ 179.992197][ C0] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0
[ 179.998196][ C0] ? print_irqtrace_events+0x220/0x220
[ 180.003697][ C0] ? do_raw_spin_unlock+0x13b/0x8b0
[ 180.008968][ C0] __do_softirq+0x2bf/0x93a
[ 180.013814][ C0] ? __irq_exit_rcu+0xf1/0x1b0
[ 180.018616][ C0] ? __lock_text_end+0xc/0xc
[ 180.023225][ C0] ? irqtime_account_irq+0xd4/0x1e0
[ 180.028445][ C0] __irq_exit_rcu+0xf1/0x1b0
[ 180.033142][ C0] ? irq_exit_rcu+0x20/0x20
[ 180.037866][ C0] irq_exit_rcu+0x9/0x20
[ 180.042408][ C0] sysvec_apic_timer_interrupt+0x95/0xb0
[ 180.048243][ C0] </IRQ>
[ 180.051182][ C0] <TASK>
[ 180.054123][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 180.060165][ C0] RIP: 0010:__sanitizer_cov_trace_pc+0x36/0x60
[ 180.066365][ C0] Code: b0 f0 74 7e 65 8b 15 b1 f0 74 7e f7 c2 00 01 ff 00 74 11 f7 c2 00 01 00 00 74 35 83 b9 fc 15 00 00 00 74 2c 8b 91 d8 15 00 00 <83> fa 02 75 21 48 8b 91 e0 15 00 00 48 8b 32 48 8d 7e 01 8b 89 dc
[ 180.086252][ C0] RSP: 0018:ffffc90000107718 EFLAGS: 00000246
[ 180.092428][ C0] RAX: ffffffff81833ce4 RBX: 1ffff110173282d5 RCX: ffff888017a43b80
[ 180.100441][ C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 180.108510][ C0] RBP: ffffc90000107920 R08: ffffffff81833cb3 R09: 1ffffffff21bac6c
[ 180.116949][ C0] R10: dffffc0000000000 R11: fffffbfff21bac6d R12: dffffc0000000000
[ 180.125132][ C0] R13: ffff8880b99416a8 R14: ffff8880b983d480 R15: 0000000000000001
[ 180.133973][ C0] ? smp_call_function_many_cond+0x1813/0x2900
[ 180.140795][ C0] ? smp_call_function_many_cond+0x1844/0x2900
[ 180.147370][ C0] smp_call_function_many_cond+0x1844/0x2900
[ 180.154212][ C0] ? text_poke_sync+0x30/0x30
[ 180.159289][ C0] ? text_poke+0xc0/0xc0
[ 180.163738][ C0] ? smp_call_function_many+0x40/0x40
[ 180.169302][ C0] ? __might_sleep+0xc0/0xc0
[ 180.174016][ C0] ? __mutex_trylock_common+0x182/0x2e0
[ 180.180065][ C0] ? __might_sleep+0xc0/0xc0
[ 180.185033][ C0] ? text_poke_sync+0x30/0x30
[ 180.189811][ C0] on_each_cpu_cond_mask+0x3f/0x80
[ 180.194980][ C0] text_poke_bp_batch+0x350/0xb20
[ 180.200672][ C0] ? text_poke_loc_init+0x860/0x860
[ 180.206308][ C0] ? mutex_lock_nested+0x20/0x20
[ 180.211647][ C0] ? arch_jump_label_transform_queue+0x97/0xf0
[ 180.218209][ C0] text_poke_finish+0x30/0x50
[ 180.223276][ C0] arch_jump_label_transform_apply+0x1c/0x30
[ 180.229554][ C0] static_key_enable_cpuslocked+0x132/0x250
[ 180.235503][ C0] static_key_enable+0x1a/0x20
[ 180.240314][ C0] toggle_allocation_gate+0xb5/0x250
[ 180.245881][ C0] ? show_object+0x70/0x70
[ 180.250317][ C0] ? print_irqtrace_events+0x220/0x220
[ 180.256155][ C0] ? process_scheduled_works+0x825/0x1400
[ 180.262276][ C0] process_scheduled_works+0x90f/0x1400
[ 180.268186][ C0] ? assign_work+0x3d0/0x3d0
[ 180.273104][ C0] ? assign_work+0x364/0x3d0
[ 180.277830][ C0] worker_thread+0xa5f/0xff0
[ 180.282565][ C0] kthread+0x2d3/0x370
[ 180.286912][ C0] ? pr_cont_work+0x5e0/0x5e0
[ 180.291599][ C0] ? kthread_blkcg+0xd0/0xd0
[ 180.296209][ C0] ret_from_fork+0x48/0x80
[ 180.300811][ C0] ? kthread_blkcg+0xd0/0xd0
[ 180.305778][ C0] ret_from_fork_asm+0x11/0x20
[ 180.310869][ C0] </TASK>
[ 180.314004][ C0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 180.321584][ C0] CPU: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.7.0-rc4-syzkaller-00840-ga3c205d0560f-dirty #0
[ 180.332897][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 180.343222][ C0] Workqueue: events_unbound toggle_allocation_gate
[ 180.349953][ C0] Call Trace:
[ 180.353457][ C0] <IRQ>
[ 180.356398][ C0] dump_stack_lvl+0x1e7/0x2d0
[ 180.361313][ C0] ? tcp_gro_dev_warn+0x260/0x260
[ 180.366935][ C0] ? panic+0x850/0x850
[ 180.371612][ C0] ? _printk+0xd5/0x120
[ 180.376277][ C0] ? vscnprintf+0x5d/0x80
[ 180.380716][ C0] panic+0x349/0x850
[ 180.384982][ C0] ? __warn+0x171/0x4a0
[ 180.389284][ C0] ? __memcpy_flushcache+0x2b0/0x2b0
[ 180.394850][ C0] ? show_trace_log_lvl+0x4e4/0x520
[ 180.400541][ C0] ? ret_from_fork_asm+0x11/0x20
[ 180.405614][ C0] __warn+0x314/0x4a0
[ 180.409706][ C0] ? rcu_check_gp_start_stall+0x2c8/0x450
[ 180.415699][ C0] report_bug+0x2b3/0x500
[ 180.420350][ C0] ? rcu_check_gp_start_stall+0x2c8/0x450
[ 180.426187][ C0] handle_bug+0x3d/0x70
[ 180.430438][ C0] exc_invalid_op+0x1a/0x50
[ 180.435077][ C0] asm_exc_invalid_op+0x1a/0x20
[ 180.440048][ C0] RIP: 0010:rcu_check_gp_start_stall+0x2c8/0x450
[ 180.446418][ C0] Code: c7 c7 20 03 61 92 be 04 00 00 00 e8 c2 b0 73 00 b8 01 00 00 00 87 05 17 88 e9 10 85 c0 0f 85 1c ff ff ff 48 c7 c0 40 23 93 8d <0f> 0b 49 39 c7 74 47 48 c7 c0 fc cb 00 8f 48 c1 e8 03 42 0f b6 04
[ 180.466139][ C0] RSP: 0018:ffffc90000007bd8 EFLAGS: 00010046
[ 180.473016][ C0] RAX: ffffffff8d932340 RBX: 00000000ffffcb7c RCX: ffffffff81777afe
[ 180.481308][ C0] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff92610320
[ 180.489668][ C0] RBP: ffffc90000007e30 R08: 0000000000000003 R09: fffffbfff24c2064
[ 180.497745][ C0] R10: dffffc0000000000 R11: fffffbfff24c2064 R12: dffffc0000000000
[ 180.506192][ C0] R13: dffffc0000000000 R14: 0000000000000246 R15: ffffffff8d932340
[ 180.514479][ C0] ? rcu_check_gp_start_stall+0x2ae/0x450
[ 180.520417][ C0] ? rcu_check_gp_start_stall+0x2ae/0x450
[ 180.526323][ C0] rcu_core+0x663/0x17a0
[ 180.530685][ C0] ? read_lock_is_recursive+0x20/0x20
[ 180.536185][ C0] ? ktime_get+0x83/0x270
[ 180.540680][ C0] ? rcu_cpu_kthread_park+0x90/0x90
[ 180.545998][ C0] ? kvm_sched_clock_read+0x11/0x20
[ 180.551211][ C0] ? sched_clock+0x4a/0x60
[ 180.555991][ C0] ? mark_lock+0x9a/0x340
[ 180.560424][ C0] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0
[ 180.566502][ C0] ? print_irqtrace_events+0x220/0x220
[ 180.572211][ C0] ? do_raw_spin_unlock+0x13b/0x8b0
[ 180.577746][ C0] __do_softirq+0x2bf/0x93a
[ 180.582760][ C0] ? __irq_exit_rcu+0xf1/0x1b0
[ 180.587741][ C0] ? __lock_text_end+0xc/0xc
[ 180.592355][ C0] ? irqtime_account_irq+0xd4/0x1e0
[ 180.597657][ C0] __irq_exit_rcu+0xf1/0x1b0
[ 180.602619][ C0] ? irq_exit_rcu+0x20/0x20
[ 180.607243][ C0] irq_exit_rcu+0x9/0x20
[ 180.612553][ C0] sysvec_apic_timer_interrupt+0x95/0xb0
[ 180.618722][ C0] </IRQ>
[ 180.621714][ C0] <TASK>
[ 180.624742][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 180.631115][ C0] RIP: 0010:__sanitizer_cov_trace_pc+0x36/0x60
[ 180.637594][ C0] Code: b0 f0 74 7e 65 8b 15 b1 f0 74 7e f7 c2 00 01 ff 00 74 11 f7 c2 00 01 00 00 74 35 83 b9 fc 15 00 00 00 74 2c 8b 91 d8 15 00 00 <83> fa 02 75 21 48 8b 91 e0 15 00 00 48 8b 32 48 8d 7e 01 8b 89 dc
[ 180.657407][ C0] RSP: 0018:ffffc90000107718 EFLAGS: 00000246
[ 180.663507][ C0] RAX: ffffffff81833ce4 RBX: 1ffff110173282d5 RCX: ffff888017a43b80
[ 180.671669][ C0] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[ 180.679908][ C0] RBP: ffffc90000107920 R08: ffffffff81833cb3 R09: 1ffffffff21bac6c
[ 180.687996][ C0] R10: dffffc0000000000 R11: fffffbfff21bac6d R12: dffffc0000000000
[ 180.696061][ C0] R13: ffff8880b99416a8 R14: ffff8880b983d480 R15: 0000000000000001
[ 180.704055][ C0] ? smp_call_function_many_cond+0x1813/0x2900
[ 180.710320][ C0] ? smp_call_function_many_cond+0x1844/0x2900
[ 180.716692][ C0] smp_call_function_many_cond+0x1844/0x2900
[ 180.722873][ C0] ? text_poke_sync+0x30/0x30
[ 180.727835][ C0] ? text_poke+0xc0/0xc0
[ 180.732236][ C0] ? smp_call_function_many+0x40/0x40
[ 180.737749][ C0] ? __might_sleep+0xc0/0xc0
[ 180.742376][ C0] ? __mutex_trylock_common+0x182/0x2e0
[ 180.748112][ C0] ? __might_sleep+0xc0/0xc0
[ 180.752894][ C0] ? text_poke_sync+0x30/0x30
[ 180.757714][ C0] on_each_cpu_cond_mask+0x3f/0x80
[ 180.763241][ C0] text_poke_bp_batch+0x350/0xb20
[ 180.768493][ C0] ? text_poke_loc_init+0x860/0x860
[ 180.773704][ C0] ? mutex_lock_nested+0x20/0x20
[ 180.779139][ C0] ? arch_jump_label_transform_queue+0x97/0xf0
[ 180.785588][ C0] text_poke_finish+0x30/0x50
[ 180.790541][ C0] arch_jump_label_transform_apply+0x1c/0x30
[ 180.797351][ C0] static_key_enable_cpuslocked+0x132/0x250
[ 180.803757][ C0] static_key_enable+0x1a/0x20
[ 180.809346][ C0] toggle_allocation_gate+0xb5/0x250
[ 180.814653][ C0] ? show_object+0x70/0x70
[ 180.819152][ C0] ? print_irqtrace_events+0x220/0x220
[ 180.824746][ C0] ? process_scheduled_works+0x825/0x1400
[ 180.830604][ C0] process_scheduled_works+0x90f/0x1400
[ 180.836209][ C0] ? assign_work+0x3d0/0x3d0
[ 180.840832][ C0] ? assign_work+0x364/0x3d0
[ 180.845529][ C0] worker_thread+0xa5f/0xff0
[ 180.850253][ C0] kthread+0x2d3/0x370
[ 180.854449][ C0] ? pr_cont_work+0x5e0/0x5e0
[ 180.859271][ C0] ? kthread_blkcg+0xd0/0xd0
[ 180.864084][ C0] ret_from_fork+0x48/0x80
[ 180.868617][ C0] ? kthread_blkcg+0xd0/0xd0
[ 180.873223][ C0] ret_from_fork_asm+0x11/0x20
[ 180.878369][ C0] </TASK>
[ 182.025765][ C0] Shutting down cpus with NMI
[ 182.030790][ C0] Kernel Offset: disabled
[ 182.035896][ C0] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1579409592=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 500bfdc41
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=500bfdc41735bc8d617cbfd4f1ab6b5980c8f1e5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231103-130513'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=500bfdc41735bc8d617cbfd4f1ab6b5980c8f1e5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231103-130513'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=500bfdc41735bc8d617cbfd4f1ab6b5980c8f1e5 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231103-130513'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"500bfdc41735bc8d617cbfd4f1ab6b5980c8f1e5\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12d84132e80000
Tested on:
commit: a3c205d0 ipv6: do not check fib6_has_expires() in fib6..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
kernel config: https://syzkaller.appspot.com/x/.config?x=57866e264f623c10
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13b2124ce80000
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-12-09 9:44 ` syzbot
@ 2023-12-09 9:55 ` Siddh Raman Pant
2023-12-09 10:20 ` syzbot
From: Siddh Raman Pant @ 2023-12-09 9:55 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: code, linux-kernel, netdev, syzkaller-bugs
The build is failing on net-next, so testing on mainline instead.
That is fine because the nfc commits are the same.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/nfc/llcp_core.c | 40 +++++++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..fadc8a9ec4df 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
+ * we hold a reference to local, we also need to hold a reference to
+ * the device to avoid UAF.
+ */
+ if (!nfc_get_device(local->dev->idx))
+ return NULL;
+
kref_get(&local->ref);
return local;
@@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
int nfc_llcp_local_put(struct nfc_llcp_local *local)
{
+ struct nfc_dev *dev;
+ int ret;
+
if (local == NULL)
return 0;
- return kref_put(&local->ref, local_release);
+ dev = local->dev;
+
+ ret = kref_put(&local->ref, local_release);
+ nfc_put_device(dev);
+
+ return ret;
}
static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
@@ -959,8 +974,18 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
}
new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local) {
+ reason = LLCP_DM_REJ;
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
+ sock_put(&new_sock->sk);
+ nfc_llcp_sock_free(new_sock);
+ goto fail;
+ }
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
@@ -1597,7 +1622,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;
- local->dev = ndev;
+ /* As we are going to initialize local's refcount, we need to get the
+ * nfc_dev to avoid UAF, otherwise there is no point in continuing.
+ * See nfc_llcp_local_get().
+ */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev) {
+ kfree(local);
+ return -ENODEV;
+ }
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
--
2.42.0
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-12-09 9:55 ` Siddh Raman Pant
@ 2023-12-09 10:20 ` syzbot
2023-12-09 10:39 ` Siddh Raman Pant
From: syzbot @ 2023-12-09 10:20 UTC (permalink / raw)
To: code, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
Tested on:
commit: f2e8a57e Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=117f5cf4e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=99a0b898611ad691
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=134888b6e80000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-12-09 10:20 ` syzbot
@ 2023-12-09 10:39 ` Siddh Raman Pant
2023-12-09 11:03 ` syzbot
2023-12-11 8:44 ` Paolo Abeni
From: Siddh Raman Pant @ 2023-12-09 10:39 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: code, linux-kernel, netdev, syzkaller-bugs
Final test
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/nfc/llcp_core.c | 55 ++++++++++++++++++++++++++++++++++-----------
1 file changed, 42 insertions(+), 13 deletions(-)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..0ae89ab42aaa 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
+ * we hold a reference to local, we also need to hold a reference to
+ * the device to avoid UAF.
+ */
+ if (!nfc_get_device(local->dev->idx))
+ return NULL;
+
kref_get(&local->ref);
return local;
@@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
int nfc_llcp_local_put(struct nfc_llcp_local *local)
{
+ struct nfc_dev *dev;
+ int ret;
+
if (local == NULL)
return 0;
- return kref_put(&local->ref, local_release);
+ dev = local->dev;
+
+ ret = kref_put(&local->ref, local_release);
+ nfc_put_device(dev);
+
+ return ret;
}
static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
@@ -930,9 +945,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
if (sk_acceptq_is_full(parent)) {
reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
+ goto fail_put_sock;
}
if (sock->ssap == LLCP_SDP_UNBOUND) {
@@ -942,9 +955,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
if (ssap == LLCP_SAP_MAX) {
reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
+ goto fail_put_sock;
}
sock->ssap = ssap;
@@ -953,14 +964,18 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
new_sk = nfc_llcp_sock_alloc(NULL, parent->sk_type, GFP_ATOMIC, 0);
if (new_sk == NULL) {
reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
+ goto fail_put_sock;
}
new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local) {
+ reason = LLCP_DM_REJ;
+ goto fail_free_new_sock;
+ }
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
@@ -1004,8 +1019,13 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
return;
+fail_free_new_sock:
+ sock_put(&new_sock->sk);
+ nfc_llcp_sock_free(new_sock);
+fail_put_sock:
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
fail:
- /* Send DM */
nfc_llcp_send_dm(local, dsap, ssap, reason);
}
@@ -1597,7 +1617,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;
- local->dev = ndev;
+ /* As we are going to initialize local's refcount, we need to get the
+ * nfc_dev to avoid UAF, otherwise there is no point in continuing.
+ * See nfc_llcp_local_get().
+ */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev) {
+ kfree(local);
+ return -ENODEV;
+ }
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
--
2.42.0
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-12-09 10:39 ` Siddh Raman Pant
@ 2023-12-09 11:03 ` syzbot
2023-12-11 8:44 ` Paolo Abeni
From: syzbot @ 2023-12-09 11:03 UTC (permalink / raw)
To: code, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+bbe84a4010eeea00982d@syzkaller.appspotmail.com
Tested on:
commit: f2e8a57e Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1714d166e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=99a0b898611ad691
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1330e596e80000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-12-09 10:39 ` Siddh Raman Pant
2023-12-09 11:03 ` syzbot
@ 2023-12-11 8:44 ` Paolo Abeni
From: Paolo Abeni @ 2023-12-11 8:44 UTC (permalink / raw)
To: Siddh Raman Pant, syzbot+bbe84a4010eeea00982d
Cc: linux-kernel, netdev, syzkaller-bugs
On Sat, 2023-12-09 at 16:09 +0530, Siddh Raman Pant wrote:
> Final test
>
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Please, don't cc the netdev ML for tentative syzbot-related fixes: it
confuses patchwork and increases the traffic here for no good reason.
Thanks!
Paolo
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-09 8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
2023-12-09 9:27 ` Siddh Raman Pant
@ 2023-12-12 18:11 ` Siddh Raman Pant
2023-12-12 18:48 ` syzbot
2023-12-17 12:40 ` Siddh Raman Pant
2023-12-18 19:00 ` Siddh Raman Pant
From: Siddh Raman Pant @ 2023-12-12 18:11 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/nfc/llcp_core.c | 72 +++++++++++++++++++++++++++++----------------
1 file changed, 47 insertions(+), 25 deletions(-)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..2f77200a3720 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
+ * we hold a reference to local, we also need to hold a reference to
+ * the device to avoid UAF.
+ */
+ if (!nfc_get_device(local->dev->idx))
+ return NULL;
+
kref_get(&local->ref);
return local;
@@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
int nfc_llcp_local_put(struct nfc_llcp_local *local)
{
+ struct nfc_dev *dev;
+ int ret;
+
if (local == NULL)
return 0;
- return kref_put(&local->ref, local_release);
+ dev = local->dev;
+
+ ret = kref_put(&local->ref, local_release);
+ nfc_put_device(dev);
+
+ return ret;
}
static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
@@ -901,7 +916,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
if (dsap != LLCP_SAP_SDP) {
sock = nfc_llcp_sock_get(local, dsap, LLCP_SAP_SDP);
- if (sock == NULL || sock->sk.sk_state != LLCP_LISTEN) {
+ if (!sock || sock->sk.sk_state != LLCP_LISTEN) {
reason = LLCP_DM_NOBOUND;
goto fail;
}
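Review bot: This hunk and the two that follow only rewrite `sock == NULL` / `sn == NULL` as `!sock` / `!sn`, and the larger hunk below additionally drops braces around the single-statement error branches; that is cleanup unrelated to the use-after-free fix. A fix that is a candidate for stable backports more cleanly when it stays minimal, so I would move the style changes into a follow-up patch. nfc_llcp_recv_connect() starts outside the hunk.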
@@ -910,7 +925,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
size_t sn_len;
sn = nfc_llcp_connect_sn(skb, &sn_len);
- if (sn == NULL) {
+ if (!sn) {
reason = LLCP_DM_NOBOUND;
goto fail;
}
@@ -918,7 +933,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
pr_debug("Service name length %zu\n", sn_len);
sock = nfc_llcp_sock_get_sn(local, sn, sn_len);
- if (sock == NULL) {
+ if (!sock) {
reason = LLCP_DM_NOBOUND;
goto fail;
}
@@ -928,39 +943,31 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
parent = &sock->sk;
- if (sk_acceptq_is_full(parent)) {
- reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
- }
+ if (sk_acceptq_is_full(parent))
+ goto fail_put_sock;
if (sock->ssap == LLCP_SDP_UNBOUND) {
u8 ssap = nfc_llcp_reserve_sdp_ssap(local);
pr_debug("First client, reserving %d\n", ssap);
- if (ssap == LLCP_SAP_MAX) {
- reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
- }
+ if (ssap == LLCP_SAP_MAX)
+ goto fail_put_sock;
sock->ssap = ssap;
}
new_sk = nfc_llcp_sock_alloc(NULL, parent->sk_type, GFP_ATOMIC, 0);
- if (new_sk == NULL) {
- reason = LLCP_DM_REJ;
- release_sock(&sock->sk);
- sock_put(&sock->sk);
- goto fail;
- }
+ if (!new_sk)
+ goto fail_put_sock;
new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local)
+ goto fail_free_new_sock;
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
@@ -1004,8 +1011,14 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
return;
+fail_free_new_sock:
+ sock_put(&new_sock->sk);
+ nfc_llcp_sock_free(new_sock);
+fail_put_sock:
+ reason = LLCP_DM_REJ;
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
fail:
- /* Send DM */
nfc_llcp_send_dm(local, dsap, ssap, reason);
}
@@ -1597,7 +1610,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;
- local->dev = ndev;
+ /* As we are going to initialize local's refcount, we need to get the
+ * nfc_dev to avoid UAF, otherwise there is no point in continuing.
+ * See nfc_llcp_local_get().
+ */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev) {
+ kfree(local);
+ return -ENODEV;
+ }
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
--
2.42.0
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-09 8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
2023-12-12 18:11 ` Siddh Raman Pant
@ 2023-12-17 12:40 ` Siddh Raman Pant
2023-12-17 13:08 ` syzbot
2023-12-18 19:00 ` Siddh Raman Pant
From: Siddh Raman Pant @ 2023-12-17 12:40 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
---
net/nfc/llcp_core.c | 40 +++++++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..fadc8a9ec4df 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
+ * we hold a reference to local, we also need to hold a reference to
+ * the device to avoid UAF.
+ */
+ if (!nfc_get_device(local->dev->idx))
+ return NULL;
+
kref_get(&local->ref);
return local;
@@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
int nfc_llcp_local_put(struct nfc_llcp_local *local)
{
+ struct nfc_dev *dev;
+ int ret;
+
if (local == NULL)
return 0;
- return kref_put(&local->ref, local_release);
+ dev = local->dev;
+
+ ret = kref_put(&local->ref, local_release);
+ nfc_put_device(dev);
+
+ return ret;
}
static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
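Review bot: The reason `dev` is captured before `kref_put()` and released only after it is not stated, and it is the whole point of the new lines: local_release() may free `local`, so `local->dev` cannot be read afterwards, and the device must presumably outlive local_release() in case it touches the device. I would add `/* local_release() may free @local: cache dev first, and drop the device ref only once local is gone. */` above the `dev = local->dev;` line so the ordering is not "simplified" by a later cleanup. This put balances the ref taken in nfc_llcp_local_get(), and the final put from the unregister path balances the one now taken in nfc_llcp_register_device(); that pairing is worth a sentence in the function comment as well.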
@@ -959,8 +974,18 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
}
new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local) {
+ reason = LLCP_DM_REJ;
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
+ sock_put(&new_sock->sk);
+ nfc_llcp_sock_free(new_sock);
+ goto fail;
+ }
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
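Review bot: The new reject path calls `nfc_llcp_sock_free(new_sock)` right after `sock_put(&new_sock->sk)`; if that sock_put() drops the last reference (new_sk was just allocated, so it appears to hold the only one), the socket destructor runs first — and in the sibling llcp_sock.c, llcp_sock_destruct() as far as I recall already calls nfc_llcp_sock_free() — so the explicit call operates on memory that has just been freed, i.e. a use-after-free/double teardown introduced by the fix itself. Dropping the `nfc_llcp_sock_free(new_sock);` line and letting sock_put() own the teardown is enough; the later revision of this patch in the thread does exactly that. At this point `new_sock->local` is NULL, so the destructor's nfc_llcp_local_put() is a no-op and no device ref is leaked. nfc_llcp_recv_connect() starts and ends outside the hunk, and the `fail` label it jumps to is not visible here.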
@@ -1597,7 +1622,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;
- local->dev = ndev;
+ /* As we are going to initialize local's refcount, we need to get the
+ * nfc_dev to avoid UAF, otherwise there is no point in continuing.
+ * See nfc_llcp_local_get().
+ */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev) {
+ kfree(local);
+ return -ENODEV;
+ }
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
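Review bot: With the initial kref now paired with a device reference taken on the added `local->dev = nfc_get_device(ndev->idx);` line, every failure path later in nfc_llcp_register_device() (the rest of the function is outside the hunk) must `nfc_put_device(local->dev);` before `kfree(local);`, otherwise the device — and its index — can never be released; if there are no such paths today, a short comment saying so would stop the next one from being added without the put. The lookup is by index rather than taking a reference on `ndev` itself; if nfc_get_device() is the class_find_device() wrapper I take it to be, a `WARN_ON_ONCE(local->dev != ndev)` after the NULL check would catch the case where the index resolves to some other device and the wrong object ends up pinned.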
--
2.42.0
* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
2023-11-09 8:36 [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb syzbot
` (10 preceding siblings ...)
2023-12-17 12:40 ` Siddh Raman Pant
@ 2023-12-18 19:00 ` Siddh Raman Pant
2023-12-19 1:26 ` syzbot
11 siblings, 1 reply; 45+ messages in thread
From: Siddh Raman Pant @ 2023-12-18 19:00 UTC (permalink / raw)
To: syzbot+bbe84a4010eeea00982d; +Cc: linux-kernel, syzkaller-bugs
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
---
net/nfc/llcp_core.c | 39 ++++++++++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..18be13fb9b75 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -145,6 +145,13 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
{
+ /* Since using nfc_llcp_local may result in usage of nfc_dev, whenever
+ * we hold a reference to local, we also need to hold a reference to
+ * the device to avoid UAF.
+ */
+ if (!nfc_get_device(local->dev->idx))
+ return NULL;
+
kref_get(&local->ref);
return local;
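Review bot: `nfc_get_device(local->dev->idx)` on the added line dereferences `local->dev` before the new device reference is taken, so the helper is only safe when the caller already holds a reference on `local`; after this patch that reference is what keeps the device alive, since nfc_llcp_register_device() now takes a device ref for the initial kref. That precondition should be in the comment, because a caller holding a `local` it does not own would make this line the very UAF read being fixed: `/* Caller must already hold a reference on @local; that reference pins local->dev, which is read here before the new device ref is taken. */`. Under the same precondition the index cannot have been recycled, so the by-index lookup returns the device `local->dev` points at — worth stating so a reader does not have to re-derive it. The function's closing brace lies outside the hunk.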
@@ -177,10 +184,18 @@ static void local_release(struct kref *ref)
int nfc_llcp_local_put(struct nfc_llcp_local *local)
{
+ struct nfc_dev *dev;
+ int ret;
+
if (local == NULL)
return 0;
- return kref_put(&local->ref, local_release);
+ dev = local->dev;
+
+ ret = kref_put(&local->ref, local_release);
+ nfc_put_device(dev);
+
+ return ret;
}
static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
@@ -959,8 +974,17 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
}
new_sock = nfc_llcp_sock(new_sk);
- new_sock->dev = local->dev;
+
new_sock->local = nfc_llcp_local_get(local);
+ if (!new_sock->local) {
+ reason = LLCP_DM_REJ;
+ sock_put(&new_sock->sk);
+ release_sock(&sock->sk);
+ sock_put(&sock->sk);
+ goto fail;
+ }
+
+ new_sock->dev = local->dev;
new_sock->rw = sock->rw;
new_sock->miux = sock->miux;
new_sock->nfc_protocol = sock->nfc_protocol;
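Review bot: `new_sock->dev = local->dev;` after the new NULL check is a plain pointer copy with no reference of its own, so its validity now rests entirely on `new_sock->local` being held until the socket's last use of `dev`; a comment such as `/* No separate ref: dev stays valid only while new_sock->local is held. */` would keep a later change from dropping the local ref early. In the reject path the teardown of `new_sock` is now delegated to `sock_put(&new_sock->sk)` — correct as far as I can see, since the socket destructor in llcp_sock.c appears to free the llcp_sock — and `new_sock->local` is NULL there, so no device ref leaks. nfc_llcp_recv_connect() starts and ends outside the hunk, and the `fail` label is not visible here.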
@@ -1597,7 +1621,16 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
if (local == NULL)
return -ENOMEM;
- local->dev = ndev;
+ /* As we are going to initialize local's refcount, we need to get the
+ * nfc_dev to avoid UAF, otherwise there is no point in continuing.
+ * See nfc_llcp_local_get().
+ */
+ local->dev = nfc_get_device(ndev->idx);
+ if (!local->dev) {
+ kfree(local);
+ return -ENODEV;
+ }
+
INIT_LIST_HEAD(&local->list);
kref_init(&local->ref);
mutex_init(&local->sdp_lock);
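Review bot: Once `local->dev = nfc_get_device(ndev->idx);` pairs the initial kref with a device reference, any failure path in the remainder of nfc_llcp_register_device() (outside the hunk) must `nfc_put_device(local->dev);` before `kfree(local);`, or the device and its index are leaked for good; if no such path exists today, a one-line comment saying so guards the next one. The reference is obtained by index lookup rather than on `ndev` directly; assuming nfc_get_device() is the class_find_device() wrapper, a `WARN_ON_ONCE(local->dev != ndev)` after the NULL check would make an index/pointer mismatch visible instead of silently pinning a different device.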
--
2.43.0