ACK: [SRU][J:linux]PATCH v3 0/1] CVE-2024-26837

Stewart Hore stewart.hore at canonical.com
Tue Feb 18 22:40:13 UTC 2025 

On Tue, Feb 18, 2025 at 12:22:59PM +0000, Andrei Gherzan wrote:
> [Impact]
>
> net: bridge: switchdev: Skip MDB replays of deferred events on offload
>
> Before this change, generation of the list of MDB events to replay
> would race against the creation of new group memberships, either from
> the IGMP/MLD snooping logic or from user configuration.
>
> While new memberships are immediately visible to walkers of
> br->mdb_list, the notification of their existence to switchdev event
> subscribers is deferred until a later point in time. So if a replay
> list was generated during a time that overlapped with such a window,
> it would also contain a replay of the not-yet-delivered event.
>
> The driver would thus receive two copies of what the bridge internally
> considered to be one single event. On destruction of the bridge, only
> a single membership deletion event was therefore sent. As a
> consequence of this, drivers which reference count memberships (at
> least DSA), would be left with orphan groups in their hardware
> database when the bridge was destroyed.
>
> This is only an issue when replaying additions. While deletion events
> may still be pending on the deferred queue, they will already have
> been removed from br->mdb_list, so no duplicates can be generated in
> that scenario.
>
> To a user this meant that old group memberships, from a bridge in
> which a port was previously attached, could be reanimated (in
> hardware) when the port joined a new bridge, without the new bridge's
> knowledge.
>
> For example, on an mv88e6xxx system, create a snooping bridge and
> immediately add a port to it:
>
>     root at infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \
>     > ip link set dev x3 up master br0
>
> And then destroy the bridge:
>
>     root at infix-06-0b-00:~$ ip link del dev br0
>     root at infix-06-0b-00:~$ mvls atu
>     ADDRESS             FID  STATE      Q  F  0  1  2  3  4  5  6  7  8  9  a
>     DEV:0 Marvell 88E6393X
>     33:33:00:00:00:6a     1  static     -  -  0  .  .  .  .  .  .  .  .  .  .
>     33:33:ff:87:e4:3f     1  static     -  -  0  .  .  .  .  .  .  .  .  .  .
>     ff:ff:ff:ff:ff:ff     1  static     -  -  0  1  2  3  4  5  6  7  8  9  a
>     root at infix-06-0b-00:~$
>
> The two IPv6 groups remain in the hardware database because the
> port (x3) is notified of the host's membership twice: once via the
> original event and once via a replay. Since only a single delete
> notification is sent, the count remains at 1 when the bridge is
> destroyed.
>
> Then add the same port (or another port belonging to the same hardware
> domain) to a new bridge, this time with snooping disabled:
>
>     root at infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \
>     > ip link set dev x3 up master br1
>
> All multicast, including the two IPv6 groups from br0, should now be
> flooded, according to the policy of br1. But instead the old
> memberships are still active in the hardware database, causing the
> switch to only forward traffic to those groups towards the CPU (port
> 0).
>
> Eliminate the race in two steps:
>
> 1. Grab the write-side lock of the MDB while generating the replay
>    list.
>
> This prevents new memberships from showing up while we are generating
> the replay list. But it leaves the scenario in which a deferred event
> was already generated, but not delivered, before we grabbed the
> lock. Therefore:
>
> 2. Make sure that no deferred version of a replay event is already
>    enqueued to the switchdev deferred queue, before adding it to the
>    replay list, when replaying additions.
>
> [Fix]
>
> oracular: Not affected
> noble: Not affected
> jammy: Fixed by backporting dc489f8 from linux-6.8.y
> 	`br_mdb_queue_one` and `br_mdb_queue_one` were moved out of
> 	`br_mdb.c` along with other functions and as part of a larger
> 	consolidation into `br_switchdev.c`, to avoid a considerable
> 	restructuring backport, the changes were applied on the original
> 	file, `br_mdb.c`.  This patch also has a dependency on the
> 	support for differentiating new VLANs from changed ones, but
> 	given that the dependency is only for the purposes of comparing
> 	two `switchdev_obj_port_vlan` objects, this patch was adapted to
> 	ignore the `changed` struct member.
> focal: Not affected
> bionic: Not affected
> xenial: Not affected
> trusty: Not affected
>
> [Test Case]
>
> * Compile all supported arch
> * Boot tested in a VM
> * Exercised creating and destroying bridge interfaces
>
> [Where problems could occur]
>
> This fix might affect Ethernet Bridging functionality especially:
> - switchdev: module provides glue between core networking code and
>   device drivers
> - IGMP snooping: forward multicast traffic based on IGMP/MLD traffic
>   received from each port
>
> v2: Fixed missing series tag in cover letter subject line
> v3: Fixed backport footer line (commit hash format and provenance)
>
> Tobias Waldekranz (1):
>   net: bridge: switchdev: Skip MDB replays of deferred events on offload
>
>  include/net/switchdev.h   |  3 ++
>  net/bridge/br_mdb.c       | 78 ++++++++++++++++++++++++---------------
>  net/switchdev/switchdev.c | 72 ++++++++++++++++++++++++++++++++++++
>  3 files changed, 123 insertions(+), 30 deletions(-)
>
> --
> 2.43.0

Acked-by: Stewart Hore <stewart.hore at canonical.com>

> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

More information about the kernel-team mailing list