Re: [syzbot] [PATCH] Test for aea6bf908d73

From: syzbot
Date: Fri Nov 10 2023 - 14:46:23 EST


For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx.

***

Subject: [PATCH] Test for aea6bf908d73
Author: eadavis@xxxxxx

please test uaf in nfc_alloc_send_skb

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git aea6bf908d73

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index e2680a3bef79..f5dd2d7e41de 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -738,7 +738,8 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,

pr_debug("Send UI frame len %zd\n", len);

- local = sock->local;
+ local = nfc_llcp_find_local(sock->dev);
+ printk("finded: %p, d: %p, %s\n", local, sock->dev, __func__);
if (local == NULL)
return -ENODEV;
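Review bot: The new lookup `local = nfc_llcp_find_local(sock->dev);` has no matching release visible in this hunk. If nfc_llcp_find_local() returns a counted reference (its definition is not on this page), every return path after the lookup needs `nfc_llcp_local_put(local);`, including the paths in the part of nfc_llcp_send_ui_frame that continues outside the hunk; otherwise the reference leaks and the object is never freed. The added `printk` also has no log level and prints `%p`, which the kernel hashes by default, so the logged values can be compared with each other but not with the raw addresses in a KASAN report. `pr_info("%s: local=%p dev=%p\n", __func__, local, sock->dev);` would match the `pr_debug` style used just above, with `%px` acceptable only in a throwaway test patch like this one; the same applies to the printk added to nfc_llcp_remove_local in llcp_core.c.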

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index 1dac28136e6a..8d47f17da904 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -299,6 +299,7 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
spin_lock(&llcp_devices_lock);
list_for_each_entry_safe(local, tmp, &llcp_devices, list)
if (local->dev == dev) {
+ printk("deled: l: %p, d: %p, %s\n", local, dev, __func__);
list_del(&local->list);
spin_unlock(&llcp_devices_lock);
return local;
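Review bot: The added `printk` runs with `llcp_devices_lock` held, which lengthens the spinlock hold time when the console is slow. Both `local` and `dev` are still in hand after `spin_unlock(&llcp_devices_lock);`, so the trace line can move to just before `return local;` without losing information. For the use-after-free being investigated, logging the object's reference count next to the pointer would show whether removal from the list coincides with the last put; the field name is not visible on this page.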
--
2.25.1