lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 21 Mar 2020 11:19:20 +0100 From: Thomas Gleixner <tglx@...utronix.de> To: syzbot <syzbot+46f513c3033d592409d2@...kaller.appspotmail.com>, davem@...emloft.net, jhs@...atatu.com, jiri@...nulli.us, kuba@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com, xiyou.wangcong@...il.com Subject: Re: WARNING: ODEBUG bug in tcindex_destroy_work (3) syzbot <syzbot+46f513c3033d592409d2@...kaller.appspotmail.com> writes: > syzbot has found a reproducer for the following crash on: > > HEAD commit: 74522e7b net: sched: set the hw_stats_type in pedit loop > git tree: net-next > console output: https://syzkaller.appspot.com/x/log.txt?x=14c85173e00000 > kernel config: https://syzkaller.appspot.com/x/.config?x=b5acf5ac38a50651 > dashboard link: https://syzkaller.appspot.com/bug?extid=46f513c3033d592409d2 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17bfff65e00000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+46f513c3033d592409d2@...kaller.appspotmail.com > > ------------[ cut here ]------------ > ODEBUG: free active (active state 0) object type: work_struct hint: tcindex_destroy_rexts_work+0x0/0x20 net/sched/cls_tcindex.c:143 ... > __debug_check_no_obj_freed lib/debugobjects.c:967 [inline] > debug_check_no_obj_freed+0x2e1/0x445 lib/debugobjects.c:998 > kfree+0xf6/0x2b0 mm/slab.c:3756 > tcindex_destroy_work+0x2e/0x70 net/sched/cls_tcindex.c:231 So this is: kfree(p->perfect); Looking at the place which queues that work: tcindex_destroy() if (p->perfect) { if (tcf_exts_get_net(&r->exts)) tcf_queue_work(&r-rwork, tcindex_destroy_rexts_work); else __tcindex_destroy_rexts(r) } ..... tcf_queue_work(&p->rwork, tcindex_destroy_work); So obviously if tcindex_destroy_work() runs before tcindex_destroy_rexts_work() then the above happens. Thanks, tglx
Powered by blists - more mailing lists