Received: by 2002:a05:7208:9594:b0:7e:5202:c8b4 with SMTP id gs20csp139343rbb;
        Fri, 23 Feb 2024 15:02:38 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCUH26MG7mEa8cFFbCGrVSiBi3dg7gOx7zHcGDo1jIYRfKa4dkSPvatENvV11Uf8FFncjnH71M9kImynXOuBUN3DAbnn3jjwnMniyDxF0Q==
X-Google-Smtp-Source: AGHT+IG9jjCL75+fn8V/IbbBUf3SAuYezgSM/kAhUF2nXS9bRpXrA0A988Q3gQUSj89kikbxu2ls
X-Received: by 2002:a05:6a00:87:b0:6e4:e7c3:f148 with SMTP id c7-20020a056a00008700b006e4e7c3f148mr1222005pfj.4.1708729357866;
        Fri, 23 Feb 2024 15:02:37 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708729357; cv=pass;
        d=google.com; s=arc-20160816;
        b=eEEmiXT5TiNg6UuoeSjZTY6UOK0KqsFNWrUeoUSTjEA6yPrBLSLGbq162CPNEUl2UV
         4vxw+uUjUSRRF0txlOsZ8/33n0MHBIFJ7EcFXxini835B1SFRKEtB6S6ziWVTxfkil2A
         HSiuF/pqzKBx87Z0n5hIFdHgbDPwkdjywhExhzp5rIQqstNnV6k1t16VJUnNLQjwcKMW
         fD3yQ4Lq8jyHnq8oiCoTSQ+p4xdTVFTFO2UsRTZieORBNXxkh3R7RFrKyUHBTVsMRURp
         cw2pvtJ1+vU5O7e59yBtcjaD6AdsuDX5IMneHXv8zmr01XQp1PVOwymlofNS6vYqda8I
         /QQw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from;
        bh=65hlj0sP3AmhdDsrKPAn2OK8xumjmTmomFr1wGQ5IyI=;
        fh=h1CF+sjKn+4UpvTF/dvS9KsiAIUVOdizkEomRaU/0+8=;
        b=i9yRPiiHOjEdUtxvyKHBmlvt51w6Pstq0UjB6FyY8Kwksk0w0B0MVwu4zzEqNZuadH
         Rzoa1dkJNNKFap4R4svJE3C5jc1OScI2sGBBl7op8HOUxX6mkbYSTvvt9nReeiitpAnC
         oiLuMOUh+LiXDDVJQgGC1tZPGgTtUM5egCv53r9uFDLHOqPpxXCMY6xl+T72uWWu/zY9
         sn7l+mcYt453hZz74D8XGHY/mKqNcYVYbHP/vuKN41QbVkyzlH9q6kKdPYyrHB99vt82
         om0HauXgqROTzP6gQAr4u3w8tOlUMp1hoD4qpzJ2hGwf0KF03BNDyHBLr3U+pLnO7ICo
         G4iA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=sina.com);
       spf=pass (google.com: domain of linux-kernel+bounces-79294-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-79294-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-79294-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id h11-20020a056a00230b00b006e4ea362bfasi5602pfh.106.2024.02.23.15.02.37
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 23 Feb 2024 15:02:37 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-79294-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=sina.com);
       spf=pass (google.com: domain of linux-kernel+bounces-79294-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-79294-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 92E062870B7
	for <linux.lists.archive@gmail.com>; Fri, 23 Feb 2024 23:02:37 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 4386814CAD2;
	Fri, 23 Feb 2024 23:02:32 +0000 (UTC)
Received: from mail115-69.sinamail.sina.com.cn (mail115-69.sinamail.sina.com.cn [218.30.115.69])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 27C9314CACB
	for <linux-kernel@vger.kernel.org>; Fri, 23 Feb 2024 23:02:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=218.30.115.69
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1708729351; cv=none; b=hjx8Bxxg6R++kLgrBUohxcfvBq7MY3JlW33Wm86ttjdZ5RfbILBbUqJunAaf0upFk4SBdF/OnxmQoYQWVj/XemHtJGQO52y1AhFPcBISV7MfnwpYtbjVyutJ4hlSrCioxr9OD7kpj7UWHIMmnPH1EZVqSV7VWTBMuMB8jioM3gw=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1708729351; c=relaxed/simple;
	bh=zu4LCqmR8M+WHVQ/Jxn1gK3mfSI7I4iMFrAu8qwIs1E=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:
	 MIME-Version; b=fxjNCb9+9DQZ6ot0sa7KSki37YiqpObQsFNXpFyJFT10GEoHDes9TkZTQwhyYDuw4uGQ9fIb7EOpEM+h6ljMes+qa3tO05YlTNVGZ2ji7bjXH8esaMeRrnllVMxdyFi8IwV4RA6w5Mk5ha8VDOPLX6gfO8KrspR3KeaDZnuJTXU=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com; spf=pass smtp.mailfrom=sina.com; arc=none smtp.client-ip=218.30.115.69
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sina.com
X-SMAIL-HELO: localhost.localdomain
Received: from unknown (HELO localhost.localdomain)([113.88.49.139])
	by sina.com (10.75.12.45) with ESMTP
	id 65D923F6000016E5; Fri, 24 Feb 2024 07:02:16 +0800 (CST)
X-Sender: hdanton@sina.com
X-Auth-ID: hdanton@sina.com
Authentication-Results: sina.com;
	 spf=none smtp.mailfrom=hdanton@sina.com;
	 dkim=none header.i=none;
	 dmarc=none action=none header.from=hdanton@sina.com
X-SMAIL-MID: 98315631458029
X-SMAIL-UIID: 35DC0772838140A1BEE8DAAB78546E06-20240224-070216-1
From: Hillf Danton <hdanton@sina.com>
To: syzbot <syzbot+b65e0af58423fc8a73aa@syzkaller.appspotmail.com>
Cc: linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] KASAN: slab-use-after-free Read in advance_sched
Date: Sat, 24 Feb 2024 07:02:04 +0800
Message-Id: <20240223230204.297-1-hdanton@sina.com>
In-Reply-To: <000000000000a9373b0612093168@google.com>
References: 
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

On Fri, 23 Feb 2024 01:29:17 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    9abbc24128bc Merge branch 'for-next/core' into for-kernelci
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10a70158180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git  for-kernelci

--- x/net/sched/sch_taprio.c
+++ y/net/sched/sch_taprio.c
@@ -1984,6 +1984,7 @@ static int taprio_change(struct Qdisc *s
 		/* Protects against advance_sched() */
 		spin_lock_irqsave(&q->current_entry_lock, flags);
 
+		admin = rtnl_dereference(q->admin_sched);
 		taprio_start_sched(sch, start, new_admin);
 
 		rcu_assign_pointer(q->admin_sched, new_admin);
--