On 7/14/20 1:05 AM, qiang.zh...@windriver.com wrote:
> From: Zhang Qiang <qiang.zh...@windriver.com>
>
> CPU: 0 PID: 6801 Comm: syz-executor201 Not tainted 5.8.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 01/01/2011
>
> Fixes: fc1b6d6de2208 ("tipc: introduce TIPC encryption & authentication")
> Reported-by: syzbot+263f8c0d007dc09b2...@syzkaller.appspotmail.com
> Signed-off-by: Zhang Qiang <qiang.zh...@windriver.com>
> ---
> v1->v2:
> add fixes tags.
>
> net/tipc/crypto.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
> index 8c47ded2edb6..520af0afe1b3 100644
> --- a/net/tipc/crypto.c
> +++ b/net/tipc/crypto.c
> @@ -399,9 +399,10 @@ static void tipc_aead_users_set(struct tipc_aead __rcu
> *aead, int val)
> */
> static struct crypto_aead *tipc_aead_tfm_next(struct tipc_aead *aead)
> {
> - struct tipc_tfm **tfm_entry = this_cpu_ptr(aead->tfm_entry);
> + struct tipc_tfm **tfm_entry = get_cpu_ptr(aead->tfm_entry);
>
> *tfm_entry = list_next_entry(*tfm_entry, list);
> + put_cpu_ptr(tfm_entry);
> return (*tfm_entry)->tfm;
> }
>
>
You have not explained why this was safe.
This seems to hide a real bug.
Presumably callers of this function should have disable preemption, and maybe
interrupts as well.
Right after put_cpu_ptr(tfm_entry), this thread could migrate to another cpu,
and still access
data owned by the old cpu.
