CVE-2021-47512

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fq_pie: prevent dismantle issue

For some reason, fqpiedestroy() did not copy working code from pie_destroy() and other qdiscs, thus causing elusive bug.

Before calling deltimersync(&q->adapt_timer), we need to ensure timer will not rearm itself.

rcu: INFO: rcupreempt self-detected stall on CPU rcu: 0-....: (4416 ticks this GP) idle=60d/1/0x4000000000000000 softirq=10433/10434 fqs=2579 (t=10501 jiffies g=13085 q=3989) NMI backtrace for cpu 0 CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 nmicpubacktrace.cold+0x47/0x144 lib/nmibacktrace.c:111 nmitriggercpumaskbacktrace+0x1b3/0x230 lib/nmibacktrace.c:62 triggersinglecpubacktrace include/linux/nmi.h:164 [inline] rcudumpcpustacks+0x25e/0x3f0 kernel/rcu/treestall.h:343 printcpustall kernel/rcu/treestall.h:627 [inline] checkcpustall kernel/rcu/treestall.h:711 [inline] rcupending kernel/rcu/tree.c:3878 [inline] rcuschedclockirq.cold+0x9d/0x746 kernel/rcu/tree.c:2597 updateprocesstimes+0x16d/0x200 kernel/time/timer.c:1785 tickschedhandle+0x9b/0x180 kernel/time/tick-sched.c:226 tickschedtimer+0x1b0/0x2d0 kernel/time/tick-sched.c:1428 _runhrtimer kernel/time/hrtimer.c:1685 [inline] _hrtimerrunqueues+0x1c0/0xe50 kernel/time/hrtimer.c:1749 hrtimerinterrupt+0x31c/0x790 kernel/time/hrtimer.c:1811 localapictimerinterrupt arch/x86/kernel/apic/apic.c:1086 [inline] _sysvecapictimerinterrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103 sysvecapictimerinterrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097 </IRQ> <TASK> asmsysvecapictimerinterrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:writecompdata kernel/kcov.c:221 [inline] RIP: 0010:sanitizercovtraceconstcmp1+0x1d/0x80 kernel/kcov.c:273 Code: 54 c8 20 48 89 10 c3 66 0f 1f 44 00 00 53 41 89 fb 41 89 f1 bf 03 00 00 00 65 48 8b 0c 25 40 70 02 00 48 89 ce 4c 8b 54 24 08 <e8> 4e f7 ff ff 84 c0 74 51 48 8b 81 88 15 00 00 44 8b 81 84 15 00 RSP: 0018:ffffc90000d27b28 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffff888064bf1bf0 RCX: ffff888011928000 RDX: ffff888011928000 RSI: ffff888011928000 RDI: 0000000000000003 RBP: ffff888064bf1c28 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff875d8295 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8880783dd300 R14: 0000000000000000 R15: 0000000000000000 piecalculateprobability+0x405/0x7c0 net/sched/schpie.c:418 fqpietimer+0x170/0x2a0 net/sched/schfqpie.c:383 calltimerfn+0x1a5/0x6b0 kernel/time/timer.c:1421 expiretimers kernel/time/timer.c:1466 [inline] _runtimers.part.0+0x675/0xa20 kernel/time/timer.c:1734 _runtimers kernel/time/timer.c:1715 [inline] runtimersoftirq+0xb3/0x1d0 kernel/time/timer.c:1747 _dosoftirq+0x29b/0x9c2 kernel/softirq.c:558 runksoftirqd kernel/softirq.c:921 [inline] runksoftirqd+0x2d/0x60 kernel/softirq.c:913 smpbootthreadfn+0x645/0x9c0 kernel/smpboot.c:164 kthread+0x405/0x4f0 kernel/kthread.c:327 retfromfork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK>