| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 Jan 2023 10:07:43 +0800
From: shaozhengchao <shaozhengchao@...wei.com>
To: Cong Wang <xiyou.wangcong@...il.com>,
Eric Dumazet <edumazet@...gle.com>
CC: "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, <netdev@...r.kernel.org>,
<eric.dumazet@...il.com>, syzbot <syzkaller@...glegroups.com>,
Alexander Potapenko <glider@...gle.com>,
Vinicius Costa Gomes <vinicius.gomes@...el.com>
Subject: Re: [PATCH net] net/sched: sch_taprio: fix possible use-after-free
On 2023/1/16 8:35, Cong Wang wrote:
> On Fri, Jan 13, 2023 at 04:48:49PM +0000, Eric Dumazet wrote:
>> syzbot reported a nasty crash [1] in net_tx_action() which
>> made little sense until we got a repro.
>>
>> This repro installs a taprio qdisc, but providing an
>> invalid TCA_RATE attribute.
>>
>> qdisc_create() has to destroy the just initialized
>> taprio qdisc, and taprio_destroy() is called.
>>
>> However, the hrtimer used by taprio had already fired,
>> therefore advance_sched() called __netif_schedule().
>>
>> Then net_tx_action was trying to use a destroyed qdisc.
>>
>> We can not undo the __netif_schedule(), so we must wait
>> until one cpu serviced the qdisc before we can proceed.
>>
>
> This workaround looks a bit ugly. I think we _may_ be able to make
> hrtimer_start() as the last step of the initialization, IOW, move other
> validations and allocations before it.
>
> Can you share your reproducer?
>
> Thanks,
Maybe the issue is the same as
https://syzkaller.appspot.com/bug?id=1ccb246eecb5114c440218336e4c7205aed5f2c8
Powered by blists - more mailing lists