Date: Sat, 14 Mar 2020 20:42:03 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: xiyou.wangcong@...il.com
Cc: netdev@...r.kernel.org, syzbot+653090db2562495901dc@...kaller.appspotmail.com, jhs@...atatu.com, jiri@...nulli.us
Subject: Re: [Patch net] net_sched: hold rtnl lock in tcindex_partial_destroy_work()

From: Cong Wang <xiyou.wangcong@...il.com>
Date: Wed, 11 Mar 2020 22:42:27 -0700

> syzbot reported a use-after-free in tcindex_dump(). This is due to
> the lack of RTNL in the deferred rcu work. We queue this work with
> RTNL in tcindex_change(), later, tcindex_dump() is called:
>
>         fh = tp->ops->get(tp, t->tcm_handle);
>         ...
>         err = tp->ops->change(..., &fh, ...);
>         tfilter_notify(..., fh, ...);
>
> but there is nothing to serialize the pending
> tcindex_partial_destroy_work() with tcindex_dump().
>
> Fix this by simply holding RTNL in tcindex_partial_destroy_work(),
> so that it won't be called until RTNL is released after
> tc_new_tfilter() is completed.
>
> Reported-and-tested-by: syzbot+653090db2562495901dc@...kaller.appspotmail.com
> Fixes: 3d210534cc93 ("net_sched: fix a race condition in tcindex_destroy()")
> Cc: Jamal Hadi Salim <jhs@...atatu.com>
> Cc: Jiri Pirko <jiri@...nulli.us>
> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>

Applied and queued up for -stable, thanks Cong.
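
The serialization the quoted commit message relies on, as an added example that is not part of the thread or the kernel source: a deterministic, single-threaded userspace model in C, where one flag stands in for RTNL and another marks the object as freed instead of calling free(). All names (filter_data, run_deferred_work, new_tfilter_hits_freed) are hypothetical, and the point at which the worker gets scheduled is an assumed interleaving.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model, not kernel code. All names here are hypothetical. */
struct filter_data { bool freed; };   /* object the deferred work destroys */

static bool rtnl_held;                /* models RTNL being held by the caller */
static struct filter_data *pending;   /* queued deferred destroy work, if any */
static bool work_takes_rtnl;          /* false = before the fix, true = after */

/* Models the deferred destroy work getting a chance to run. With the fix it
 * would block in rtnl_lock(), so while RTNL is held it stays queued. */
static void run_deferred_work(void)
{
    if (!pending)
        return;
    if (work_takes_rtnl && rtnl_held)
        return;                       /* cannot proceed until RTNL is released */
    pending->freed = true;            /* models kfree(); a flag avoids real UB */
    pending = NULL;
}

/* Models one tc_new_tfilter() call: ->change() queues the work, then the
 * notify/dump step reads the object. Returns true if the dump step saw an
 * object the deferred work had already destroyed (the use-after-free). */
bool new_tfilter_hits_freed(bool fixed)
{
    struct filter_data old = { .freed = false };
    bool uaf;

    work_takes_rtnl = fixed;
    rtnl_held = true;                 /* rtnl_lock() in the netlink path */
    pending = &old;                   /* ->change() queues the destroy work */
    run_deferred_work();              /* assumed: worker is scheduled here */
    uaf = old.freed;                  /* tfilter_notify() -> ->dump() */
    rtnl_held = false;                /* rtnl_unlock() */
    run_deferred_work();              /* with the fix, the work runs only now */
    return uaf;
}

int main(void)
{
    /* Exit 0 when the unfixed run hits freed data and the fixed run does not. */
    return (new_tfilter_hits_freed(false) && !new_tfilter_hits_freed(true)) ? 0 : 1;
}
```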