DEBIAN-CVE-2023-53021

Source
https://security-tracker.debian.org/tracker/CVE-2023-53021
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53021.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53021
Upstream
Published
2025-03-27T17:15:51Z
Modified
2025-10-14T04:26:22.421652Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_taprio: fix possible use-after-free

syzbot reported a nasty crash [1] in net_tx_action() which made little sense until we got a repro.

This repro installs a taprio qdisc, but providing an invalid TCA_RATE attribute.

qdisc_create() has to destroy the just initialized taprio qdisc, and taprio_destroy() is called.

However, the hrtimer used by taprio had already fired, therefore advance_sched() called __netif_schedule().

Then net_tx_action was trying to use a destroyed qdisc.

We can not undo the __netif_schedule(), so we must wait until one cpu serviced the qdisc before we can proceed.

Many thanks to Alexander Potapenko for his help.

[1]
BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
  queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
  do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
  __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
  _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
  spin_trylock include/linux/spinlock.h:359 [inline]
  qdisc_run_begin include/net/sch_generic.h:187 [inline]
  qdisc_run+0xee/0x540 include/net/pkt_sched.h:125
  net_tx_action+0x77c/0x9a0 net/core/dev.c:5086
  __do_softirq+0x1cc/0x7fb kernel/softirq.c:571
  run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934
  smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164
  kthread+0x31b/0x430 kernel/kthread.c:376
  ret_from_fork+0x1f/0x30

Uninit was created at:
  slab_post_alloc_hook mm/slab.h:732 [inline]
  slab_alloc_node mm/slub.c:3258 [inline]
  __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970
  kmalloc_reserve net/core/skbuff.c:358 [inline]
  __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430
  alloc_skb include/linux/skbuff.h:1257 [inline]
  nlmsg_new include/net/netlink.h:953 [inline]
  netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436
  netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507
  rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108
  netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
  netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
  netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
  sock_sendmsg_nosec net/socket.c:714 [inline]
  sock_sendmsg net/socket.c:734 [inline]
  ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482
  ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536
  __sys_sendmsg net/socket.c:2565 [inline]
  __do_sys_sendmsg net/socket.c:2574 [inline]
  __se_sys_sendmsg net/socket.c:2572 [inline]
  __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}