Message-ID: <20250705084214.2579-1-hdanton@sina.com>
Date: Sat,  5 Jul 2025 16:42:12 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+1261670bbdefc5485a06@...kaller.appspotmail.com>
Cc: Cong Wang <xiyou.wangcong@...il.com>,
	Lizhi Xu <lizhi.xu@...driver.com>,
	linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] general protection fault in qdisc_tree_reduce_backlog

> > Date: Thu, 03 Jul 2025 22:20:37 -0700
> > syzbot found the following issue on:
> > 
> > HEAD commit:    bd475eeaaf3c Merge branch '200GbE' of git://git.kernel.org..
> > git tree:       net
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=12f0b3d4580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=36b0e72cad5298f8
> > dashboard link: https://syzkaller.appspot.com/bug?extid=1261670bbdefc5485a06
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164d8c8c580000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14839ebc580000
> 
> Date: Fri, 4 Jul 2025 22:07:34 -0700 Cong Wang wrote:
> Maybe I didn't make it clear, I think Victor's patch also fixes this
> bug.
> 
> https://lore.kernel.org/netdev/20250704163422.160424-1-victor@mojatatu.com/
> 
> Can you check if you still see the crash with his fix?

#syz test

--- x/net/sched/sch_api.c
+++ y/net/sched/sch_api.c
@@ -336,17 +336,22 @@ out:
 	return q;
 }
 
-static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid)
+static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid,
+				struct netlink_ext_ack *extack)
 {
 	unsigned long cl;
 	const struct Qdisc_class_ops *cops = p->ops->cl_ops;
 
-	if (cops == NULL)
-		return NULL;
+	if (cops == NULL) {
+		NL_SET_ERR_MSG(extack, "Parent qdisc is not classful");
+		return ERR_PTR(-EOPNOTSUPP);
+	}
 	cl = cops->find(p, classid);
 
-	if (cl == 0)
-		return NULL;
+	if (cl == 0) {
+		NL_SET_ERR_MSG(extack, "Specified class not found");
+		return ERR_PTR(-ENOENT);
+	}
 	return cops->leaf(p, cl);
 }
 
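Review bot: qdisc_leaf() now has three distinct outcomes and nothing at the definition says so: an ERR_PTR for a classless parent or a missing class, or otherwise whatever `cops->leaf(p, cl)` returns on the last line, which the __tc_get_qdisc hunk still treats as possibly NULL. A comment above the function would keep a later caller from testing only `!q` or only `IS_ERR(q)`, for example `/* Returns the leaf qdisc, NULL if cops->leaf() has none, or ERR_PTR(-EOPNOTSUPP / -ENOENT) with extack set. */`. A caller that checks only for NULL would go on to dereference the encoded error value, so any call site outside these hunks needs the same handling. The added parameter should make the compiler flag any that were missed.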
@@ -1490,16 +1495,20 @@ static int __tc_get_qdisc(struct sk_buff
 					NL_SET_ERR_MSG(extack, "Failed to find qdisc with specified classid");
 					return -ENOENT;
 				}
-				q = qdisc_leaf(p, clid);
+				q = qdisc_leaf(p, clid, extack);
 			} else if (dev_ingress_queue(dev)) {
 				q = rtnl_dereference(dev_ingress_queue(dev)->qdisc_sleeping);
 			}
 		} else {
 			q = rtnl_dereference(dev->qdisc);
 		}
-		if (!q) {
-			NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device");
-			return -ENOENT;
+		if (IS_ERR_OR_NULL(q)) {
+			if (!q) {
+				NL_SET_ERR_MSG(extack,
+					       "Cannot find specified qdisc on specified device");
+				return -ENOENT;
+			}
+			return PTR_ERR(q);
 		}
 
 		if (tcm->tcm_handle && q->handle != tcm->tcm_handle) {
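Review bot: The error check in __tc_get_qdisc sits where three sources of `q` merge, although only the qdisc_leaf() branch can yield an ERR_PTR, and the nested `IS_ERR_OR_NULL(q)` / `!q` test is harder to follow than the form this same patch uses in __tc_modify_qdisc. Placing `if (IS_ERR(q)) return PTR_ERR(q);` directly after `q = qdisc_leaf(p, clid, extack);` would leave the original `if (!q)` block untouched and make both call sites read the same way. The function starts and ends outside the hunk, so this assumes no other path between the call and the check assigns `q`.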
@@ -1602,7 +1611,9 @@ static int __tc_modify_qdisc(struct sk_b
 					NL_SET_ERR_MSG(extack, "Failed to find specified qdisc");
 					return -ENOENT;
 				}
-				q = qdisc_leaf(p, clid);
+				q = qdisc_leaf(p, clid, extack);
+				if (IS_ERR(q))
+					return PTR_ERR(q);
 			} else if (dev_ingress_queue_create(dev)) {
 				q = rtnl_dereference(dev_ingress_queue(dev)->qdisc_sleeping);
 			}
--
