linux-stable/net/sched
Eric Dumazet dae05cd371 net/sched: sch_taprio: do not schedule in taprio_reset()
[ Upstream commit ea4fdbaa2f ]

As reported by syzbot and hinted by Vinicius, I should not have added
a qdisc_synchronize() call in taprio_reset().

taprio_reset() can be called with qdisc spinlock held (and BH disabled)
as shown in included syzbot report [1].

Only taprio_destroy() needed this synchronization, as explained
in the blamed commit changelog.

[1]

BUG: scheduling while atomic: syz-executor150/5091/0x00000202
2 locks held by syz-executor150/5091:
Modules linked in:
Preemption disabled at:
[<0000000000000000>] 0x0
Kernel panic - not syncing: scheduling while atomic: panic_on_warn set ...
CPU: 1 PID: 5091 Comm: syz-executor150 Not tainted 6.2.0-rc3-syzkaller-00219-g010a74f52203 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
panic+0x2cc/0x626 kernel/panic.c:318
check_panic_on_warn.cold+0x19/0x35 kernel/panic.c:238
__schedule_bug.cold+0xd5/0xfe kernel/sched/core.c:5836
schedule_debug kernel/sched/core.c:5865 [inline]
__schedule+0x34e4/0x5450 kernel/sched/core.c:6500
schedule+0xde/0x1b0 kernel/sched/core.c:6682
schedule_timeout+0x14e/0x2a0 kernel/time/timer.c:2167
schedule_timeout_uninterruptible kernel/time/timer.c:2201 [inline]
msleep+0xb6/0x100 kernel/time/timer.c:2322
qdisc_synchronize include/net/sch_generic.h:1295 [inline]
taprio_reset+0x93/0x270 net/sched/sch_taprio.c:1703
qdisc_reset+0x10c/0x770 net/sched/sch_generic.c:1022
dev_reset_queue+0x92/0x130 net/sched/sch_generic.c:1285
netdev_for_each_tx_queue include/linux/netdevice.h:2464 [inline]
dev_deactivate_many+0x36d/0x9f0 net/sched/sch_generic.c:1351
dev_deactivate+0xed/0x1b0 net/sched/sch_generic.c:1374
qdisc_graft+0xe4a/0x1380 net/sched/sch_api.c:1080
tc_modify_qdisc+0xb6b/0x19a0 net/sched/sch_api.c:1689
rtnetlink_rcv_msg+0x43e/0xca0 net/core/rtnetlink.c:6141
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
____sys_sendmsg+0x712/0x8c0 net/socket.c:2476
___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
__sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
do_syscall_x64 arch/x86/entry/common.c:50 [inline]

Fixes: 3a415d59c1 ("net/sched: sch_taprio: fix possible use-after-free")
Link: https://lore.kernel.org/netdev/167387581653.2747.13878941339893288655.git-patchwork-notify@kernel.org/T/
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://lore.kernel.org/r/20230123084552.574396-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-02-06 07:52:46 +01:00
act_api.c net/sched: act_api: Notify user space if any actions were flushed before error 2022-07-07 17:36:50 +02:00
act_bpf.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_connmark.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_csum.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_ct.c net/sched: act_ct: fix err check for nf_conntrack_confirm 2021-07-25 14:35:14 +02:00
act_ctinfo.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_gact.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_ife.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_ipt.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c net: sched: act_mirred: drop dst for the direction from egress to ingress 2021-11-26 10:47:19 +01:00
act_mpls.c net/sched: act_mpls: Fix warning during failed attribute validation 2023-01-18 11:42:04 +01:00
act_nat.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_pedit.c net/sched: act_pedit: sanitize shift argument before usage 2022-05-25 09:14:35 +02:00
act_police.c net/sched: act_police: more accurate MTU policing 2022-06-22 14:11:24 +02:00
act_sample.c net: sched: lock action when translating it to flow_action infra 2021-12-22 09:29:37 +01:00
act_simple.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_skbedit.c net_sched: defer tcf_idr_insert() in tcf_action_init_1() 2020-10-14 10:33:06 +02:00
act_skbmod.c net/sched: act_skbmod: Skip non-Ethernet packets 2021-07-28 13:30:57 +02:00
act_tunnel_key.c net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels 2020-10-29 09:57:26 +01:00
act_vlan.c net/sched: act_vlan: Fix modify to allow 0 2021-07-14 16:53:27 +02:00
cls_api.c net: sched: fix possible refcount leak in tc_new_tfilter() 2022-09-28 11:04:07 +02:00
cls_basic.c
cls_bpf.c
cls_cgroup.c
cls_flow.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
cls_flower.c net/sched: flower: fix parsing of ethertype following VLAN header 2022-04-20 09:19:34 +02:00
cls_fw.c
cls_matchall.c
cls_route.c net_sched: cls_route: disallow handle of 0 2022-08-25 11:18:18 +02:00
cls_rsvp.c
cls_rsvp.h
cls_rsvp6.c
cls_tcindex.c net: sched: fix memory leak in tcindex_set_parms 2023-01-18 11:41:57 +01:00
cls_u32.c net/sched: cls_u32: fix possible leak in u32_init_knode() 2022-04-27 13:50:47 +02:00
em_canid.c
em_cmp.c
em_ipset.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
em_ipt.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
em_meta.c sched: consistently handle layer3 header accesses in the presence of VLANs 2020-07-22 09:32:48 +02:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c net_sched: reject TCF_EM_SIMPLE case for complex ematch module 2023-01-18 11:41:33 +01:00
Kconfig
Makefile
sch_api.c net: sched: disallow noqueue for qdisc classes 2023-01-18 11:42:00 +01:00
sch_atm.c net: sched: atm: dont intepret cls results when asked to drop 2023-01-18 11:41:58 +01:00
sch_blackhole.c
sch_cake.c net: sched: cake: fix null pointer access issue when cake_init() fails 2022-10-29 10:20:35 +02:00
sch_cbq.c net: sched: cbq: dont intepret cls results when asked to drop 2023-01-18 11:41:58 +01:00
sch_cbs.c net: cbs: Fix software cbs to consider packet sending time 2020-04-01 11:01:33 +02:00
sch_choke.c net: sched: validate stab values 2021-03-30 14:35:25 +02:00
sch_codel.c
sch_drr.c
sch_dsmark.c sch_dsmark: fix a NULL deref in qdisc_reset() 2021-06-03 08:59:15 +02:00
sch_etf.c sched: etf: do not assume all sockets are full blown 2020-04-29 16:33:09 +02:00
sch_fifo.c net_sched: fix NULL deref in fifo_set_limit() 2021-10-13 10:08:18 +02:00
sch_fq.c net: fq: add missing attribute validation for orphan mask 2020-03-18 07:17:45 +01:00
sch_fq_codel.c fq_codel: reject silly quantum parameters 2021-09-22 12:26:45 +02:00
sch_generic.c net: Fix data-races around weight_p and dev_weight_[rt]x_bias. 2022-09-05 10:27:41 +02:00
sch_gred.c net: sched: validate stab values 2021-03-30 14:35:25 +02:00
sch_hfsc.c
sch_hhf.c
sch_htb.c
sch_ingress.c
sch_mq.c net: sched: update default qdisc visibility after Tx queue cnt changes 2021-11-17 09:48:28 +01:00
sch_mqprio.c net: sched: update default qdisc visibility after Tx queue cnt changes 2021-11-17 09:48:28 +01:00
sch_multiq.c
sch_netem.c net/sched: sch_netem: Fix arithmetic in netem_dump() for 32-bit platforms 2022-06-29 08:58:46 +02:00
sch_pie.c
sch_plug.c
sch_prio.c
sch_qfq.c sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc 2022-01-11 15:23:32 +01:00
sch_red.c net: sched: Fix use after free in red_enqueue() 2022-11-10 17:57:50 +01:00
sch_sfb.c sch_sfb: Also store skb len before calling child enqueue 2022-09-15 12:04:56 +02:00
sch_sfq.c net: sched: validate stab values 2021-03-30 14:35:25 +02:00
sch_skbprio.c net_sched: sch_skbprio: add message validation to skbprio_change() 2020-05-14 07:58:21 +02:00
sch_taprio.c net/sched: sch_taprio: do not schedule in taprio_reset() 2023-02-06 07:52:46 +01:00
sch_tbf.c net: sched: tbf: don't call qdisc_put() while holding tree lock 2022-09-15 12:04:50 +02:00
sch_teql.c net: sched: sch_teql: fix null-pointer dereference 2021-04-14 08:24:12 +02:00