Re: net/nfc: GPF in llcp_sock_getname
On Fri, Jan 1, 2016 at 5:58 AM, Dmitry Vyukov wrote:
> GPF seems to be caused by a data race on socket state.

Seems you are right, I think the following patch should work:

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index ecf0a01..5a91997 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -500,7 +500,7 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *uaddr,
 	struct nfc_llcp_sock *llcp_sock = nfc_llcp_sock(sk);
 	DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, llcp_addr, uaddr);
 
-	if (llcp_sock == NULL || llcp_sock->dev == NULL)
+	if (llcp_sock == NULL || sk->sk_state == LLCP_CLOSED)
 		return -EBADFD;
 
 	pr_debug("%p %d %d %d\n", sk, llcp_sock->target_idx,

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
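Review bot: the new `sk->sk_state == LLCP_CLOSED` test at the top of llcp_sock_getname() is evaluated without holding the socket lock, so it only swaps one unlocked check (`llcp_sock->dev == NULL`) for another. The diagnosis quoted above is a data race, and the reporter's program drives bind() from a second thread while the main thread is inside getsockname(): the state can change after this check passes and before the memcpy() of service_name at net/nfc/llcp_sock.c:519 in the trace runs. Suggest wrapping the state check together with the reads and copy of the llcp_sock fields that follow it in lock_sock(sk)/release_sock(sk), with release_sock() on the -EBADFD return path, rather than adding another check at function entry.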
Re: net/nfc: GPF in llcp_sock_getname
On Fri, Jan 1, 2016 at 12:58 PM, Cong Wang wrote:
>
> It looks like we forget to initialize ->service_name_len
> and ->service_name before bind().

Never mind, __GFP_ZERO is passed in sk_alloc()...
Re: net/nfc: GPF in llcp_sock_getname
On Fri, Jan 1, 2016 at 5:58 AM, Dmitry Vyukov wrote:
>
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: [#51] SMP KASAN
> Modules linked in:
> CPU: 2 PID: 4207 Comm: a.out Not tainted 4.4.0-rc7+ #184
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: 8800683e9780 ti: 880064c7 task.ti: 880064c7
> RIP: 0010:[] [] kasan_report_error+0x1b/0x560
> RSP: 0018:880064c77c90 EFLAGS: 00010286
> RAX: dc00 RBX: 0003 RCX: dc00
> RDX: RSI: 0003 RDI: 880064c77c98
> RBP: 880064c77cc0 R08: ed000c98efd6 R09: 880064c77e58
> R10: 8800639670a0 R11: 880063967098 R12: 880064c77e6a
> R13: R14: R15: 880063967088
> FS: 018ca880(0063) GS:88006da0() knlGS:
> CS: 0010 DS: ES: CR0: 8005003b
> CR2: 00c8200012e0 CR3: 64c59000 CR4: 06e0
> Stack:
> 816d25d4 0018 0003
> 00034000 816d17ed 880064c77cd0 816d1264
> 880064c77cf8 816d17ed 880064c77e58
> Call Trace:
> [< inline >] check_memory_region mm/kasan/kasan.c:264
> [] __asan_loadN+0x124/0x1a0 mm/kasan/kasan.c:512
> [] memcpy+0x1d/0x40 mm/kasan/kasan.c:297
> [] llcp_sock_getname+0x424/0x600 net/nfc/llcp_sock.c:519
> [] SYSC_getsockname+0x1bd/0x220 net/socket.c:1570
> [] SyS_getsockname+0x24/0x30 net/socket.c:1555
> [] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
> Code: 48 01 c7 e8 38 2b fc ff 5d c3 66 0f 1f 44 00 00 48 8b 17 48 b9
> 00 00 00 00 00 fc ff df 48 8b 77 10 48 89 d0 48 c1 e8 03 48 01 c8 <80>
> 38 00 75 1d 48 01 d6 eb 13 48 83 c2 08 48 89 d0 48 c1 e8 03
> RIP [] kasan_report_error+0x1b/0x560 mm/kasan/report.c:214
> RSP
> ---[ end trace b0c68fb0d02b9447 ]---
>
> On commit 8513342170278468bac126640a5d2d12ffbff106 (Dec 28).
> GPF seems to be caused by a data race on socket state.

It looks like we forget to initialize ->service_name_len
and ->service_name before bind(). Could you try the following patch?
Thanks!

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index ecf0a01..252f3c0 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -961,6 +961,8 @@ struct sock *nfc_llcp_sock_alloc(struct socket *sock, int type, gfp_t gfp, int k
 	llcp_sock->ssap = 0;
 	llcp_sock->dsap = LLCP_SAP_SDP;
+	llcp_sock->service_name_len = 0;
+	llcp_sock->service_name = NULL;
 	llcp_sock->rw = LLCP_MAX_RW + 1;
 	llcp_sock->miux = cpu_to_be16(LLCP_MAX_MIUX + 1);
 	llcp_sock->send_n = llcp_sock->send_ack_n = 0;
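Review bot: the two added assignments in nfc_llcp_sock_alloc() change nothing: as the follow-up in this thread points out, sk_alloc() is called with __GFP_ZERO, so service_name is already NULL and service_name_len already 0 when this code runs. They also do not touch the race the report describes, where bind() in a second thread is updating service_name_len and service_name while getsockname() in the main thread reads them in llcp_sock_getname() (the memcpy() at net/nfc/llcp_sock.c:519 in the quoted trace). The getname path needs to read those fields under the socket lock, or reject the socket by state under that lock, rather than rely on their initial values.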
net/nfc: GPF in llcp_sock_getname
Hello,

The following program triggers GPF in llcp_sock_getname:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
// the header names were lost in the archive rendering; this list restores the ones the code needs
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/nfc.h>

int fd;

// second thread: bind() runs concurrently with the getsockname() in main()
void *thr(void *arg)
{
  struct sockaddr_nfc_llcp sa;
  sa.sa_family = AF_NFC;
  sa.dev_idx = 0;
  sa.target_idx = 0x24a8;
  sa.nfc_protocol = 0;
  sa.dsap = 0;
  sa.ssap = 2;
  sa.service_name[0] = 7;
  sa.service_name[1] = 9;
  sa.service_name[2] = 3;
  sa.service_name_len = 3;
  bind(fd, (struct sockaddr*)&sa, sizeof(sa));
  return 0;
}

int main()
{
  fd = socket(AF_NFC, 0x2ul, 0x1ul);  // SOCK_DGRAM, NFC_SOCKPROTO_LLCP
  pthread_t th;
  pthread_create(&th, 0, thr, 0);
  struct sockaddr_nfc_llcp sa;
  socklen_t len = sizeof(sa);  // getsockname() takes a socklen_t*, not an int*
  getsockname(fd, (struct sockaddr*)&sa, &len);
  return 0;
}

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#51] SMP KASAN
Modules linked in:
CPU: 2 PID: 4207 Comm: a.out Not tainted 4.4.0-rc7+ #184
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: 8800683e9780 ti: 880064c7 task.ti: 880064c7
RIP: 0010:[] [] kasan_report_error+0x1b/0x560
RSP: 0018:880064c77c90 EFLAGS: 00010286
RAX: dc00 RBX: 0003 RCX: dc00
RDX: RSI: 0003 RDI: 880064c77c98
RBP: 880064c77cc0 R08: ed000c98efd6 R09: 880064c77e58
R10: 8800639670a0 R11: 880063967098 R12: 880064c77e6a
R13: R14: R15: 880063967088
FS: 018ca880(0063) GS:88006da0() knlGS:
CS: 0010 DS: ES: CR0: 8005003b
CR2: 00c8200012e0 CR3: 64c59000 CR4: 06e0
Stack:
816d25d4 0018 0003
00034000 816d17ed 880064c77cd0 816d1264
880064c77cf8 816d17ed 880064c77e58
Call Trace:
[< inline >] check_memory_region mm/kasan/kasan.c:264
[] __asan_loadN+0x124/0x1a0 mm/kasan/kasan.c:512
[] memcpy+0x1d/0x40 mm/kasan/kasan.c:297
[] llcp_sock_getname+0x424/0x600 net/nfc/llcp_sock.c:519
[] SYSC_getsockname+0x1bd/0x220 net/socket.c:1570
[] SyS_getsockname+0x24/0x30 net/socket.c:1555
[] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
Code: 48 01 c7 e8 38 2b fc ff 5d c3 66 0f 1f 44 00 00 48 8b 17 48 b9 00 00 00 00
00 fc ff df 48 8b 77 10 48 89 d0 48 c1 e8 03 48 01 c8 <80> 38 00 75 1d 48 01 d6 eb 13 48 83 c2 08 48 89 d0 48 c1 e8 03
RIP [] kasan_report_error+0x1b/0x560 mm/kasan/report.c:214
RSP
---[ end trace b0c68fb0d02b9447 ]---

On commit 8513342170278468bac126640a5d2d12ffbff106 (Dec 28).
GPF seems to be caused by a data race on socket state.
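The socket-state check discussed in this thread, carried through under a lock in a user-space model, as an added example that is not code from the thread or from net/nfc: bind()/close() publish service_name, service_name_len and sk_state inside one critical section, and getname() does its state check and its memcpy() inside the same critical section, so the bind()-in-a-thread shape of the reproducer above cannot observe a half-updated socket. The struct, the MODEL_* states, model_publish() and model_stress() are hypothetical stand-ins for struct nfc_llcp_sock, lock_sock()/release_sock() and the repro's two threads.

```c
#include <errno.h>
#include <pthread.h>
#include <string.h>
/* Hypothetical user-space model of the nfc_llcp_sock fields the thread discusses
 * (not the kernel's struct); the mutex stands in for lock_sock()/release_sock(). */
enum { MODEL_CLOSED = 0, MODEL_BOUND = 1 };
struct model_sock { pthread_mutex_t lock; int sk_state; char *service_name; size_t service_name_len; char buf[32]; };

/* bind() when name != NULL, close() when name == NULL. The stores are separate: a
 * reader outside the lock could see service_name_len set while service_name is NULL. */
static void model_publish(struct model_sock *s, const char *name) {
	pthread_mutex_lock(&s->lock);
	s->service_name_len = name ? strlen(name) : 0;
	if (name) memcpy(s->buf, name, s->service_name_len);
	s->service_name = name ? s->buf : NULL;
	s->sk_state = name ? MODEL_BOUND : MODEL_CLOSED;
	pthread_mutex_unlock(&s->lock);
}

/* getname(): the sk_state check and the memcpy() it guards run in one critical
 * section, so a concurrent bind()/close() cannot change the fields in between. */
static int model_getname(struct model_sock *s, char *out, size_t outsz, size_t *outlen) {
	pthread_mutex_lock(&s->lock);
	if (s->sk_state == MODEL_CLOSED || s->service_name == NULL) {
		pthread_mutex_unlock(&s->lock);
		return -EBADFD;	/* same error the kernel path returns for an unusable socket */
	}
	*outlen = s->service_name_len < outsz ? s->service_name_len : outsz;
	memcpy(out, s->service_name, *outlen);
	pthread_mutex_unlock(&s->lock);
	return 0;
}
#define MODEL_NAME "urn:nfc:sn:example"	/* constructed sample service name */
static void *binder(void *arg) {	/* the reproducer's second thread: bind() in a loop */
	for (int i = 0; i < 20000; i++) { model_publish(arg, MODEL_NAME); model_publish(arg, NULL); }
	return NULL;
}
/* Hammers getname() against the binder; returns how many successful calls
 * handed back a torn name (length or bytes not matching MODEL_NAME). */
int model_stress(void) {
	struct model_sock s = { PTHREAD_MUTEX_INITIALIZER, MODEL_CLOSED, NULL, 0, { 0 } };
	pthread_t th; int bad = 0; char buf[64]; size_t n;
	pthread_create(&th, NULL, binder, &s);
	for (int i = 0; i < 20000; i++)
		if (model_getname(&s, buf, sizeof buf, &n) == 0)
			bad += (n != strlen(MODEL_NAME) || memcmp(buf, MODEL_NAME, n) != 0);
	pthread_join(th, NULL);
	return bad;	/* 0: every name read was consistent */
}
```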