From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+e34e5e6b5eddb0014def@syzkaller.appspotmail.com,
	Yue Haibing <yuehaibing@huawei.com>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 025/109] atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
Date: Tue, 15 Jul 2025 15:12:41 +0200
Message-ID: <20250715130759.888124639@linuxfoundation.org>
In-Reply-To: <20250715130758.864940641@linuxfoundation.org>

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yue Haibing <yuehaibing@huawei.com>

[ Upstream commit 22fc46cea91df3dce140a7dc6847c6fcf0354505 ]

atmarpd_dev_ops does not implement the send method, which may cause a crash
as below.

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246
RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000
RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000
RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287
R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00
R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88
FS:  00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:727
 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
 __sys_sendmmsg+0x227/0x430 net/socket.c:2709
 __do_sys_sendmmsg net/socket.c:2736 [inline]
 __se_sys_sendmmsg net/socket.c:2733 [inline]
 __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+e34e5e6b5eddb0014def@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/682f82d5.a70a0220.1765ec.0143.GAE@google.com/T
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250705085228.329202-1-yuehaibing@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/atm/clip.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/atm/clip.c b/net/atm/clip.c
index 936b9558be4b9..53d62361ae460 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -632,8 +632,16 @@ static void atmarpd_close(struct atm_vcc *vcc)
 	module_put(THIS_MODULE);
 }
 
+static int atmarpd_send(struct atm_vcc *vcc, struct sk_buff *skb)
+{
+	atm_return_tx(vcc, skb);
+	dev_kfree_skb_any(skb);
+	return 0;
+}
+
 static const struct atmdev_ops atmarpd_dev_ops = {
-	.close = atmarpd_close
+	.close = atmarpd_close,
+	.send = atmarpd_send
 };
 
 
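Review bot: atmarpd_send() returns 0 after freeing the skb, so a sendmsg() issued on the atmarpd control VCC reports success to the caller while the payload is silently discarded; a short comment above the function stating that this VCC carries no data path and that frames are dropped on purpose would make that intent clear to later readers, and it would be worth noting that the atm_return_tx() call must stay ahead of dev_kfree_skb_any() so the transmit accounting charged for the skb is released before the buffer is gone. With .send now present, the .close-only initializer that let vcc_sendmsg() reach a NULL function pointer is gone, which is the whole of the fix.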
-- 
2.39.5
