Juhee Kang <claudiajkang@xxxxxxxxx> wrote:
> Currently, when a rule related to IDLETIMER is added, the idletimer_tg timer
> structure is allocated with kmalloc in the idletimer_tg_create
> function. However, in this process timer->timer_type is not set to
> a specific value. Thus, timer->timer_type has a garbage value and it causes
> a kernel panic. So, this commit fixes the panic by initializing
> timer->timer_type using kzalloc instead of kmalloc.
>
> Test commands:
> # iptables -A OUTPUT -j IDLETIMER --timeout 1 --label test
> $ cat /sys/class/xt_idletimer/timers/test
> Killed
>
> Splat looks like:
> BUG: KASAN: user-memory-access in alarm_expires_remaining+0x49/0x70
> Read of size 8 at addr 0000002e8c7bc4c8 by task cat/917
> CPU: 12 PID: 917 Comm: cat Not tainted 5.14.0+ #3 79940a339f71eb14fc81aee1757a20d5bf13eb0e
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>  dump_stack_lvl+0x6e/0x9c
>  kasan_report.cold+0x112/0x117
>  ? alarm_expires_remaining+0x49/0x70
>  __asan_load8+0x86/0xb0
>  alarm_expires_remaining+0x49/0x70
>  idletimer_tg_show+0xe5/0x19b [xt_IDLETIMER 11219304af9316a21bee5ba9d58f76a6b9bccc6d]
>
> Fixes: 0902b469bd250 ("netfilter: xtables: idletimer target implementation")

Hmm, I don't think so. Probably:

Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target")

?