Re: [syzbot] [net?] KASAN: slab-out-of-bounds Read in dsa_user_prechangeupper

From: Hillf Danton
Date: Tue Jan 16 2024 - 07:34:25 EST


On Mon, 15 Jan 2024 13:43:20 -0800
> syzbot found the following issue on:
>
> HEAD commit: 3e7aeb78ab01 Merge tag 'net-next-6.8' of git://git.kernel...
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12995b33e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/net/dsa/user.c
+++ y/net/dsa/user.c
@@ -2806,13 +2806,14 @@ EXPORT_SYMBOL_GPL(dsa_user_dev_check);
static int dsa_user_changeupper(struct net_device *dev,
struct netdev_notifier_changeupper_info *info)
{
- struct dsa_port *dp = dsa_user_to_port(dev);
+ struct dsa_port *dp;
struct netlink_ext_ack *extack;
int err = NOTIFY_DONE;

if (!dsa_user_dev_check(dev))
return err;

+ dp = dsa_user_to_port(dev);
extack = netdev_notifier_info_to_extack(&info->info);

if (netif_is_bridge_master(info->upper_dev)) {
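Review bot: Nothing in dsa_user_changeupper records why `dp` is no longer initialised at its declaration, so a later tidy-up could fold the call back in and reintroduce the out-of-bounds read that KASAN reported. dsa_user_to_port() presumably interprets the private area of `dev` as DSA data, which is only valid once dsa_user_dev_check(dev) has passed. A comment above the new assignment would pin that, e.g. `/* dev is only known to be a DSA user port after dsa_user_dev_check(); do not read its priv area earlier */`, and the same comment belongs on the matching assignment in dsa_user_prechangeupper in the next hunk. Other notifier paths in this file that call dsa_user_to_port() on an event's netdevice are not visible here and are worth checking for the same ordering; both function bodies continue outside their hunks.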
@@ -2865,11 +2866,13 @@ static int dsa_user_changeupper(struct n
static int dsa_user_prechangeupper(struct net_device *dev,
struct netdev_notifier_changeupper_info *info)
{
- struct dsa_port *dp = dsa_user_to_port(dev);
+ struct dsa_port *dp;

if (!dsa_user_dev_check(dev))
return NOTIFY_DONE;

+ dp = dsa_user_to_port(dev);
+
if (netif_is_bridge_master(info->upper_dev) && !info->linking)
dsa_port_pre_bridge_leave(dp, info->upper_dev);
else if (netif_is_lag_master(info->upper_dev) && !info->linking)
--