lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20251211182303.5251e1e2@kernel.org>
Date: Thu, 11 Dec 2025 18:23:03 +0900
From: Jakub Kicinski <kuba@...nel.org>
To: Xiang Mei <xmei5@....edu>
Cc: Cong Wang <xiyou.wangcong@...il.com>, security@...nel.org,
 netdev@...r.kernel.org, jhs@...atatu.com, jiri@...nulli.us
Subject: Re: [PATCH net] net/sched: sch_qfq: Fix NULL deref when
 deactivating

On Mon, 8 Dec 2025 15:17:57 -0700 Xiang Mei wrote:
> Sorry for not explaining that. This PoC could be complex to use TC to
> trigger. I was thinking about the same thing: transforming this C
> program to `tc` commands so we can have a tc-tests case, but this bug
> is related to a race condition.
> 
> We have to use racing to create the state mentioned in the commit
> message: "Two qfq_class objects may point to the same
> leaf_qdisc"(Racing between tc_new_tfilter and qdisc_delete). I failed
> to find a clean way to use `tc` to trigger this race after several
> hours of trial, so I gave up on that. For non-race condition bugs,
> I'll try to provide self-tests.

Speaking under correction here, but you can submit the test as C code
to the tools/testing/selftests/net directory. It doesn't have to use
existing bash tooling. It needs to follow kernel coding style as Cong
alluded to, however. Ideally if you could rewrite the reproducer to use
YNL C that'd be save a lot of netlink boilerplate.. I think QFQ is
supported by YNL tho not sure if that support is sufficient.

Two more asks/questions
 - could you please add the crash info to the commit message
 - there is a similar code construct in qfq_deact_rm_from_agg()
   does it also need to be fixed?

And a reminder to not top post on the kernel mailing lists, please.
-- 
pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ