Received: by 2002:a05:7412:8d09:b0:fa:4c10:6cad with SMTP id bj9csp415915rdb; Tue, 16 Jan 2024 04:34:27 -0800 (PST) X-Google-Smtp-Source: AGHT+IEEG1pL74nV0gIE4YJCavh5AfufVsg7U+ARmMGqdAL1eqzlAX5P7aEvwFVOIbPYslN5G1em X-Received: by 2002:a05:6402:1506:b0:559:446a:37d8 with SMTP id f6-20020a056402150600b00559446a37d8mr1685082edw.70.1705408467824; Tue, 16 Jan 2024 04:34:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1705408467; cv=none; d=google.com; s=arc-20160816; b=vPgGWRTa3aTzeMez6346XyfuAaJwG/LHsWBxI99/jPj4DQBK5otpYAq8TYWH934LAQ +5rcmg5ukkFNYNYFbqbWCigZUN6SzsHqIELb7VryO778+oX6ef2aeE+TpmsFE79XBh/T F9OWvqsDBjYVkaAXr7F3DuhnyHCP3LC5SKcU3FLHC55A6saOHp63Oj8eBcexA/3ZlPeh 1uQxt5u8yeD5JeRwGC3XERDROfg4+3irxbHOgKXeffeKZyiL7XT5bcRWpU0aplAKsDVW 6FxGRvCnxadZADhB7Nuc7wCiOJrqOjR2feWbafRkGVQwAP/0V3MvijhjJZwxDCpgBNvU Dfcw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :date:subject:cc:to:from; bh=wTPfZPjUvboaEy2SR4Wh0oN4yoQ+pKPcSGXKD23Do2Q=; fh=KJHWuA4LG/t/4KTo7CJCYZIv21Hbsq4LuP7qeWniKX4=; b=0V9HuZPbxWdVSUna2gDibnw9Nx5y/SlNwPGAwWi1L1u8pGIM8MHngNudYnPo2bEa0u lrKqypQbnpk9ysi/YQ/PB4ZpJwAATTtZz8cBGMN7aJ24C0Tc928TpNPnnRorIibuMNra Nks/fnC+e7acmCyW/KZEP/1Xmo4Y6Z/7AHW9sYMuob62pUN529LrkZxRbsNI1yjnCxvK Wo0r+iiF6hkIbBYFw+sUdtgivISHPgOVCR8b9J2mk0FMxRzI+zuCKsg2HVeN3GeXv87+ iBVuiQRLBVAfbucT14vu+0fqmDEdzoBPtWLAOXL+b6Zrd9DQzXbBRZrHj1S8yDK4ULTP uCKQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-27383-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-27383-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id b6-20020a509f06000000b00559c0797f40si79560edf.451.2024.01.16.04.34.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 16 Jan 2024 04:34:27 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-27383-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-27383-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-27383-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 93EDE1F24512 for ; Tue, 16 Jan 2024 12:34:27 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BF1321BC2F; Tue, 16 Jan 2024 12:34:20 +0000 (UTC) Received: from mail114-241.sinamail.sina.com.cn (mail114-241.sinamail.sina.com.cn [218.30.114.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 80A481B295 for ; Tue, 16 Jan 2024 12:34:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sina.com X-SMAIL-HELO: localhost.localdomain Received: from unknown (HELO localhost.localdomain)([113.118.65.196]) by sina.com (172.16.235.24) with ESMTP id 65A67792000039E6; Tue, 16 Jan 2024 20:33:26 +0800 (CST) X-Sender: hdanton@sina.com X-Auth-ID: hdanton@sina.com Authentication-Results: sina.com; spf=none smtp.mailfrom=hdanton@sina.com; dkim=none header.i=none; dmarc=none action=none header.from=hdanton@sina.com X-SMAIL-MID: 29234045089295 X-SMAIL-UIID: 77F30B6FDDA24C0E85023F9AC2B55923-20240116-203326-1 From: Hillf Danton To: syzbot Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [net?] KASAN: slab-out-of-bounds Read in dsa_user_prechangeupper Date: Tue, 16 Jan 2024 20:33:14 +0800 Message-Id: <20240116123314.970-1-hdanton@sina.com> In-Reply-To: <00000000000002faa2060f02e766@google.com> References: <00000000000002faa2060f02e766@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit On Mon, 15 Jan 2024 13:43:20 -0800 > syzbot found the following issue on: > > HEAD commit: 3e7aeb78ab01 Merge tag 'net-next-6.8' of git://git.kernel... > git tree: upstream > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12995b33e80000 #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master --- x/net/dsa/user.c +++ y/net/dsa/user.c @@ -2806,13 +2806,14 @@ EXPORT_SYMBOL_GPL(dsa_user_dev_check); static int dsa_user_changeupper(struct net_device *dev, struct netdev_notifier_changeupper_info *info) { - struct dsa_port *dp = dsa_user_to_port(dev); + struct dsa_port *dp; struct netlink_ext_ack *extack; int err = NOTIFY_DONE; if (!dsa_user_dev_check(dev)) return err; + dp = dsa_user_to_port(dev); extack = netdev_notifier_info_to_extack(&info->info); if (netif_is_bridge_master(info->upper_dev)) { @@ -2865,11 +2866,13 @@ static int dsa_user_changeupper(struct n static int dsa_user_prechangeupper(struct net_device *dev, struct netdev_notifier_changeupper_info *info) { - struct dsa_port *dp = dsa_user_to_port(dev); + struct dsa_port *dp; if (!dsa_user_dev_check(dev)) return NOTIFY_DONE; + dp = dsa_user_to_port(dev); + if (netif_is_bridge_master(info->upper_dev) && !info->linking) dsa_port_pre_bridge_leave(dp, info->upper_dev); else if (netif_is_lag_master(info->upper_dev) && !info->linking) --