CVE-2023-53021

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53021
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53021.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53021
Published
2025-03-27T16:43:47.860Z
Modified
2025-11-28T02:34:38.337698Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
net/sched: sch_taprio: fix possible use-after-free
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_taprio: fix possible use-after-free

syzbot reported a nasty crash [1] in net_tx_action() which made little sense until we got a repro.

This repro installs a taprio qdisc, but provides an invalid TCA_RATE attribute.

qdisc_create() has to destroy the just initialized taprio qdisc, and taprio_destroy() is called.

However, the hrtimer used by taprio had already fired, therefore advance_sched() called __netif_schedule().

Then net_tx_action was trying to use a destroyed qdisc.

We cannot undo the __netif_schedule(), so we must wait until one cpu serviced the qdisc before we can proceed.

Many thanks to Alexander Potapenko for his help.

[1]
BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
 queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
 do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
 __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
 _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
 spin_trylock include/linux/spinlock.h:359 [inline]
 qdisc_run_begin include/net/sch_generic.h:187 [inline]
 qdisc_run+0xee/0x540 include/net/pkt_sched.h:125
 net_tx_action+0x77c/0x9a0 net/core/dev.c:5086
 __do_softirq+0x1cc/0x7fb kernel/softirq.c:571
 run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934
 smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164
 kthread+0x31b/0x430 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3258 [inline]
 __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970
 kmalloc_reserve net/core/skbuff.c:358 [inline]
 __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430
 alloc_skb include/linux/skbuff.h:1257 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436
 netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507
 rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482
 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536
 __sys_sendmsg net/socket.c:2565 [inline]
 __do_sys_sendmsg net/socket.c:2574 [inline]
 __se_sys_sendmsg net/socket.c:2572 [inline]
 __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53021.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5a781ccbd19e4664babcbe4b4ead7aa2b9283d22
Fixed
1200388a0b1c3c6fda48d4d2143db8f7e4ef5348
Fixed
c60fe70078d6e515f424cb868d07e00411b27fbc
Fixed
c53acbf2facfdfabdc6e6984a1a38f5d38b606a1
Fixed
d3b2d2820a005e43855fa71b80c4a4b194201c60
Fixed
3a415d59c1dbec9d772dbfab2d2520d98360caae

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.231
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.166
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.91
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.9