Re: [syzbot] [net?] KASAN: slab-use-after-free Read in __ethtool_get_link_ksettings

From: Hillf Danton
Date: Sat Sep 28 2024 - 04:22:29 EST


> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: d505d3593b52 net: wwan: qcom_bam_dmux: Fix missing pm_runt..
> git tree: net
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=150d959f980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 61387b8dcf1d

--- l/drivers/infiniband/core/verbs.c
+++ v/drivers/infiniband/core/verbs.c
@@ -1976,15 +1976,14 @@ int ib_get_eth_speed(struct ib_device *d
if (rdma_port_get_link_layer(dev, port_num) != IB_LINK_LAYER_ETHERNET)
return -EINVAL;

- netdev = ib_device_get_netdev(dev, port_num);
- if (!netdev)
- return -ENODEV;
-
rtnl_lock();
- rc = __ethtool_get_link_ksettings(netdev, &lksettings);
+ netdev = ib_device_get_netdev(dev, port_num);
+ if (netdev)
+ rc = __ethtool_get_link_ksettings(netdev, &lksettings);
rtnl_unlock();

- dev_put(netdev);
+ if (!netdev)
+ return -ENODEV;

if (!rc && lksettings.base.speed != (u32)SPEED_UNKNOWN) {
netdev_speed = lksettings.base.speed;
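Review bot: in the rtnl-locked section, rc is assigned only when netdev is non-NULL, and the NULL case is handled by a second test after rtnl_unlock(). This is correct only because `if (!netdev) return -ENODEV;` sits before the first read of rc. Handling the failure where it is detected, i.e. `if (!netdev) { rtnl_unlock(); return -ENODEV; }`, and then calling __ethtool_get_link_ksettings() unconditionally would remove both the duplicate test and the conditionally assigned rc. The patch also has no changelog; a sentence on why ib_device_get_netdev() must be called with rtnl_lock() held should accompany it if it is submitted beyond this syz test.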
@@ -1995,6 +1994,7 @@ int ib_get_eth_speed(struct ib_device *d
netdev->name, netdev_speed);
}

+ dev_put(netdev);
ib_get_width_and_speed(netdev_speed, lksettings.lanes,
speed, width);

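Review bot: the added dev_put(netdev) now comes after the block that reads netdev->name, so the reference covers that read, but nothing in the code says the ordering is deliberate. A one-line comment above dev_put() stating that the reference must be held until the last use of netdev->name would keep a later cleanup from moving the put back up next to rtnl_unlock(). Any return added between ib_device_get_netdev() and this dev_put() will also need its own put; in the visible lines the only such return is the !netdev one, which needs none.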
--