deepin-kernel/net/core
Eric Dumazet 6385c15d4d net/sched: Fix mirred deadlock on device recursion
mainline inclusion
from mainline-v6.9-rc5
commit 0f022d32c3
category: bugfix
CVE: CVE-2024-27010

When the mirred action is used on a classful egress qdisc and a packet is
mirrored or redirected to self we hit a qdisc lock deadlock.
See trace below.

[..... other info removed for brevity....]
[   82.890906]
[   82.890906] ============================================
[   82.890906] WARNING: possible recursive locking detected
[   82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G        W
[   82.890906] --------------------------------------------
[   82.890906] ping/418 is trying to acquire lock:
[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:
__dev_queue_xmit+0x1778/0x3550
[   82.890906]
[   82.890906] but task is already holding lock:
[   82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:
__dev_queue_xmit+0x1778/0x3550
[   82.890906]
[   82.890906] other info that might help us debug this:
[   82.890906]  Possible unsafe locking scenario:
[   82.890906]
[   82.890906]        CPU0
[   82.890906]        ----
[   82.890906]   lock(&sch->q.lock);
[   82.890906]   lock(&sch->q.lock);
[   82.890906]
[   82.890906]  *** DEADLOCK ***
[   82.890906]
[..... other info removed for brevity....]

Example setup (eth0->eth0) to recreate
tc qdisc add dev eth0 root handle 1: htb default 30
tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
     action mirred egress redirect dev eth0

Another example (eth0->eth1->eth0) to recreate
tc qdisc add dev eth0 root handle 1: htb default 30
tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
     action mirred egress redirect dev eth1

tc qdisc add dev eth1 root handle 1: htb default 30
tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \
     action mirred egress redirect dev eth0

We fix this by adding an owner field (CPU id) to struct Qdisc set after
root qdisc is entered. When the softirq enters it a second time, if the
qdisc owner is the same CPU, the packet is dropped to break the loop.

Reported-by: Mingshuai Ren <renmingshuai@huawei.com>
Closes: https://lore.kernel.org/netdev/20240314111713.5979-1-renmingshuai@huawei.com/
Fixes: 3bcb846ca4 ("net: get rid of spin_trylock() in net_tx_action()")
Fixes: e578d9c025 ("net: sched: use counter to break reclassify loops")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20240415210728.36949-1-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 0f022d32c3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
2025-07-16 13:29:16 +08:00
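
Added example, not part of the commit or the kernel source: a single-threaded user-space C model of the owner check described in the commit message, run against both redirect setups shown there. All struct, function and enum names are hypothetical; the only detail taken from the page is that an owner field (CPU id) is set after the root qdisc is entered and a second entry by the same CPU drops the packet.

```c
#include <stdio.h>

#define NO_OWNER (-1)
#define MAX_DEVS 4

/* Hypothetical stand-in for the per-device root qdisc state. */
struct model_qdisc {
    int owner;        /* CPU currently inside the root qdisc, or NO_OWNER */
    int locked;       /* models the non-recursive qdisc lock */
    int redirect_to;  /* mirred egress redirect target, -1 for none */
};

enum xmit_result { XMIT_OK, XMIT_DROPPED, XMIT_DEADLOCK };

static struct model_qdisc devs[MAX_DEVS];

static void model_reset(void) {
    for (int i = 0; i < MAX_DEVS; i++)
        devs[i] = (struct model_qdisc){ NO_OWNER, 0, -1 };
}

/* Transmit on dev from cpu; use_owner_check=0 models the pre-fix behaviour. */
static enum xmit_result model_xmit(int dev, int cpu, int use_owner_check) {
    struct model_qdisc *q = &devs[dev];
    enum xmit_result r = XMIT_OK;

    if (use_owner_check && q->owner == cpu)
        return XMIT_DROPPED;      /* same CPU re-entered: drop, break the loop */
    if (q->locked)                /* single-threaded model: held lock means  */
        return XMIT_DEADLOCK;     /* recursion; a real spinlock would hang   */
    q->locked = 1;
    q->owner = cpu;               /* set after the root qdisc is entered */
    if (q->redirect_to >= 0)      /* the redirect runs while the lock is held */
        r = model_xmit(q->redirect_to, cpu, use_owner_check);
    q->owner = NO_OWNER;
    q->locked = 0;
    return r;
}

/* Configure redirects for devices 0 and 1, then send one packet on device 0. */
static enum xmit_result run_case(int d0_to, int d1_to, int use_owner_check) {
    model_reset();
    devs[0].redirect_to = d0_to;
    devs[1].redirect_to = d1_to;
    return model_xmit(0, 0, use_owner_check);
}

int main(void) {
    printf("eth0->eth0       unfixed=%d fixed=%d\n", run_case(0, -1, 0), run_case(0, -1, 1));
    printf("eth0->eth1->eth0 unfixed=%d fixed=%d\n", run_case(1, 0, 0), run_case(1, 0, 1));
    return 0;
}
```
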
..
Makefile net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
bpf_sk_storage.c bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing 2023-07-27 10:07:56 -07:00
datagram.c net: fix rc7's __skb_datagram_iter() 2024-12-10 20:39:20 +08:00
dev.c net/sched: Fix mirred deadlock on device recursion 2025-07-16 13:29:16 +08:00
dev.h net: fix removing a namespace with conflicting altnames 2024-01-31 16:19:01 -08:00
dev_addr_lists.c
dev_addr_lists_test.c kunit: Use KUNIT_EXPECT_MEMEQ macro 2022-10-27 02:40:14 -06:00
dev_ioctl.c net: omit ndo_hwtstamp_get() call when possible in dev_set_hwtstamp_phylib() 2023-08-06 13:25:10 +01:00
drop_monitor.c drop_monitor: fix incorrect initialization order 2025-03-14 17:42:52 +08:00
dst.c net: decrease cached dst counters in dst_release 2025-04-14 15:51:09 +08:00
dst_cache.c ipv6: introduce dst_rt6_info() helper 2024-12-16 00:22:41 +08:00
failover.c net: failover: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf 2022-12-12 15:18:25 -08:00
fib_notifier.c
fib_rules.c
filter.c bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE 2025-07-03 11:32:09 +08:00
flow_dissector.c flow_dissector: Fix port range key handling in BPF conversion 2025-03-14 17:42:52 +08:00
flow_offload.c tc: flower: Enable offload support IPSEC SPI field. 2023-08-02 10:09:32 +01:00
gen_estimator.c net: use unrcu_pointer() helper 2024-12-10 20:44:40 +08:00
gen_stats.c net: Remove the obsolte u64_stats_fetch_*_irq() users (net). 2022-10-28 20:13:54 -07:00
gro.c net: Clear old fragment checksum value in napi_reuse_skb 2025-03-17 20:08:50 +08:00
gro_cells.c net: drop the weight argument from netif_napi_add 2022-09-28 18:57:14 -07:00
gso.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
hwbm.c
link_watch.c ipvlan: Fix use-after-free in ipvlan_get_iflink(). 2025-01-19 12:48:46 +08:00
lwt_bpf.c lwt: Fix return values of BPF xmit ops 2023-08-18 16:05:26 +02:00
lwtunnel.c net: lwtunnel: disable BHs when required 2025-05-09 23:02:20 +08:00
neighbour.c net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES 2025-04-14 13:52:13 +08:00
net-procfs.c net-sysfs: display two backlog queue len separately 2023-03-22 12:03:52 +01:00
net-sysfs.c ethtool: check device is present when getting link settings 2024-12-10 20:41:04 +08:00
net-sysfs.h
net-traces.c udp6: add a missing call into udp_fail_queue_rcv_skb tracepoint 2023-07-07 09:16:52 +01:00
net_namespace.c netns-ipv4: reorganize netns_ipv4 fast path variables 2025-02-10 14:43:27 +08:00
netclassid_cgroup.c core: Variable type completion 2022-08-31 09:40:34 +01:00
netdev-genl-gen.c net: ynl: prefix uAPI header include with uapi/ 2023-05-26 10:30:14 +01:00
netdev-genl-gen.h net: ynl: prefix uAPI header include with uapi/ 2023-05-26 10:30:14 +01:00
netdev-genl.c netdev-genl: use struct genl_info for reply construction 2023-08-15 15:01:03 -07:00
netevent.c
netpoll.c netpoll: hold rcu read lock in __netpoll_send_skb() 2025-03-23 19:26:40 +08:00
netprio_cgroup.c
of_net.c net: Explicitly include correct DT includes 2023-07-27 20:33:16 -07:00
page_pool.c page_pool: avoid infinite loop to schedule delayed worker 2025-05-09 18:47:18 +08:00
pktgen.c net: pktgen: fix access outside of user given buffer in pktgen_thread_write() 2025-06-10 10:35:02 +08:00
ptp_classifier.c
request_sock.c tcp: make sure init the accept_queue's spinlocks once 2024-01-31 16:19:00 -08:00
rtnetlink.c rtnetlink: Allocate vfinfo size for VF GUIDs when supported 2025-04-14 15:49:28 +08:00
scm.c af_unix: Add dead flag to struct scm_fp_list. 2025-06-10 16:18:07 +08:00
secure_seq.c
selftests.c net: selftests: fix TCP packet checksum 2025-07-09 09:50:01 +08:00
skbuff.c ipvs: Always clear ipvs_property flag in skb_scrub_packet() 2025-03-17 20:08:50 +08:00
skmsg.c bpf, sockmap: Fix data lost during EAGAIN retries 2025-07-03 11:32:04 +08:00
sock.c tcp: cache RTAX_QUICKACK metric in a hot cache line 2025-07-14 14:11:44 +08:00
sock_destructor.h
sock_diag.c net: use unrcu_pointer() helper 2024-12-10 20:44:40 +08:00
sock_map.c bpf: Disable non stream socket for strparser 2025-03-14 17:42:52 +08:00
sock_reuseport.c soreuseport: Fix socket selection for SO_INCOMING_CPU. 2022-10-25 11:35:16 +02:00
stream.c net: Return error from sk_stream_wait_connect() if sk_wait_event() fails 2024-01-01 12:42:30 +00:00
sysctl_net_core.c net: set the minimum for net_hotdata.netdev_budget_usecs 2025-03-17 20:08:50 +08:00
timestamping.c
tso.c net: tso: inline tso_count_descs() 2022-12-12 15:04:39 -08:00
utils.c net: Fix checksum update for ILA adj-transport 2025-07-03 11:32:09 +08:00
xdp.c xdp: fix invalid wait context of page_pool_destroy() 2024-12-10 20:39:45 +08:00