lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 20 Dec 2023 19:15:54 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+d4d8c0fd15a0abe39bcf@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in taprio_dump

On Mon, 18 Dec 2023 06:33:26 -0800
> HEAD commit:    d5b235ec8eab Merge branch 'for-next/core' into for-kernelci
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15e40371e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git  d5b235ec8eab

--- x/net/sched/sch_taprio.c
+++ y/net/sched/sch_taprio.c
@@ -1975,9 +1975,12 @@ static int taprio_change(struct Qdisc *s
 			goto unlock;
 		}
 
+		spin_lock_irqsave(&q->current_entry_lock, flags);
+		admin = rtnl_dereference(q->admin_sched);
 		rcu_assign_pointer(q->admin_sched, new_admin);
 		if (admin)
 			call_rcu(&admin->rcu, taprio_free_sched_cb);
+		spin_unlock_irqrestore(&q->current_entry_lock, flags);
 	} else {
 		setup_first_end_time(q, new_admin, start);
 
@@ -2393,6 +2396,7 @@ static int taprio_dump(struct Qdisc *sch
 	struct sched_gate_list *oper, *admin;
 	struct tc_mqprio_qopt opt = { 0 };
 	struct nlattr *nest, *sched_nest;
+	int active = hrtimer_cancel(&q->advance_timer);
 
 	oper = rtnl_dereference(q->oper_sched);
 	admin = rtnl_dereference(q->admin_sched);
@@ -2436,6 +2440,10 @@ static int taprio_dump(struct Qdisc *sch
 	nla_nest_end(skb, sched_nest);
 
 done:
+	if (active)
+		hrtimer_start(&q->advance_timer,
+				hrtimer_get_expires(&q->advance_timer),
+				HRTIMER_MODE_ABS);
 	return nla_nest_end(skb, nest);
 
 admin_error:
@@ -2445,6 +2453,10 @@ options_error:
 	nla_nest_cancel(skb, nest);
 
 start_error:
+	if (active)
+		hrtimer_start(&q->advance_timer,
+				hrtimer_get_expires(&q->advance_timer),
+				HRTIMER_MODE_ABS);
 	return -ENOSPC;
 }
 
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ