CVE-2023-53021

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 27/03/2025
Last modified: 01/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_taprio: fix possible use-after-free

syzbot reported a nasty crash [1] in net_tx_action() which made little sense until we got a repro.

This repro installs a taprio qdisc, but provides an invalid TCA_RATE attribute.

qdisc_create() has to destroy the just initialized taprio qdisc, and taprio_destroy() is called.

However, the hrtimer used by taprio had already fired, therefore advance_sched() called __netif_schedule().

Then net_tx_action was trying to use a destroyed qdisc.

We cannot undo the __netif_schedule(), so we must wait until one cpu serviced the qdisc before we can proceed.

Many thanks to Alexander Potapenko for his help.

[1]
BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
__raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
_raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
spin_trylock include/linux/spinlock.h:359 [inline]
qdisc_run_begin include/net/sch_generic.h:187 [inline]
qdisc_run+0xee/0x540 include/net/pkt_sched.h:125
net_tx_action+0x77c/0x9a0 net/core/dev.c:5086
__do_softirq+0x1cc/0x7fb kernel/softirq.c:571
run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934
smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164
kthread+0x31b/0x430 kernel/kthread.c:376
ret_from_fork+0x1f/0x30

Uninit was created at:
slab_post_alloc_hook mm/slab.h:732 [inline]
slab_alloc_node mm/slub.c:3258 [inline]
__kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970
kmalloc_reserve net/core/skbuff.c:358 [inline]
__alloc_skb+0x346/0xcf0 net/core/skbuff.c:430
alloc_skb include/linux/skbuff.h:1257 [inline]
nlmsg_new include/net/netlink.h:953 [inline]
netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436
netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507
rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0xabc/0xe90 net/socket.c:2482
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536
__sys_sendmsg net/socket.c:2565 [inline]
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__x64_sys_sendmsg+0x367/0x540 net/socket.c:2572
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
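
The ordering bug in the commit message above, as an added single-threaded C model that is not part of this advisory or of the kernel's code. The sim_* functions, the `struct qdisc` with a `live` flag standing in for the allocator, and the `output_queue` array are stand-ins chosen for illustration; `taprio_destroy_fixed()` models the intent of the upstream fix (wait until the already-scheduled qdisc has been serviced before freeing) and is not the kernel's actual helper.

```c
#include <stdio.h>

#define QUEUE_LEN 8

/* Stand-in for struct Qdisc plus taprio's private data (field names assumed).
 * The allocator is simulated: sim_qdisc_free() only clears `live`, so the model
 * can detect a touch-after-free instead of actually corrupting memory. */
struct qdisc {
    int live;         /* 1 while allocated, 0 after the simulated kfree() */
    int timer_armed;  /* taprio's advance_timer hrtimer is pending */
    int scheduled;    /* sitting on output_queue because of __netif_schedule() */
};

/* Model of the per-cpu output_queue that __netif_schedule() appends to. */
static struct qdisc *output_queue[QUEUE_LEN];
static int output_head, output_tail;
static int uaf_detected;

/* __netif_schedule(): queue the qdisc for the NET_TX softirq. There is no undo. */
static void sim_netif_schedule(struct qdisc *q)
{
    q->scheduled = 1;
    output_queue[output_tail++ % QUEUE_LEN] = q;
}

/* advance_sched(): taprio's hrtimer callback, which ends in __netif_schedule(). */
static void sim_advance_sched(struct qdisc *q)
{
    q->timer_armed = 0;
    sim_netif_schedule(q);
}

/* hrtimer_cancel(): stops a pending timer; cannot undo a callback that already ran. */
static void sim_hrtimer_cancel(struct qdisc *q)
{
    q->timer_armed = 0;
}

/* net_tx_action(): drain output_queue, running each qdisc. Returns the number run.
 * Where the real kernel crashes (or KMSAN splats), the model sets uaf_detected. */
static int sim_net_tx_action(void)
{
    int n = 0;
    while (output_head != output_tail) {
        struct qdisc *q = output_queue[output_head++ % QUEUE_LEN];
        if (!q->live) {
            uaf_detected = 1;
            continue;
        }
        q->scheduled = 0;
        n++;
    }
    return n;
}

static void sim_qdisc_free(struct qdisc *q)
{
    q->live = 0;   /* kfree() in the real kernel */
}

/* Pre-fix teardown: cancel the timer and free, ignoring a run already queued. */
static void taprio_destroy_buggy(struct qdisc *q)
{
    sim_hrtimer_cancel(q);
    sim_qdisc_free(q);
}

/* Fixed ordering: after cancelling the timer, wait until any already-queued run
 * has been serviced before freeing. In this single-threaded model "waiting" means
 * letting the softirq run; in the kernel it is a wait for the cpu that owns the
 * queue. This is the intent of the fix, not its code. */
static void taprio_destroy_fixed(struct qdisc *q)
{
    sim_hrtimer_cancel(q);
    while (q->scheduled)
        sim_net_tx_action();
    sim_qdisc_free(q);
}

/* Replays the reported sequence: taprio is initialised with its timer armed, the
 * timer fires (queueing the qdisc) before qdisc_create() rejects the bad TCA_RATE
 * and tears the qdisc down, then ksoftirqd services output_queue.
 * Returns 1 if a freed qdisc was touched, 0 otherwise. */
static int run_scenario(void (*destroy)(struct qdisc *))
{
    struct qdisc q = { .live = 1, .timer_armed = 1, .scheduled = 0 };

    output_head = output_tail = 0;
    uaf_detected = 0;

    sim_advance_sched(&q);   /* hrtimer fired first */
    destroy(&q);             /* qdisc_create() error path -> taprio_destroy() */
    sim_net_tx_action();     /* NET_TX softirq on some cpu */
    return uaf_detected;
}

int main(void)
{
    printf("pre-fix destroy: use-after-free=%d\n", run_scenario(taprio_destroy_buggy));
    printf("fixed destroy:   use-after-free=%d\n", run_scenario(taprio_destroy_fixed));
    return 0;
}
```

The point the model makes is the one the commit message states: once the callback has called __netif_schedule(), cancelling the timer is not enough, and the teardown path has to wait for the queued run to complete before the memory can go back to the allocator.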

Vulnerable products and versions

CPE                                                From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.20               5.4.231
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5                5.10.166
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11               5.15.91
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16               6.1.9
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*   (exact version)
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*   (exact version)
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*   (exact version)
cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*   (exact version)