Sven,
cancel_delayed_work_sync() and queue_delayed_work()
use WORK_STRUCT_PENDING_BIT in work->data to synchronize.
INIT_DELAYED_WORK() clears this bit.
The situation is: __cancel_work_timer() sets WORK_STRUCT_PENDING_BIT
but INIT_DELAYED_WORK() in batadv_dat_start_timer() clears it
and
On Friday, 26 May 2023 18:16:32 CEST Vladislav Efanov wrote:
> Syzkaller got a lot of crashes like:
> KASAN: use-after-free Write in *_timers*
>
> All of these crashes point to the same memory area:
>
> The buggy address belongs to the object at 88801f87
> which belongs to the cache
> The reason for these issues is the lack of synchronization. Delayed
> work (batadv_dat_purge) schedules new timer/work while the device
> is being deleted. As the result new timer/delayed work is set after
> cancel_delayed_work_sync()
Syzkaller got a lot of crashes like:
KASAN: use-after-free Write in *_timers*
All of these crashes point to the same memory area:
The buggy address belongs to the object at 88801f87
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 5320 bytes inside of