Re: [syzbot] [net?] KASAN: slab-use-after-free Read in taprio_dump
From: Hillf Danton
Date: Tue Dec 19 2023 - 06:02:40 EST
On Mon, 18 Dec 2023 06:33:26 -0800
> HEAD commit: d5b235ec8eab Merge branch 'for-next/core' into for-kernelci
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15e40371e80000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git d5b235ec8eab
--- x/net/sched/sch_taprio.c
+++ y/net/sched/sch_taprio.c
@@ -2393,6 +2393,7 @@ static int taprio_dump(struct Qdisc *sch
struct sched_gate_list *oper, *admin;
struct tc_mqprio_qopt opt = { 0 };
struct nlattr *nest, *sched_nest;
+ int active = hrtimer_cancel(&q->advance_timer);
oper = rtnl_dereference(q->oper_sched);
admin = rtnl_dereference(q->admin_sched);
@@ -2436,6 +2437,10 @@ static int taprio_dump(struct Qdisc *sch
nla_nest_end(skb, sched_nest);
done:
+ if (active)
+ hrtimer_start(&q->advance_timer,
+ hrtimer_get_expires(&q->advance_timer),
+ HRTIMER_MODE_ABS);
return nla_nest_end(skb, nest);
admin_error:
@@ -2445,6 +2450,10 @@ options_error:
nla_nest_cancel(skb, nest);
start_error:
+ if (active)
+ hrtimer_start(&q->advance_timer,
+ hrtimer_get_expires(&q->advance_timer),
+ HRTIMER_MODE_ABS);
return -ENOSPC;
}
--