ACK: [SRU][M][PATCH 0/1] CVE-2024-26803

Cengiz Can cengiz.can at canonical.com
Tue May 7 03:25:05 UTC 2024 

On 01-05-24 17:09:06, Bethany Jamison wrote:
> [Impact]
> 
>  In the Linux kernel, the following vulnerability has been resolved:
> 
>  net: veth: clear GRO when clearing XDP even when down
> 
>  veth sets NETIF_F_GRO automatically when XDP is enabled,
>  because both features use the same NAPI machinery.
> 
>  The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which
>  is called both on ndo_stop and when XDP is turned off.
>  To avoid the flag from being cleared when the device is brought
>  down, the clearing is skipped when IFF_UP is not set.
>  Bringing the device down should indeed not modify its features.
> 
>  Unfortunately, this means that clearing is also skipped when
>  XDP is disabled _while_ the device is down. And there's nothing
>  on the open path to bring the device features back into sync.
>  IOW if user enables XDP, disables it and then brings the device
>  up we'll end up with a stray GRO flag set but no NAPI instances.
> 
>  We don't depend on the GRO flag on the datapath, so the datapath
>  won't crash. We will crash (or hang), however, next time features
>  are sync'ed (either by user via ethtool or peer changing its config).
>  The GRO flag will go away, and veth will try to disable the NAPIs.
>  But the open path never created them since XDP was off, the GRO flag
>  was a stray. If NAPI was initialized before we'll hang in napi_disable().
>  If it never was we'll crash trying to stop uninitialized hrtimer.
> 
>  Move the GRO flag updates to the XDP enable / disable paths,
>  instead of mixing them with the ndo_open / ndo_close paths.
> 
> [Fix]
> 
> Mantic:	Clean cherry-pick from linux-6.6.y
> Jammy:	pending
> Focal:	not-affected
> Bionic: not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the veth (virtual ethernet) driver, an 
> issue with this fix would be visable to the user via a system crash.
> 
> Jakub Kicinski (1):
>   net: veth: clear GRO when clearing XDP even when down

Acked-by: Cengiz Can <cengiz.can at canonical.com>


> 
>  drivers/net/veth.c | 35 +++++++++++++++++------------------
>  1 file changed, 17 insertions(+), 18 deletions(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

More information about the kernel-team mailing list