!10343 fix CVE-2024-27010

Merge Pull Request from: @ci-robot PR sync from: Zhengchao Shao <shaozhengchao@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/UQNRJA4W6B3YIUNLYG7OUBGLFMMUWO6Z/ Fix CVE-2024-27010 Eric Dumazet (1): net/sched: Fix mirred deadlock on device recursion Johannes Berg (1): net/sched: initialize noop_qdisc owner Zhengchao Shao (1): net/sched: fix kabi change in struct Qdisc -- 2.34.1 https://gitee.com/src-openeuler/kernel/issues/I9L5IO https://gitee.com/openeuler/kernel/issues/I9L5IO Link:https://gitee.com/openeuler/kernel/pulls/10343 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
openeuler-mirror · Jul 30, 2024 · eaf5cff · eaf5cff
2 parents 1728b0b + f55c326
commit eaf5cff
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
@@ -115,7 +115,7 @@ struct Qdisc {
 	bool			empty;
 	struct rcu_head		rcu;
 
-	KABI_RESERVE(1)
+	KABI_USE(1, int owner)
 	KABI_RESERVE(2)
 
 	/* private data */

diff --git a/net/core/dev.c b/net/core/dev.c
@@ -3785,6 +3785,10 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
 		return rc;
 	}
 
+	if (unlikely(READ_ONCE(q->owner) == smp_processor_id())) {
+		kfree_skb(skb);
+		return NET_XMIT_DROP;
+	}
 	/*
 	 * Heuristic to force contended enqueues to serialize on a
 	 * separate lock before trying to get qdisc main lock.
@@ -3820,7 +3824,9 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
 		qdisc_run_end(q);
 		rc = NET_XMIT_SUCCESS;
 	} else {
+		WRITE_ONCE(q->owner, smp_processor_id());
 		rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;
+		WRITE_ONCE(q->owner, -1);
 		if (qdisc_run_begin(q)) {
 			if (unlikely(contended)) {
 				spin_unlock(&q->busylock);

diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
@@ -592,6 +592,7 @@ struct Qdisc noop_qdisc = {
 		.qlen = 0,
 		.lock = __SPIN_LOCK_UNLOCKED(noop_qdisc.skb_bad_txq.lock),
 	},
+	.owner = -1,
 };
 EXPORT_SYMBOL(noop_qdisc);
 
@@ -899,6 +900,7 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
 	sch->dequeue = ops->dequeue;
 	sch->dev_queue = dev_queue;
 	sch->empty = true;
+	sch->owner = -1;
 	dev_hold(dev);
 	refcount_set(&sch->refcnt, 1);