CVE-2024-50126

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sched: use RCU read-side critical section in taprio_dump()<br /> <br /> Fix possible use-after-free in &amp;#39;taprio_dump()&amp;#39; by adding RCU<br /> read-side critical section there. Never seen on x86 but<br /> found on a KASAN-enabled arm64 system when investigating<br /> https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:<br /> <br /> [T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0<br /> [T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862<br /> [T15862]<br /> [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2<br /> [T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024<br /> [T15862] Call trace:<br /> [T15862] dump_backtrace+0x20c/0x220<br /> [T15862] show_stack+0x2c/0x40<br /> [T15862] dump_stack_lvl+0xf8/0x174<br /> [T15862] print_report+0x170/0x4d8<br /> [T15862] kasan_report+0xb8/0x1d4<br /> [T15862] __asan_report_load4_noabort+0x20/0x2c<br /> [T15862] taprio_dump+0xa0c/0xbb0<br /> [T15862] tc_fill_qdisc+0x540/0x1020<br /> [T15862] qdisc_notify.isra.0+0x330/0x3a0<br /> [T15862] tc_modify_qdisc+0x7b8/0x1838<br /> [T15862] rtnetlink_rcv_msg+0x3c8/0xc20<br /> [T15862] netlink_rcv_skb+0x1f8/0x3d4<br /> [T15862] rtnetlink_rcv+0x28/0x40<br /> [T15862] netlink_unicast+0x51c/0x790<br /> [T15862] netlink_sendmsg+0x79c/0xc20<br /> [T15862] __sock_sendmsg+0xe0/0x1a0<br /> [T15862] ____sys_sendmsg+0x6c0/0x840<br /> [T15862] ___sys_sendmsg+0x1ac/0x1f0<br /> [T15862] __sys_sendmsg+0x110/0x1d0<br /> [T15862] __arm64_sys_sendmsg+0x74/0xb0<br /> [T15862] invoke_syscall+0x88/0x2e0<br /> [T15862] el0_svc_common.constprop.0+0xe4/0x2a0<br /> [T15862] do_el0_svc+0x44/0x60<br /> [T15862] el0_svc+0x50/0x184<br /> [T15862] el0t_64_sync_handler+0x120/0x12c<br /> [T15862] el0t_64_sync+0x190/0x194<br /> [T15862]<br /> [T15862] Allocated by task 15857:<br /> [T15862] kasan_save_stack+0x3c/0x70<br /> [T15862] kasan_save_track+0x20/0x3c<br /> [T15862] kasan_save_alloc_info+0x40/0x60<br /> [T15862] __kasan_kmalloc+0xd4/0xe0<br /> [T15862] __kmalloc_cache_noprof+0x194/0x334<br /> [T15862] taprio_change+0x45c/0x2fe0<br /> [T15862] tc_modify_qdisc+0x6a8/0x1838<br /> [T15862] rtnetlink_rcv_msg+0x3c8/0xc20<br /> [T15862] netlink_rcv_skb+0x1f8/0x3d4<br /> [T15862] rtnetlink_rcv+0x28/0x40<br /> [T15862] netlink_unicast+0x51c/0x790<br /> [T15862] netlink_sendmsg+0x79c/0xc20<br /> [T15862] __sock_sendmsg+0xe0/0x1a0<br /> [T15862] ____sys_sendmsg+0x6c0/0x840<br /> [T15862] ___sys_sendmsg+0x1ac/0x1f0<br /> [T15862] __sys_sendmsg+0x110/0x1d0<br /> [T15862] __arm64_sys_sendmsg+0x74/0xb0<br /> [T15862] invoke_syscall+0x88/0x2e0<br /> [T15862] el0_svc_common.constprop.0+0xe4/0x2a0<br /> [T15862] do_el0_svc+0x44/0x60<br /> [T15862] el0_svc+0x50/0x184<br /> [T15862] el0t_64_sync_handler+0x120/0x12c<br /> [T15862] el0t_64_sync+0x190/0x194<br /> [T15862]<br /> [T15862] Freed by task 6192:<br /> [T15862] kasan_save_stack+0x3c/0x70<br /> [T15862] kasan_save_track+0x20/0x3c<br /> [T15862] kasan_save_free_info+0x4c/0x80<br /> [T15862] poison_slab_object+0x110/0x160<br /> [T15862] __kasan_slab_free+0x3c/0x74<br /> [T15862] kfree+0x134/0x3c0<br /> [T15862] taprio_free_sched_cb+0x18c/0x220<br /> [T15862] rcu_core+0x920/0x1b7c<br /> [T15862] rcu_core_si+0x10/0x1c<br /> [T15862] handle_softirqs+0x2e8/0xd64<br /> [T15862] __do_softirq+0x14/0x20