lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20231221043616.1182-1-hdanton@sina.com>
Date: Thu, 21 Dec 2023 12:36:15 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+d4d8c0fd15a0abe39bcf@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in taprio_dump

On Mon, 18 Dec 2023 06:33:26 -0800
> HEAD commit:    d5b235ec8eab Merge branch 'for-next/core' into for-kernelci
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15e40371e80000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git  d5b235ec8eab

--- x/net/sched/sch_taprio.c
+++ y/net/sched/sch_taprio.c
@@ -1941,6 +1941,9 @@ static int taprio_change(struct Qdisc *s
 
 	/* Protects against enqueue()/dequeue() */
 	spin_lock_bh(qdisc_lock(sch));
+	spin_lock_irqsave(&q->current_entry_lock, flags);
+	oper = rtnl_dereference(q->oper_sched);
+	admin = rtnl_dereference(q->admin_sched);
 
 	if (tb[TCA_TAPRIO_ATTR_TXTIME_DELAY]) {
 		if (!TXTIME_ASSIST_IS_ENABLED(q->flags)) {
@@ -1981,17 +1984,12 @@ static int taprio_change(struct Qdisc *s
 	} else {
 		setup_first_end_time(q, new_admin, start);
 
-		/* Protects against advance_sched() */
-		spin_lock_irqsave(&q->current_entry_lock, flags);
-
 		taprio_start_sched(sch, start, new_admin);
 
 		rcu_assign_pointer(q->admin_sched, new_admin);
 		if (admin)
 			call_rcu(&admin->rcu, taprio_free_sched_cb);
 
-		spin_unlock_irqrestore(&q->current_entry_lock, flags);
-
 		if (FULL_OFFLOAD_IS_ENABLED(q->flags))
 			taprio_offload_config_changed(q);
 	}
@@ -2004,6 +2002,7 @@ static int taprio_change(struct Qdisc *s
 				   "Size table not specified, frame length estimations may be inaccurate");
 
 unlock:
+	spin_unlock_irqrestore(&q->current_entry_lock, flags);
 	spin_unlock_bh(qdisc_lock(sch));
 
 free_sched:
@@ -2393,6 +2392,7 @@ static int taprio_dump(struct Qdisc *sch
 	struct sched_gate_list *oper, *admin;
 	struct tc_mqprio_qopt opt = { 0 };
 	struct nlattr *nest, *sched_nest;
+	int active = hrtimer_cancel(&q->advance_timer);
 
 	oper = rtnl_dereference(q->oper_sched);
 	admin = rtnl_dereference(q->admin_sched);
@@ -2436,6 +2436,10 @@ static int taprio_dump(struct Qdisc *sch
 	nla_nest_end(skb, sched_nest);
 
 done:
+	if (active)
+		hrtimer_start(&q->advance_timer,
+				hrtimer_get_expires(&q->advance_timer),
+				HRTIMER_MODE_ABS);
 	return nla_nest_end(skb, nest);
 
 admin_error:
@@ -2445,6 +2449,10 @@ options_error:
 	nla_nest_cancel(skb, nest);
 
 start_error:
+	if (active)
+		hrtimer_start(&q->advance_timer,
+				hrtimer_get_expires(&q->advance_timer),
+				HRTIMER_MODE_ABS);
 	return -ENOSPC;
 }
 
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ