* Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in nfc_alloc_send_skb
From: syzbot @ 2023-11-09 13:02 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
net/nfc/nci/core.c:1210:30: error: static assertion failed due to requirement '__builtin_types_compatible_p(struct nfc_dev, struct nfc_dev *) || __builtin_types_compatible_p(struct nfc_dev, void)': pointer type mismatch in container_of()
Tested on:
commit: aea6bf90 Merge tag 'f2fs-for-6.7-rc1' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=93ac5233c138249e
dashboard link: https://syzkaller.appspot.com/bug?extid=bbe84a4010eeea00982d
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1750e11f680000
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-09 13:28 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..016364890357 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1640,11 +1640,14 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
void nfc_llcp_unregister_device(struct nfc_dev *dev)
{
struct nfc_llcp_local *local = nfc_llcp_remove_local(dev);
+ struct nfc_llcp_sock *nls;
if (local == NULL) {
pr_debug("No such device\n");
return;
}
+ nls = container_of(local, struct nfc_llcp_sock, local);
+ nls->local = NULL;
local_cleanup(local);
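Review bot: the `container_of()` on the `+ nls = container_of(local, struct nfc_llcp_sock, local);` line cannot work: `local` is a `struct nfc_llcp_local *` and, as the next line's `nls->local = NULL` shows, the socket's `local` member is itself a pointer rather than an embedded struct, so there is no enclosing socket to recover (this is exactly the "pointer type mismatch in container_of()" class of build failure syzbot reported at the top of this thread), and a single `nfc_llcp_local` is shared by many sockets in any case. The sockets that reference the device have to be found by walking the per-local socket list under `local->sockets.lock`, as the later postings in this thread do.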
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-09 14:14 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..4959163d8dc5 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -113,6 +113,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
bh_unlock_sock(sk);
sk_del_node_init(sk);
+ llcp_sock->local = NULL;
}
write_unlock(&local->sockets.lock);
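Review bot: clearing `llcp_sock->local` here only helps readers that take `local->sockets.lock` or happen to observe the store before they load the pointer; `nfc_llcp_send_ui_frame()` (the `local = sock->local;` site changed later in this thread) reads it without that lock, so a sender that has already loaded the pointer still uses the freed `local` once `local_cleanup()` runs. The commit message should also say what happens to the reference the socket held through `sock->local`: if the socket destructor releases it through that pointer, overwriting it with NULL turns the use-after-free into a leak of `local`.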
--
2.25.1
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-09 14:33 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
From d6bab181339771591ed9519dced29a8eb20ddadc Mon Sep 17 00:00:00 2001
From: Lizhi Xu <lizhi.xu@windriver.com>
Date: Thu, 9 Nov 2023 21:31:26 +0800
Subject: [PATCH] nfc/nci: fix uaf in nfc_alloc_send_skb
After releasing the nfc/nci device, nfc_llcp_sock->local should be set to null
to avoid referencing expired devices.
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
net/nfc/llcp_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..024cbba26fc8 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -102,6 +102,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
accept_sk->sk_state_change(sk);
bh_unlock_sock(accept_sk);
+ lsk->local = NULL;
}
}
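Review bot: `+ lsk->local = NULL;` is stored after `bh_unlock_sock(accept_sk)` has already dropped the lock, so the write to the accepted child's `local` is not ordered against that child's own users; move it inside the locked region, next to the `sk_state_change()` call. The subject prefix `nfc/nci:` also does not match the file being changed, `net/nfc/llcp_core.c`; `nfc: llcp:` is the fitting prefix.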
@@ -113,6 +114,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device,
bh_unlock_sock(sk);
sk_del_node_init(sk);
+ llcp_sock->local = NULL;
}
write_unlock(&local->sockets.lock);
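Review bot: this hunk only reaches sockets that are on `local->sockets` at release time, and it clears the pointer after `sk_del_node_init(sk)` has unlinked them and `bh_unlock_sock(sk)` has dropped the socket lock. The commit message should explain why every socket that can still call into `local` is guaranteed to be on that list at this point; any socket missed here keeps a dangling `local`, and the path in the KASAN report stays reachable for it.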
--
2.25.1
* Re: [syzbot] [PATCH] Fix the null pointer dereference in nsim_setup_prog_hw_checks
From: syzbot @ 2023-11-09 19:04 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] Fix the null pointer dereference in nsim_setup_prog_hw_checks
Author: kdipendra88@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git 8de1e7afcc1c
Signed-off-by: Dipendra Khadka <kdipendra88@gmail.com>
---
drivers/net/netdevsim/bpf.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
index f60eb97e3a62..89206278b6cc 100644
--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -317,9 +317,11 @@ nsim_setup_prog_hw_checks(struct netdevsim *ns, struct netdev_bpf *bpf)
}
state = bpf->prog->aux->offload->dev_priv;
- if (WARN_ON(strcmp(state->state, "xlated"))) {
- NSIM_EA(bpf->extack, "offloading program in bad state");
- return -EINVAL;
+ if(state) {
+ if (WARN_ON(strcmp(state->state, "xlated"))) {
+ NSIM_EA(bpf->extack, "offloading program in bad state");
+ return -EINVAL;
+ }
}
return 0;
}
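Review bot: the new `if(state)` guard silently returns 0 when `state` is NULL, so a program with no offload private data now passes the hardware checks instead of failing them; returning an error with an `NSIM_EA()` message is the safer outcome. If the reported NULL dereference is in the `bpf->prog->aux->offload` chain, the check is also one statement too late, since `state = bpf->prog->aux->offload->dev_priv;` has already dereferenced it. Style: `if (state)` with a space; and this netdevsim change is unrelated to the nfc thread it was posted to, so it should go out as its own submission.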
--
2.34.1
* Re: [syzbot] [PATCH] test aea6bf908d73
From: syzbot @ 2023-11-10 0:52 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] test aea6bf908d73
Author: lizhi.xu@windriver.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..6ba43a0369d3 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -738,7 +738,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
pr_debug("Send UI frame len %zd\n", len);
- local = sock->local;
+ local = nfc_llcp_find_local(sock->dev);
if (local == NULL)
return -ENODEV;
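Review bot: `nfc_llcp_find_local()` returns a counted reference (it calls `nfc_llcp_local_get()` on the matching entry, as the llcp_core.c hunk posted later in this thread shows), whereas the replaced `sock->local` load did not take one; every exit path of `nfc_llcp_send_ui_frame()` after this line must now drop that reference, and the hunk adds no put. The change also leaves the stale `sock->local` in place for every other reader and relies on `sock->dev` remaining valid after the device is unregistered, which the commit message needs to justify.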
--
2.25.1
* Re: [syzbot] [PATCH] test aea6bf908d73
From: syzbot @ 2023-11-10 6:32 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] test aea6bf908d73
Author: lizhi.xu@windriver.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..6ba43a0369d3 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -738,7 +738,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
pr_debug("Send UI frame len %zd\n", len);
- local = sock->local;
+ local = nfc_llcp_find_local(sock->dev);
if (local == NULL)
return -ENODEV;
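Review bot: same change as the 0:52 posting; once `nfc_llcp_remove_local()` has unlinked the device's `local`, this look-up by `sock->dev` returns NULL and the send fails with `-ENODEV` instead of touching freed memory, which is a behaviour change for in-flight sends that the commit message should state explicitly. The reference obtained from `nfc_llcp_local_get()` inside the look-up still needs a matching put on every return path of this function.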
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..150d0e24e27c 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -284,6 +284,7 @@ struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev)
spin_lock(&llcp_devices_lock);
list_for_each_entry(local, &llcp_devices, list)
if (local->dev == dev) {
+ printk("finded: %p, d: %p, %s\n", local, dev, __func__);
res = nfc_llcp_local_get(local);
break;
}
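Review bot: a debugging `printk()` with no `KERN_*` level, and `%p` prints hashed pointer values that cannot be matched against the raw addresses in the KASAN report; for local debugging `%px` shows the real address (never in a patch meant to be merged). If the line stays for testing, `finded:` should read `found:`.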
@@ -299,6 +300,7 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
spin_lock(&llcp_devices_lock);
list_for_each_entry_safe(local, tmp, &llcp_devices, list)
if (local->dev == dev) {
+ printk("deled: l: %p, d: %p, %s\n", local, dev, __func__);
list_del(&local->list);
spin_unlock(&llcp_devices_lock);
return local;
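Review bot: the same `printk()` remarks apply to the `deled:` line. What this trace can establish is the window the bug lives in: after `list_del(&local->list)` here, `nfc_llcp_find_local()` can no longer return this `local`, but any socket still holding it in `sock->local` keeps a pointer to it until the object is freed. The debug output should show which of the two paths the crashing socket took before a fix is settled on.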
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-10 11:26 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..f5dd2d7e41de 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -738,7 +738,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
pr_debug("Send UI frame len %zd\n", len);
- local = sock->local;
+ local = nfc_llcp_find_local(sock->dev);
+ printk("finded: %p, d: %p, %s\n", local, sock->dev, __func__);
if (local == NULL)
return -ENODEV;
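Review bot: the `finded:` trace is placed before the NULL check, which is fine for diagnostics, but it shares the `%p` hashing and missing log level problems of the other debug lines. Independently of the tracing, the reference returned by `nfc_llcp_find_local()` still has no matching put on any return path of this function, including the `-ENODEV` return just below, so each UI frame sent leaks one reference to `local`.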
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..8d47f17da904 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -299,6 +299,7 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
spin_lock(&llcp_devices_lock);
list_for_each_entry_safe(local, tmp, &llcp_devices, list)
if (local->dev == dev) {
+ printk("deled: l: %p, d: %p, %s\n", local, dev, __func__);
list_del(&local->list);
spin_unlock(&llcp_devices_lock);
return local;
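Review bot: `printk()` without a `KERN_*` level and with hashed `%p` again; the line sits under `llcp_devices_lock`, which is acceptable for a spinlock, but it must be removed before submission. The point the trace illustrates is the gap between `list_del(&local->list)` here and the eventual free of `local`: a socket that loaded `sock->local` before this point is not protected by a look-up that only happens afterwards.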
--
2.25.1
* Re: [syzbot] [PATCH] Test for aea6bf908d73
From: syzbot @ 2023-11-10 12:19 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@qq.com
please test uaf in nfc_alloc_send_skb
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..05b21ced9e1f 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -754,6 +754,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
remaining_len = len;
msg_ptr = msg_data;
+ bh_lock_sock(sock);
do {
remote_miu = sock->remote_miu > LLCP_MAX_MIU ?
local->remote_miu : sock->remote_miu;
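Review bot: `bh_lock_sock(sock)` does not type-check here: `sock` is a `struct nfc_llcp_sock *` (see the hunk header), while `bh_lock_sock()` expects a `struct sock *`, so it needs the embedded socket (`&sock->sk`, assuming that is the member name). More importantly, the socket spinlock serialises users of this socket; it does nothing for the lifetime of `local`, which is the object the KASAN report says was freed. It is also taken across the fragmentation loop below, which allocates skbs; if that allocation can sleep, holding a bh spinlock across it is a bug in itself.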
@@ -784,6 +785,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
remaining_len -= frag_len;
msg_ptr += frag_len;
} while (remaining_len > 0);
+ bh_unlock_sock(sock);
kfree(msg_data);
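Review bot: `bh_unlock_sock(sock)` is placed only after the `do { } while` loop, so any `return` or `goto` that leaves the loop early (an allocation failure inside it, for instance) exits with the socket lock still held; if the lock stays, every exit path between the lock and this unlock has to release it. As at the lock site, the argument must be a `struct sock *`, not the `struct nfc_llcp_sock *`.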
--
2.25.1