Re: net/nfc: GPF in llcp_sock_getname

2016-01-01 Thread Cong Wang
On Fri, Jan 1, 2016 at 5:58 AM, Dmitry Vyukov  wrote:
> GPF seems to be caused by a data race on socket state.

Seems you are right, I think the following patch should work:

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index ecf0a01..5a91997 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -500,7 +500,7 @@ static int llcp_sock_getname(struct socket *sock,
struct sockaddr *uaddr,
struct nfc_llcp_sock *llcp_sock = nfc_llcp_sock(sk);
DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, llcp_addr, uaddr);

-   if (llcp_sock == NULL || llcp_sock->dev == NULL)
+   if (llcp_sock == NULL || sk->sk_state == LLCP_CLOSED)
return -EBADFD;

pr_debug("%p %d %d %d\n", sk, llcp_sock->target_idx,
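Review bot: the replacement test `sk->sk_state == LLCP_CLOSED` is read with no locking visible in this hunk, so it does not close the race the report describes: a bind() running on another thread can still change the socket state and the service_name / service_name_len fields between this check and the memcpy() that KASAN flags at net/nfc/llcp_sock.c:519. Suggest serializing the whole read of the llcp_sock fields against the writer in bind(), e.g. by taking lock_sock(sk) across the copy, rather than relying on a racy state check. Also note that the `llcp_sock->dev == NULL` test is dropped entirely; if llcp_sock->dev is still dereferenced later in the function, keep that test alongside the state check instead of replacing it.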
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: net/nfc: GPF in llcp_sock_getname

2016-01-01 Thread Cong Wang
On Fri, Jan 1, 2016 at 12:58 PM, Cong Wang  wrote:
>
> It looks like we forget to initialize ->service_name_len
> and ->service_name before bind().

Never mind, __GFP_ZERO is passed in sk_alloc()...


Re: net/nfc: GPF in llcp_sock_getname

2016-01-01 Thread Cong Wang
On Fri, Jan 1, 2016 at 5:58 AM, Dmitry Vyukov  wrote:
>
> kasan: GPF could be caused by NULL-ptr deref or user memory
> accessgeneral protection fault:  [#51] SMP KASAN
> Modules linked in:
> CPU: 2 PID: 4207 Comm: a.out Not tainted 4.4.0-rc7+ #184
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: 8800683e9780 ti: 880064c7 task.ti: 880064c7
> RIP: 0010:[]  []
> kasan_report_error+0x1b/0x560
> RSP: 0018:880064c77c90  EFLAGS: 00010286
> RAX: dc00 RBX: 0003 RCX: dc00
> RDX:  RSI: 0003 RDI: 880064c77c98
> RBP: 880064c77cc0 R08: ed000c98efd6 R09: 880064c77e58
> R10: 8800639670a0 R11: 880063967098 R12: 880064c77e6a
> R13:  R14:  R15: 880063967088
> FS:  018ca880(0063) GS:88006da0() knlGS:
> CS:  0010 DS:  ES:  CR0: 8005003b
> CR2: 00c8200012e0 CR3: 64c59000 CR4: 06e0
> Stack:
>  816d25d4  0018 0003
>  00034000 816d17ed 880064c77cd0 816d1264
>  880064c77cf8 816d17ed  880064c77e58
> Call Trace:
>  [< inline >] check_memory_region mm/kasan/kasan.c:264
>  [] __asan_loadN+0x124/0x1a0 mm/kasan/kasan.c:512
>  [] memcpy+0x1d/0x40 mm/kasan/kasan.c:297
>  [] llcp_sock_getname+0x424/0x600 net/nfc/llcp_sock.c:519
>  [] SYSC_getsockname+0x1bd/0x220 net/socket.c:1570
>  [] SyS_getsockname+0x24/0x30 net/socket.c:1555
>  [] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
> Code: 48 01 c7 e8 38 2b fc ff 5d c3 66 0f 1f 44 00 00 48 8b 17 48 b9
> 00 00 00 00 00 fc ff df 48 8b 77 10 48 89 d0 48 c1 e8 03 48 01 c8 <80>
> 38 00 75 1d 48 01 d6 eb 13 48 83 c2 08 48 89 d0 48 c1 e8 03
> RIP  [] kasan_report_error+0x1b/0x560 mm/kasan/report.c:214
>  RSP 
> ---[ end trace b0c68fb0d02b9447 ]---
>
> On commit 8513342170278468bac126640a5d2d12ffbff106 (Dec 28).
> GPF seems to be caused by a data race on socket state.

It looks like we forget to initialize ->service_name_len
and ->service_name before bind().

Could you try the following patch?

Thanks!

->

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index ecf0a01..252f3c0 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -961,6 +961,8 @@ struct sock *nfc_llcp_sock_alloc(struct socket
*sock, int type, gfp_t gfp, int k

llcp_sock->ssap = 0;
llcp_sock->dsap = LLCP_SAP_SDP;
+   llcp_sock->service_name_len = 0;
+   llcp_sock->service_name = NULL;
llcp_sock->rw = LLCP_MAX_RW + 1;
llcp_sock->miux = cpu_to_be16(LLCP_MAX_MIUX + 1);
llcp_sock->send_n = llcp_sock->send_ack_n = 0;
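Review bot: the two added assignments are redundant if the socket memory is zeroed at allocation, which the follow-up reply in this thread confirms (__GFP_ZERO is passed in sk_alloc()), so this hunk cannot change the behaviour seen in the report. Zero-initializing the fields also does not address the race itself: the reproducer binds on one thread while getsockname() runs on another, and the memcpy() at llcp_sock.c:519 still reads service_name_len and service_name without being serialized against the writer in bind(). If the explicit initialization is wanted for readability, the commit message should say it is cosmetic; the fix for the GPF needs the reader in llcp_sock_getname() and the writer in bind() to run under the same lock.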


net/nfc: GPF in llcp_sock_getname

2016-01-01 Thread Dmitry Vyukov
Hello,

The following program triggers GPF in llcp_sock_getname:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
// Header names were lost in the archive; the includes below are the
// ones this program needs to build (pthread, sockets, NFC sockaddr).
#include <pthread.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/nfc.h>
#include <unistd.h>

int fd;

// Second thread: bind() the NFC LLCP socket with a 3-byte service name
// while the main thread concurrently calls getsockname() on it.
void *thr(void *arg)
{
    struct sockaddr_nfc_llcp sa;
    sa.sa_family = AF_NFC;
    sa.dev_idx = 0;
    sa.target_idx = 0x24a8;
    sa.nfc_protocol = 0;
    sa.dsap = 0;
    sa.ssap = 2;
    sa.service_name[0] = 7;
    sa.service_name[1] = 9;
    sa.service_name[2] = 3;
    sa.service_name_len = 3;
    bind(fd, (struct sockaddr*)&sa, sizeof(sa));
    return 0;
}

int main()
{
    // type 2 = SOCK_DGRAM, protocol 1 = NFC_SOCKPROTO_LLCP
    fd = socket(AF_NFC, 0x2ul, 0x1ul);
    pthread_t th;
    pthread_create(&th, 0, thr, 0);
    struct sockaddr_nfc_llcp sa;
    socklen_t len = sizeof(sa);   // getsockname() takes socklen_t *, not int *
    getsockname(fd, (struct sockaddr*)&sa, &len);
    return 0;
}


kasan: GPF could be caused by NULL-ptr deref or user memory
accessgeneral protection fault:  [#51] SMP KASAN
Modules linked in:
CPU: 2 PID: 4207 Comm: a.out Not tainted 4.4.0-rc7+ #184
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: 8800683e9780 ti: 880064c7 task.ti: 880064c7
RIP: 0010:[]  []
kasan_report_error+0x1b/0x560
RSP: 0018:880064c77c90  EFLAGS: 00010286
RAX: dc00 RBX: 0003 RCX: dc00
RDX:  RSI: 0003 RDI: 880064c77c98
RBP: 880064c77cc0 R08: ed000c98efd6 R09: 880064c77e58
R10: 8800639670a0 R11: 880063967098 R12: 880064c77e6a
R13:  R14:  R15: 880063967088
FS:  018ca880(0063) GS:88006da0() knlGS:
CS:  0010 DS:  ES:  CR0: 8005003b
CR2: 00c8200012e0 CR3: 64c59000 CR4: 06e0
Stack:
 816d25d4  0018 0003
 00034000 816d17ed 880064c77cd0 816d1264
 880064c77cf8 816d17ed  880064c77e58
Call Trace:
 [< inline >] check_memory_region mm/kasan/kasan.c:264
 [] __asan_loadN+0x124/0x1a0 mm/kasan/kasan.c:512
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:297
 [] llcp_sock_getname+0x424/0x600 net/nfc/llcp_sock.c:519
 [] SYSC_getsockname+0x1bd/0x220 net/socket.c:1570
 [] SyS_getsockname+0x24/0x30 net/socket.c:1555
 [] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Code: 48 01 c7 e8 38 2b fc ff 5d c3 66 0f 1f 44 00 00 48 8b 17 48 b9
00 00 00 00 00 fc ff df 48 8b 77 10 48 89 d0 48 c1 e8 03 48 01 c8 <80>
38 00 75 1d 48 01 d6 eb 13 48 83 c2 08 48 89 d0 48 c1 e8 03
RIP  [] kasan_report_error+0x1b/0x560 mm/kasan/report.c:214
 RSP 
---[ end trace b0c68fb0d02b9447 ]---

On commit 8513342170278468bac126640a5d2d12ffbff106 (Dec 28).
GPF seems to be caused by a data race on socket state.