CVE-2021-47598

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sch_cake: do not call cake_destroy() from cake_init()<br /> <br /> qdiscs are not supposed to call their own destroy() method<br /> from init(), because core stack already does that.<br /> <br /> syzbot was able to trigger use after free:<br /> <br /> DEBUG_LOCKS_WARN_ON(lock-&gt;magic != lock)<br /> WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]<br /> WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740<br /> Modules linked in:<br /> CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]<br /> RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740<br /> Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8<br /> RSP: 0018:ffffc9000627f290 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000<br /> RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44<br /> RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000<br /> R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000<br /> R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000<br /> FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810<br /> tcf_block_put_ext net/sched/cls_api.c:1381 [inline]<br /> tcf_block_put_ext net/sched/cls_api.c:1376 [inline]<br /> tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394<br /> cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695<br /> qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293<br /> tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660<br /> rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571<br /> netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]<br /> netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345<br /> netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921<br /> sock_sendmsg_nosec net/socket.c:704 [inline]<br /> sock_sendmsg+0xcf/0x120 net/socket.c:724<br /> ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409<br /> ___sys_sendmsg+0xf3/0x170 net/socket.c:2463<br /> __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7f1bb06badb9<br /> Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.<br /> RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9<br /> RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003<br /> RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003<br /> R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688<br /> R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2<br />