Message-ID: <3df56245-d104-4ce2-ab88-0fb1d29cd629@siddh.me>
Date: Tue, 14 Nov 2023 17:36:27 +0530
From: Siddh Raman Pant <code@...dh.me>
To: syzbot+bbe84a4010eeea00982d@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
 syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] [nfc?] KASAN: slab-use-after-free Read in
 nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 net/nfc/llcp_sock.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 645677f84dba..699f7f6cc0b8 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -791,33 +791,39 @@ static int llcp_sock_sendmsg(struct socket *sock, struct msghdr *msg,
 	lock_sock(sk);
 
 	if (!llcp_sock->local) {
-		release_sock(sk);
-		return -ENODEV;
+		ret = -ENODEV;
+		goto out;
 	}
 
 	if (sk->sk_type == SOCK_DGRAM) {
+		if (sk->sk_state != LLCP_BOUND) {
+			ret = -ENOLINK;
+			goto out;
+		}
+
 		DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr,
 				 msg->msg_name);
 
 		if (msg->msg_namelen < sizeof(*addr)) {
-			release_sock(sk);
-			return -EINVAL;
+			ret = -EINVAL;
+			goto out;
 		}
 
-		release_sock(sk);
-
-		return nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap,
-					      msg, len);
+		ret = nfc_llcp_send_ui_frame(llcp_sock, addr->dsap, addr->ssap,
+					     msg, len);
+		goto out;
 	}
 
 	if (sk->sk_state != LLCP_CONNECTED) {
-		release_sock(sk);
-		return -ENOTCONN;
+		ret = -ENOTCONN;
+		goto out;
 	}
 
-	release_sock(sk);
+	ret = nfc_llcp_send_i_frame(llcp_sock, msg, len);
 
-	return nfc_llcp_send_i_frame(llcp_sock, msg, len);
+out:
+	release_sock(sk);
+	return ret;
 }
 
 static int llcp_sock_recvmsg(struct socket *sock, struct msghdr *msg,
-- 
2.42.0

Powered by blists - more mailing lists