ACK: [SRU][F/J][PATCH 0/1] CVE-2024-26669
Thibault Ferrante
thibault.ferrante at canonical.com
Tue Sep 17 14:16:15 UTC 2024
Acked-by: Thibault Ferrante <thibault.ferrante at canonical.com>
On 11-09-2024 03:55, Koichiro Den wrote:
> [Impact]
>
> net/sched: flower: Fix chain template offload
>
> When a qdisc is deleted from a net device the stack instructs the
> underlying driver to remove its flow offload callback from the
> associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack
> then continues to replay the removal of the filters in the block for
> this driver by iterating over the chains in the block and invoking the
> 'reoffload' operation of the classifier being used. In turn, the
> classifier in its 'reoffload' operation prepares and emits a
> 'FLOW_CLS_DESTROY' command for each filter.
>
> However, the stack does not do the same for chain templates and the
> underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when
> a qdisc is deleted. This results in a memory leak [1] which can be
> reproduced using [2].
>
> Fix by introducing a 'tmplt_reoffload' operation and have the stack
> invoke it with the appropriate arguments as part of the replay.
> Implement the operation in the sole classifier that supports chain
> templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'
> command based on whether a flow offload callback is being bound to a
> filter block or being unbound from one.
>
> As far as I can tell, the issue happens since cited commit which
> reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()
> in __tcf_block_put(). The order cannot be reversed as the filter block
> is expected to be freed after flushing all the chains.
>
> [1] See the original fix commit message:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=32f2a0afa95fae0d1ceec2ff06e0e816939964b8
> [2]
> # tc qdisc add dev swp1 clsact
> # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32
> # tc qdisc del dev swp1 clsact
> # devlink dev reload pci/0000:06:00.0
>
> [Backport]
>
> Adjusted context due to missing commit 80cd22c35c90
> ("net/sched: cls_api: Support hardware miss to tc action")
>
> [Fix]
>
> Noble: not affected
> Jammy: Backport - adjusted contexts, see [Backport]
> Focal: Backport - adjusted contexts, see [Backport]
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix affects those who use tc flower offload; an issue with this fix
> would be visible to the user via a memory leak report on qdisc deletion.
>
>
> Ido Schimmel (1):
> net/sched: flower: Fix chain template offload
>
> include/net/sch_generic.h | 5 ++++-
> net/sched/cls_api.c | 9 ++++++++-
> net/sched/cls_flower.c | 23 +++++++++++++++++++++++
> 3 files changed, 35 insertions(+), 2 deletions(-)
>
--
Thibault
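The bind/unbind replay that the quoted cover letter describes, as an added model written for this page. It is illustration code, not kernel code, and not taken from the patch, from cls_flower or from any driver: every name below (driver_cb, block_replay, flower_tmplt_reoffload, leftover_after_qdisc_del) is a simplified stand-in for its net/sched counterpart, the driver is reduced to two counters, and the ordering of template versus filter replay is a modelling assumption. The model walks the reproducer from the cover letter once without and once with the tmplt_reoffload step and reports what the driver still holds after the qdisc is deleted.

```c
/*
 * Added model of the filter-block bind/unbind replay. Illustration code
 * written for this page: not kernel code, not from the patch or a driver.
 * Every name is a simplified stand-in for its net/sched counterpart.
 */
#include <stdbool.h>
#include <stdio.h>

enum flow_cmd {
    FLOW_CLS_REPLACE,
    FLOW_CLS_DESTROY,
    FLOW_CLS_TMPLT_CREATE,
    FLOW_CLS_TMPLT_DESTROY,
};

/* Driver side: one private object per offloaded filter and per offloaded
 * chain template, counted so a leak shows as a non-zero balance. */
struct driver {
    int live_filters;
    int live_templates;
};

static void driver_cb(struct driver *d, enum flow_cmd cmd)
{
    switch (cmd) {
    case FLOW_CLS_REPLACE:       d->live_filters++;   break;
    case FLOW_CLS_DESTROY:       d->live_filters--;   break;
    case FLOW_CLS_TMPLT_CREATE:  d->live_templates++; break;
    case FLOW_CLS_TMPLT_DESTROY: d->live_templates--; break;
    }
}

struct chain {
    bool has_template;  /* set by "tc chain add ... flower ..." */
    int nfilters;
};

struct block {
    struct chain chains[4];
    int nchains;
};

/* flower's reoffload: one FLOW_CLS_{REPLACE,DESTROY} per filter. */
static void flower_reoffload(struct chain *c, struct driver *d, bool add)
{
    for (int i = 0; i < c->nfilters; i++)
        driver_cb(d, add ? FLOW_CLS_REPLACE : FLOW_CLS_DESTROY);
}

/* flower's tmplt_reoffload, the operation the fix introduces: one
 * FLOW_CLS_TMPLT_{CREATE,DESTROY} for a chain that carries a template. */
static void flower_tmplt_reoffload(struct chain *c, struct driver *d, bool add)
{
    if (c->has_template)
        driver_cb(d, add ? FLOW_CLS_TMPLT_CREATE : FLOW_CLS_TMPLT_DESTROY);
}

/* Replay of the block to one driver callback on bind (add) or unbind.
 * Modelling assumption: a template is created before, and destroyed after,
 * the filters that use it. Without the fix only filters are replayed. */
static void block_replay(struct block *b, struct driver *d, bool add, bool fixed)
{
    for (int i = 0; i < b->nchains; i++) {
        struct chain *c = &b->chains[i];
        if (fixed && add)
            flower_tmplt_reoffload(c, d, true);
        flower_reoffload(c, d, add);
        if (fixed && !add)
            flower_tmplt_reoffload(c, d, false);
    }
}

/* Walks the cover letter's reproducer against the model and returns what
 * the driver still holds once the qdisc is gone. */
struct driver leftover_after_qdisc_del(bool fixed)
{
    struct driver d = {0};
    struct block b = {0};

    /* tc qdisc add dev swp1 clsact: block bound, nothing to replay yet. */
    block_replay(&b, &d, true, fixed);

    /* tc chain add ... chain 1 flower dst_ip 0.0.0.0/32: flower creates the
     * template and offloads it at once. One filter is added on top (not in
     * the reproducer) to show that filters are replayed fine either way. */
    b.chains[b.nchains++] = (struct chain){ .has_template = true, .nfilters = 1 };
    driver_cb(&d, FLOW_CLS_TMPLT_CREATE);
    driver_cb(&d, FLOW_CLS_REPLACE);

    /* tc qdisc del dev swp1 clsact -> __tcf_block_put(): the callback is
     * unbound first, then the chains are flushed. The flush would destroy
     * the template, but the driver callback is already gone, so the replay
     * is the driver's only chance to see FLOW_CLS_TMPLT_DESTROY. */
    block_replay(&b, &d, false, fixed);   /* tcf_block_offload_unbind() */
    b.nchains = 0;                        /* tcf_block_flush_all_chains() */

    return d;
}

int main(void)
{
    struct driver before = leftover_after_qdisc_del(false);
    struct driver after = leftover_after_qdisc_del(true);

    printf("without fix: filters=%d templates=%d\n",
           before.live_filters, before.live_templates);
    printf("with fix:    filters=%d templates=%d\n",
           after.live_filters, after.live_templates);
    return 0;
}
```

Without the fix the model ends with one template object still held by the driver and no way to release it, which is the leak the cover letter points at; with the tmplt_reoffload step the balance is zero for both filters and templates.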