From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
To: Dmitry Antipov <dmantipov@yandex.ru>
Cc: Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, lvc-project@linuxtesting.org,
Dmitry Antipov <dmantipov@yandex.ru>,
syzbot+b65e0af58423fc8a73aa@syzkaller.appspotmail.com
Subject: Re: [PATCH] net: sched: fix use-after-free in taprio_change()
Date: Tue, 06 Aug 2024 20:56:41 -0700 [thread overview]
Message-ID: <87sevhx9xi.fsf@intel.com> (raw)
In-Reply-To: <20240805135145.37604-1-dmantipov@yandex.ru>
Hi,
Dmitry Antipov <dmantipov@yandex.ru> writes:
> In 'taprio_change()', 'admin' pointer may become dangling due to sched
> switch / removal caused by 'advance_sched()', and critical section
> protected by 'q->current_entry_lock' is too small to prevent from such
> a scenario (which causes use-after-free detected by KASAN). Fix this
> by prefer 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update
> 'admin' immediately before an attempt to schedule freeing.
>
> Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
> Reported-by: syzbot+b65e0af58423fc8a73aa@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
> net/sched/sch_taprio.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
> index cc2df9f8c14a..59fad74d5ff9 100644
> --- a/net/sched/sch_taprio.c
> +++ b/net/sched/sch_taprio.c
> @@ -1963,7 +1963,8 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
>
> taprio_start_sched(sch, start, new_admin);
>
> - rcu_assign_pointer(q->admin_sched, new_admin);
> + admin = rcu_replace_pointer(q->admin_sched, new_admin,
> + lockdep_rtnl_is_held());
What I am thinking if, for consistency, the same change could be applied
to the other branch of this comparison (the txtime one). Could be a
separate patch, as the txtime branch is not going to race with
advance_sched().
For this patch:
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cheers,
--
Vinicius
prev parent reply other threads:[~2024-08-07 3:56 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-05 13:51 [PATCH] net: sched: fix use-after-free in taprio_change() Dmitry Antipov
2024-08-07 3:56 ` Vinicius Costa Gomes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sevhx9xi.fsf@intel.com \
--to=vinicius.gomes@intel.com \
--cc=dmantipov@yandex.ru \
--cc=kuba@kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+b65e0af58423fc8a73aa@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.