Message-ID: <20260121131954.2710459-1-p@1g4.org>
Date: Wed, 21 Jan 2026 13:20:30 +0000
From: Paul Moses <p@....org>
To: netdev@...r.kernel.org
Cc: Jamal Hadi Salim <jhs@...atatu.com>, Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org, Paul Moses <p@....org>
Subject: [PATCH net v3 0/7] net/sched: act_gate RCU schedule update fixes

This series fixes a schedule lifetime race in `act_gate` between the
control-plane replace path and the running hrtimer callback (gate_timer_func).

Before this series, a gate action could be replaced via
`RTM_NEWACTION | NLM_F_REPLACE` while its hrtimer was armed or executing.
The replace path frees the existing schedule entries immediately, but
the timer callback may concurrently dereference and walk the old entry
list to compute the next expiry. This allows the timer to observe freed
memory, leading to UAF or NULL dereference depending on timing and reuse.

The fix publishes gate configuration updates using an RCU snapshot
pattern. A new parameter set (including the schedule list) is fully
constructed first and then swapped in atomically via an RCU-protected
pointer. Readers (timer, dump, and accessors) only dereference the
current snapshot under RCU, and the old snapshot is reclaimed via
`call_rcu()` after the swap. This ensures the timer never observes freed
or partially invalid schedules during a replace.

Additional hardening included in this series:

* Zero-initialize the netlink dump struct to avoid leaking stack padding
* Reject empty schedule lists, which result in undefined runtime behavior
* Guard against NULL parameters in accessors during teardown
* Cancel the hrtimer outside `tcf_lock` to avoid lock inversion with the
  timer callback; cancellation is limited to clockid changes to avoid
  unnecessary blocking

Stable relevance:

* Fixes UAF / NULL deref hazards when a gate action is replaced while the
  timer, dump, or accessors are active
* Fixes a potential deadlock when canceling the hrtimer under `tcf_lock`
* Fixes a padding information leak in netlink dumps
* Dependency chain: patches 2–7 build on patch 1 and on each other

Changes since v2:
* Split patch into logical steps
* Split hardening into explicit empty-schedule rejection and NULL
  accessor guards
* Align `tcf_gate_init()` initialization with net/sched conventions
* Cancel the hrtimer only when the clockid changes on replace
* Allow basetime to advance correctly on REPLACE
* Make `tcf_gate_copy_entries()` leave cleanup to the caller on failure
* Initialize `parse_gate_list()` error handling defensively

Paul Moses (7):
  net/sched: act_gate: zero-initialize netlink dump struct
  net/sched: act_gate: add RCU support for parameter update
  net/sched: act_gate: build schedule and RCU-swap
  net/sched: act_gate: read schedule via RCU
  net/sched: act_gate: cancel timer outside tcf_lock
  net/sched: act_gate: reject empty schedule list
  net/sched: act_gate: guard NULL params in accessors

 include/net/tc_act/tc_gate.h |  65 ++++++--
 net/sched/act_gate.c         | 295 ++++++++++++++++++++++++++---------
 2 files changed, 268 insertions(+), 92 deletions(-)

-- 
2.52.GIT
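
The RCU snapshot-publish pattern the cover letter describes (build the whole parameter set first, swap one pointer, let readers dereference only the current snapshot, reclaim the old one after a grace period) is worth seeing as a runnable model. The block below is an added user-space illustration, not act_gate code and not from the series; it stands in for rcu_assign_pointer()/rcu_dereference()/call_rcu() with C11 atomics and a reader counter, which is a conservative emulation of a grace period rather than how kernel RCU works. All names (gate_params, gate_params_build, gate_params_replace, gate_reclaim, the sample schedules) are hypothetical, and the two schedules are constructed sample input. It also mirrors the empty-schedule rejection and the NULL-safe accessor the cover letter lists.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One schedule entry: how long the gate stays in this state (hypothetical). */
struct gate_entry {
    uint32_t interval_ns;
    bool gate_open;
};

/* The complete parameter set, published as a single unit (hypothetical). */
struct gate_params {
    uint64_t basetime_ns;
    size_t num_entries;
    struct gate_entry *entries;
    struct gate_params *rcu_next;   /* link on the deferred-free list */
};

/* RCU-protected pointer: stand-in for rcu_assign_pointer()/rcu_dereference(). */
static _Atomic(struct gate_params *) current_params;

/* Grace-period emulation (NOT real RCU): readers inside a read-side section,
 * plus snapshots retired by a replace that are not yet safe to free. */
static atomic_int readers_active;
static struct gate_params *retired_list;

/* Build the whole snapshot before anything can see it.
 * Rejects an empty schedule, as patch 6 in the series does. */
struct gate_params *gate_params_build(uint64_t basetime_ns,
                                      const struct gate_entry *src, size_t n)
{
    if (n == 0 || src == NULL)
        return NULL;
    struct gate_params *p = calloc(1, sizeof(*p));
    if (!p)
        return NULL;
    p->entries = calloc(n, sizeof(*p->entries));
    if (!p->entries) {
        free(p);
        return NULL;
    }
    memcpy(p->entries, src, n * sizeof(*src));
    p->num_entries = n;
    p->basetime_ns = basetime_ns;
    return p;
}

static void gate_params_free(struct gate_params *p)
{
    if (!p)
        return;
    free(p->entries);
    free(p);
}

/* Reader side (timer, dump, accessors): register as a reader FIRST, then
 * load the pointer, so a writer can never see "no readers" between the two. */
struct gate_params *gate_read_lock(void)
{
    atomic_fetch_add(&readers_active, 1);
    return atomic_load(&current_params);
}

void gate_read_unlock(void)
{
    atomic_fetch_sub(&readers_active, 1);
}

/* What a timer callback computes by walking the entry list: the cycle
 * length. NULL-safe, as the accessors become in patch 7. */
uint64_t gate_cycle_time(const struct gate_params *p)
{
    if (!p)
        return 0;
    uint64_t cycle = 0;
    for (size_t i = 0; i < p->num_entries; i++)
        cycle += p->entries[i].interval_ns;
    return cycle;
}

/* Writer side (replace): swap in the finished snapshot and retire the old
 * one. The old snapshot is deliberately NOT freed here; see gate_reclaim(). */
void gate_params_replace(struct gate_params *fresh)
{
    struct gate_params *old = atomic_exchange(&current_params, fresh);
    if (old) {
        old->rcu_next = retired_list;
        retired_list = old;
    }
}

/* Stand-in for the call_rcu() callback running after a grace period:
 * free retired snapshots only when no reader can still hold one.
 * Returns how many were freed. */
size_t gate_reclaim(void)
{
    if (atomic_load(&readers_active) != 0)
        return 0;                   /* a reader may still be walking an old list */
    size_t freed = 0;
    while (retired_list) {
        struct gate_params *p = retired_list;
        retired_list = p->rcu_next;
        gate_params_free(p);
        freed++;
    }
    return freed;
}

struct demo_result {
    uint64_t cycle_seen_by_timer;     /* computed from the pre-replace snapshot */
    size_t freed_while_reader_active; /* must be 0, or it would be a UAF */
    size_t freed_after_reader_done;   /* the retired snapshot, freed late */
    uint64_t cycle_after;             /* what a new reader sees */
};

/* The race from the cover letter: the timer is mid-walk when a replace lands.
 * With an immediate free the walk would touch freed memory; with the
 * snapshot pattern the timer keeps a complete old schedule and reclamation
 * waits. Idempotent, so it can be called repeatedly. */
struct demo_result gate_demo_replace_during_read(void)
{
    const struct gate_entry sched_a[] = { {1000, true}, {2000, false} };      /* constructed */
    const struct gate_entry sched_b[] = { {500, true}, {500, false}, {4000, true} };
    struct demo_result r;

    gate_params_replace(NULL);              /* reset: retire anything current... */
    gate_reclaim();                         /* ...and free it (no readers yet) */
    gate_params_replace(gate_params_build(0, sched_a, 2));

    struct gate_params *seen = gate_read_lock();            /* timer fires */
    gate_params_replace(gate_params_build(0, sched_b, 3));  /* NLM_F_REPLACE lands */
    r.freed_while_reader_active = gate_reclaim();
    r.cycle_seen_by_timer = gate_cycle_time(seen);          /* old list, still valid */
    gate_read_unlock();
    r.freed_after_reader_done = gate_reclaim();

    struct gate_params *now = gate_read_lock();
    r.cycle_after = gate_cycle_time(now);
    gate_read_unlock();
    return r;
}

int main(void)
{
    struct demo_result r = gate_demo_replace_during_read();
    printf("timer saw cycle %llu ns, freed during read: %zu, after: %zu, new cycle %llu ns\n",
           (unsigned long long)r.cycle_seen_by_timer, r.freed_while_reader_active,
           r.freed_after_reader_done, (unsigned long long)r.cycle_after);
    return 0;
}
```

The point to carry back to the kernel code is the ordering, not the counter: the reader registers before it dereferences, the writer publishes a complete object and only then schedules reclamation, and nothing ever frees under the reader's feet. In the kernel the grace period is tracked by RCU itself, so there is no shared counter and no spinning; the shape of the read and replace paths is the same.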
