Received: by 2002:a05:7412:8d09:b0:fa:4c10:6cad with SMTP id bj9csp332556rdb;
        Tue, 16 Jan 2024 01:22:27 -0800 (PST)
X-Google-Smtp-Source: AGHT+IFEfGF9vtZptDMHdoD4dnQHZoruzQYwKUzbErCQd/8RPUcoUqa80vBn+RVbKkI3Em094icX
X-Received: by 2002:a17:90a:f993:b0:28d:c240:3517 with SMTP id cq19-20020a17090af99300b0028dc2403517mr8249352pjb.49.1705396947703;
        Tue, 16 Jan 2024 01:22:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1705396947; cv=none;
        d=google.com; s=arc-20160816;
        b=GiKcr7/d5ImOiGytjwoiNE49kj6/nD2LaDShTZGFddtuA1bGkUfslhjgy9Un+g1C67
         53UNVfkUUwu5UpgIkkxP5xwWqaYXirnFVrqn2JgpHKyaIlpZAD9gY56TGboHoi/BoC00
         WNt6SyNFIZP4/3n6UrDjoTkETKuthkTBAebpRZLGQsA6epnK4HAfWS8HCtRMnos/CPx4
         9xt3nxzWe0N2aceDztSSyv7Yck6wviCYZzPpL5dlNPYyh01bql8Nfa8lDCQ3J64tirI6
         xaiJWZeQLZas+h6g1I7EbDoXcPw5/KUZj8CqIBZJ3n6E1x5hFq9NbuXJ7/CZTGg/CNU7
         WpAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:date
         :subject:cc:to:from:message-id:dkim-signature;
        bh=lIy9wHh+g96JsNjrDnYthtgcgqnhJ+ghbboFhC4b3To=;
        fh=FsDLK2Pc1gjv4/Dxhiteu8XPW89KtegpBNKpzi/00R4=;
        b=yXJrZ/cfJxr9KtHBnxUwsL4cWexLigONQ/ltdqQrJcbo+U2x2BBC4WjoPzLDHYIosc
         RTk4bl+eqEFJtqpbKCjagl5TSOroHM6K44mzm/ZyeDtdw0h3sL2Tyjnze//la2CeBRvz
         7dPmfmKn2PulS8kcJqK1tCHS3uoXXQeZ/lanHZchcGBtXJxqxVBO6XQv9MBDoQhNF3tB
         8ygiGUOhnfeVu7Y7iwXGpnfDtJBjm11U9a1LBU4eSv8i5TbjWTyUGxYLjfY1grX8q2ew
         5tnWi4P1yRmMg0wYV019OJtsScw3cxM6JL846lm4Y4lHDg3xrk+XI2oQykQCoQkfQB25
         wQ+A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@qq.com header.s=s201512 header.b=GDvzY5ew;
       spf=pass (google.com: domain of linux-kernel+bounces-27166-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-27166-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qq.com
Return-Path: <linux-kernel+bounces-27166-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id q11-20020a17090a9f4b00b0028ded0d5690si10505672pjv.95.2024.01.16.01.22.27
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 16 Jan 2024 01:22:27 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-27166-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@qq.com header.s=s201512 header.b=GDvzY5ew;
       spf=pass (google.com: domain of linux-kernel+bounces-27166-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-27166-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=qq.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id EE2E2B22207
	for <linux.lists.archive@gmail.com>; Tue, 16 Jan 2024 09:22:21 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 9687812B77;
	Tue, 16 Jan 2024 09:22:09 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b="GDvzY5ew"
Received: from out162-62-58-216.mail.qq.com (out162-62-58-216.mail.qq.com [162.62.58.216])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 19897125B2
	for <linux-kernel@vger.kernel.org>; Tue, 16 Jan 2024 09:22:04 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=qq.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=qq.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512;
	t=1705396619; bh=lIy9wHh+g96JsNjrDnYthtgcgqnhJ+ghbboFhC4b3To=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References;
	b=GDvzY5ewoL1j17KitP4H3tK8g2EywKVAr2IQkjbgVQGZUE6X9nZesquh2vLubtaXd
	 lHAx33DgORPvanZ0fW57m41RyIy/Lh8jFU96z90dj6SrqrGbkK3dQeKYRqXcRPAfDc
	 oLffTSYwNrkC/tthZ7+HTm6fM14Dd54AVwxZBmGg=
Received: from pek-lxu-l1.wrs.com ([111.198.225.215])
	by newxmesmtplogicsvrsza1-0.qq.com (NewEsmtp) with SMTP
	id 35E86CCF; Tue, 16 Jan 2024 17:13:30 +0800
X-QQ-mid: xmsmtpt1705396410tsyui8bbs
Message-ID: <tencent_674ACC74C977BF672C3C2F37AC97E236F409@qq.com>
X-QQ-XMAILINFO: NvH2zBBgt3uTqLDJ+oJttz4uiJ218HS117yUUOijsOcEdfAtEXrfmON6pnQFf2
	 hgqXiout9Fq0RRqgkq1zRMqtDmwEChyznopyzyMhizf0sxWr4WIyNeS6fABqIjZh3wqHODFlqkKn
	 dlbv3gZyffNSEI75IJlYEiu3zJ2eNeX990/YlNEMcf+EF+eImZTKCHeox/anL7KI9pSZ0WYuoRoX
	 zO+IkvIBkH+/NmtHsmMrHitu+gzWslPMWpSYLwXwpHpQjlGTWoIF1gjZS6k0uhFdsaXojL5cyhM0
	 nbE+/nH9fMN5isOZskjPoyoa8cpgQ76vu/pkm0+Io1BqK5PSRr4Yqj/OF6Yaf64ZFcMrZB4zCcUR
	 hY1Igpq1vF4d9YnhLhfZyAoxQSEyEbxOPSkbo/fDZmYV52aodqyk8D0c6JAqdyH0FxWFw8pppccI
	 6x5U3ToOU4YxO33jrT2MJZh4eqcsllKI5OPkqgarXPSqvLnif8qvURkJUaB1TAEk1sMZFlCdYe/C
	 QSYAeechqvDZsFHD04nkLf0BbhZdoyCmRdFdlFg4U/ZAmddtU8B8xw0er3DaLm0p2XWbFL9BA73z
	 9jxRXgKMFbtJdBodbBxSiJBl7DjKris0gMNNTfz3ps9sf4V8S0uY5jTdVuFDexapgRf9G6svdiSJ
	 WkryBXrtMIPxhNH0ipq3yXLKUFcTuRc1joY0f+5gu94LzCd87f5FPo/A9mMy6epAr9JyucMRAsTy
	 MtAlBq6ZJb1hYkkewqaEtjp4Ru96+xf8WRLcYM/ysr8f73lGql8lrYCD7OibWNdIS9FzoaveTK1q
	 ZESCWPl5pBHy6iv5LwEoewNkQMrXP2OkHhWSkfblx9HXrzRf3mgSP9usfIGipjs+S9ccUzj9UdM/
	 PhtADsig80062YgrKSn1s1g7TQiGHVDE3UtKdZX0yiXctFIT86rkReIoCuoTGZXiDSFo0OsffFip
	 crc3PiLPU=
X-QQ-XMRINFO: M/715EihBoGSf6IYSX1iLFg=
From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+7ec955e36bb239bd720f@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-out-of-bounds Read in dsa_user_prechangeupper
Date: Tue, 16 Jan 2024 17:13:31 +0800
X-OQ-MSGID: <20240116091330.572860-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <00000000000002faa2060f02e766@google.com>
References: <00000000000002faa2060f02e766@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

please test slab-out-of-bounds Read in dsa_user_prechangeupper

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3e7aeb78ab01

diff --git a/net/dsa/user.c b/net/dsa/user.c
index b738a466e2dc..e6bb2c527067 100644
--- a/net/dsa/user.c
+++ b/net/dsa/user.c
@@ -2865,7 +2865,8 @@ static int dsa_user_changeupper(struct net_device *dev,
 static int dsa_user_prechangeupper(struct net_device *dev,
 				   struct netdev_notifier_changeupper_info *info)
 {
-	struct dsa_port *dp = dsa_user_to_port(dev);
+	const struct rtnl_link_ops *ops = dev->rtnl_link_ops;
+	struct dsa_port *dp = ops->priv_size ? dsa_user_to_port(dev) : NULL;
 
 	if (!dsa_user_dev_check(dev))
 		return NOTIFY_DONE;