lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <5cdd5051-7c7f-6686-88bd-4061f529c064@gmail.com>
Date:   Mon, 13 Jul 2020 20:32:23 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     qiang.zhang@...driver.com, jmaloy@...hat.com,
        ying.xue@...driver.com, davem@...emloft.net, kuba@...nel.org,
        tuong.t.lien@...tech.com.au
Cc:     netdev@...r.kernel.org, tipc-discussion@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tipc: Don't using smp_processor_id() in preemptible code



On 7/13/20 6:53 PM, qiang.zhang@...driver.com wrote:
> From: Zhang Qiang <qiang.zhang@...driver.com>
> 
> CPU: 0 PID: 6801 Comm: syz-executor201 Not tainted 5.8.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 01/01/2011
>
> Reported-by: syzbot+263f8c0d007dc09b2dda@...kaller.appspotmail.com
> Signed-off-by: Zhang Qiang <qiang.zhang@...driver.com>
> ---
>  net/tipc/crypto.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
> index 8c47ded2edb6..520af0afe1b3 100644
> --- a/net/tipc/crypto.c
> +++ b/net/tipc/crypto.c
> @@ -399,9 +399,10 @@ static void tipc_aead_users_set(struct tipc_aead __rcu *aead, int val)
>   */
>  static struct crypto_aead *tipc_aead_tfm_next(struct tipc_aead *aead)
>  {
> -	struct tipc_tfm **tfm_entry = this_cpu_ptr(aead->tfm_entry);
> +	struct tipc_tfm **tfm_entry = get_cpu_ptr(aead->tfm_entry);
>  
>  	*tfm_entry = list_next_entry(*tfm_entry, list);
> +	put_cpu_ptr(tfm_entry);
>  	return (*tfm_entry)->tfm;
>  }
>  
> 

This seems to hide a real bug.

Presumably callers of this function should have disable preemption, and maybe interrupts as well.

In any case, a Fixes: tag would be welcomed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ