From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+0c77cccd6b7cd917b35a@syzkaller.appspotmail.com,
Kuniyuki Iwashima <kuniyu@google.com>,
Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 14/77] atm: clip: Fix infinite recursive call of clip_push().
Date: Tue, 15 Jul 2025 15:13:13 +0200 [thread overview]
Message-ID: <20250715130752.266091930@linuxfoundation.org> (raw)
In-Reply-To: <20250715130751.668489382@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit c489f3283dbfc0f3c00c312149cae90d27552c45 ]
syzbot reported the splat below. [0]
This happens if we call ioctl(ATMARP_MKIP) more than once.
During the first call, clip_mkip() sets clip_push() to vcc->push(),
and the second call copies it to clip_vcc->old_push().
Later, when the socket is close()d, vcc_destroy_socket() passes
NULL skb to clip_push(), which calls clip_vcc->old_push(),
triggering the infinite recursion.
Let's prevent the second ioctl(ATMARP_MKIP) by checking
vcc->user_back, which is allocated by the first call as clip_vcc.
Note also that we use lock_sock() to prevent racy calls.
[0]:
BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)
Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191
Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00
RSP: 0018:ffffc9000d670000 EFLAGS: 00010246
RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000
RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e
R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300
R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578
FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0
Call Trace:
<TASK>
clip_push+0x6dc/0x720 net/atm/clip.c:200
clip_push+0x6dc/0x720 net/atm/clip.c:200
clip_push+0x6dc/0x720 net/atm/clip.c:200
...
clip_push+0x6dc/0x720 net/atm/clip.c:200
clip_push+0x6dc/0x720 net/atm/clip.c:200
clip_push+0x6dc/0x720 net/atm/clip.c:200
vcc_destroy_socket net/atm/common.c:183 [inline]
vcc_release+0x157/0x460 net/atm/common.c:205
__sock_release net/socket.c:647 [inline]
sock_close+0xc0/0x240 net/socket.c:1391
__fput+0x449/0xa70 fs/file_table.c:465
task_work_run+0x1d1/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff31c98e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f
R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c
R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090
</TASK>
Modules linked in:
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+0c77cccd6b7cd917b35a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2371d94d248d126c1eb1
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250704062416.1613927-4-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/atm/clip.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/atm/clip.c b/net/atm/clip.c
index 14b485f725d0c..936b9558be4b9 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -429,6 +429,8 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
if (!vcc->push)
return -EBADFD;
+ if (vcc->user_back)
+ return -EINVAL;
clip_vcc = kmalloc(sizeof(struct clip_vcc), GFP_KERNEL);
if (!clip_vcc)
return -ENOMEM;
--
2.39.5
next prev parent reply other threads:[~2025-07-15 13:28 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-15 13:12 [PATCH 5.15 00/77] 5.15.189-rc1 review Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 01/77] drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 02/77] ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 03/77] perf: Revert to requiring CAP_SYS_ADMIN for uprobes Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 04/77] fix proc_sys_compare() handling of in-lookup dentries Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 05/77] netlink: Fix wraparounds of sk->sk_rmem_alloc Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 06/77] tipc: Fix use-after-free in tipc_conn_close() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 07/77] vsock: Fix transport_{g2h,h2g} TOCTOU Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 08/77] vsock: Fix transport_* TOCTOU Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 09/77] vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 10/77] net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 11/77] net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 12/77] atm: clip: Fix potential null-ptr-deref in to_atmarpd() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 13/77] atm: clip: Fix memory leak of struct clip_vcc Greg Kroah-Hartman
2025-07-15 13:13 ` Greg Kroah-Hartman [this message]
2025-07-15 13:13 ` [PATCH 5.15 15/77] atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 16/77] net/sched: Abort __tc_modify_qdisc if parent class does not exist Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 17/77] fs/proc: do_task_stat: use __for_each_thread() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 18/77] ice: safer stats processing Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 19/77] rxrpc: Fix oops due to non-existence of prealloc backlog struct Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 20/77] bpf: fix precision backtracking instruction iteration Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 21/77] thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 22/77] aoe: avoid potential deadlock at set_capacity Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 23/77] bpf, sockmap: Fix skb refcnt race after locking changes Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 24/77] jfs: fix null ptr deref in dtInsertEntry Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 25/77] xen: replace xen_remap() with memremap() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 26/77] x86/mce/amd: Fix threshold limit reset Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 27/77] x86/mce: Dont remove sysfs if thresholding sysfs init fails Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 28/77] x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 29/77] gre: Fix IPv6 multicast route creation Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 30/77] pinctrl: qcom: msm: mark certain pins as invalid for interrupts Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 31/77] drm/sched: Increment job count before swapping tail spsc queue Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 32/77] drm/gem: Fix race in drm_gem_handle_create_tail() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 33/77] usb: gadget: u_serial: Fix race condition in TTY wakeup Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 34/77] Revert "ACPI: battery: negate current when discharging" Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 35/77] btrfs: propagate last_unlink_trans earlier when doing a rmdir Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 36/77] btrfs: use btrfs_record_snapshot_destroy() during rmdir Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 37/77] RDMA/mlx5: Fix vport loopback for MPV device Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 38/77] pwm: mediatek: Ensure to disable clocks in error path Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 39/77] netlink: Fix rmem check in netlink_broadcast_deliver() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 40/77] netlink: make sure we allow at least one dump skb Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 41/77] virtio-net: ensure the received length does not exceed allocated size Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 42/77] xhci: Allow RPM on the USB controller (1022:43f7) by default Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 43/77] usb: xhci: quirk for data loss in ISOC transfers Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 44/77] xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 45/77] Input: xpad - support Acer NGR 200 Controller Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 46/77] usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 47/77] usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 48/77] usb: cdnsp: Fix issue with CV Bad Descriptor test Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 49/77] usb: dwc3: Abort suspend on soft disconnect failure Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 50/77] dma-buf: add dma_resv_for_each_fence_unlocked v8 Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 51/77] dma-buf: use new iterator in dma_resv_wait_timeout Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 52/77] dma-buf: fix timeout handling in dma_resv_wait_timeout v2 Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 53/77] platform/x86: think-lmi: Fix sysfs group cleanup Greg Kroah-Hartman
2025-07-15 18:38 ` Kurt Borja
2025-07-15 19:00 ` Kurt Borja
2025-07-15 19:04 ` Sasha Levin
2025-07-15 19:22 ` Kurt Borja
2025-07-15 19:12 ` Sasha Levin
2025-07-15 21:18 ` Kurt Borja
2025-07-15 13:13 ` [PATCH 5.15 54/77] wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 55/77] md/raid1: Fix stack memory use after return in raid1_reshape Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 56/77] raid10: cleanup memleak at raid10_make_request Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 57/77] nbd: fix uaf in nbd_genl_connect() error path Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 58/77] smb: server: make use of rdma_destroy_qp() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 59/77] ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 5.15 60/77] netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 61/77] net: appletalk: Fix device refcount leak in atrtr_create() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 62/77] net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 63/77] can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 64/77] net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 65/77] bnxt_en: Fix DCB ETS validation Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 66/77] bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 67/77] atm: idt77252: Add missing `dma_map_error()` Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 68/77] um: vector: Reduce stack usage in vector_eth_configure() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 69/77] net: usb: qmi_wwan: add SIMCom 8230C composition Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 70/77] HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 71/77] vt: add missing notification when switching back to text mode Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 72/77] HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 73/77] HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 74/77] Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 75/77] vhost-scsi: protect vq->log_used with vq->mutex Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 76/77] x86/mm: Disable hugetlb page table sharing on 32-bit Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 5.15 77/77] x86: Fix X86_FEATURE_VERW_CLEAR definition Greg Kroah-Hartman
2025-07-15 16:20 ` [PATCH 5.15 00/77] 5.15.189-rc1 review Vijayendra Suman
2025-07-16 14:59 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250715130752.266091930@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+0c77cccd6b7cd917b35a@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.