Message-ID: <aGhr2R3vkwBT/uiv@pop-os.localdomain>
Date: Fri, 4 Jul 2025 17:03:37 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Lizhi Xu <lizhi.xu@...driver.com>
Cc: syzbot+1261670bbdefc5485a06@...kaller.appspotmail.com,
	davem@...emloft.net, edumazet@...gle.com, horms@...nel.org,
	jhs@...atatu.com, jiri@...nulli.us, kuba@...nel.org,
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
	pabeni@...hat.com, syzkaller-bugs@...glegroups.com,
	Victor Nogueira <victor@...atatu.com>
Subject: Re: [PATCH] net/sched: Prevent notify to parent who unsupport class
 ops

(Cc Victor)

On Fri, Jul 04, 2025 at 04:04:21PM +0800, Lizhi Xu wrote:
> If the parent qdisc does not support class operations then exit notify.
> 
> In addition, the validity of the cl value is judged before executing the
> notify. Similarly, the notify is exited when the address represented by
> its value is invalid.
> 
> Reported-by: syzbot+1261670bbdefc5485a06@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=1261670bbdefc5485a06
> Tested-by: syzbot+1261670bbdefc5485a06@...kaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>

Victor also posted a fix here:
https://lore.kernel.org/netdev/20250704163422.160424-1-victor@mojatatu.com/

I asked Victor there if we still need to patch
qdisc_tree_reduce_backlog().

> ---
>  net/sched/sch_api.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
> index d8a33486c51..53fd63af14d 100644
> --- a/net/sched/sch_api.c
> +++ b/net/sched/sch_api.c
> @@ -803,12 +803,13 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
>  			break;
>  		}
>  		cops = sch->ops->cl_ops;
> -		if (notify && cops->qlen_notify) {
> +		if (cops && notify && cops->qlen_notify) {

I think 'notify' should be tested first, as it was.

>  			/* Note that qlen_notify must be idempotent as it may get called
>  			 * multiple times.
>  			 */
>  			cl = cops->find(sch, parentid);
> -			cops->qlen_notify(sch, cl);
> +			if (virt_addr_valid(cl))
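
Review bot: On the added "if (virt_addr_valid(cl))" line, the guard asks whether the value returned by cops->find(sch, parentid) is a valid kernel virtual address, which is a different question from whether find() located a class for parentid. When the check fails the notify is skipped silently, so a bad value is hidden rather than traced to its source. If the intent is to skip when no class matches, test the return value directly, and say in the commit message which parent qdisc reaches this point with sch->ops->cl_ops unset so the new "cops &&" test in the condition above is justified. The commit message also carries no Fixes: tag alongside its Reported-by and Closes lines.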

This is not how we test NULL or error pointers. Just "if (cl)" should
be sufficient for NULL case.

Thanks.
