commit | b1b40873b95a40789a541ebf0fc9b1ff42d90903 | |
---|---|---|
author | Davide Caratti <[email protected]> | Tue May 16 22:00:40 2023 +0300 |
committer | Arnav Kansal <[email protected]> | Fri Jun 09 22:59:52 2023 +0000 |
tree | 9dc719ad72c6985a8f5a25f73d55c9f11a030c3a | |
parent | 03b0bcab25e4b4da8647c53f1a851d8eac95dda5 | |

act_mirred: use the backlog for nested calls to mirred ingress

[ Upstream commit ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640 ]

William reports kernel soft-lockups on some OVS topologies when TC mirred egress->ingress action is hit by local TCP traffic [1]. The same can also be reproduced with SCTP (thanks Xin for verifying), when client and server reach themselves through mirred egress to ingress, and one of the two peers sends a "heartbeat" packet (from within a timer).

Enqueueing to backlog proved to fix this soft lockup; however, as Cong noticed [2], we should preserve - when possible - the current mirred behavior that counts as "overlimits" any eventual packet drop subsequent to the mirred forwarding action [3]. A compromise solution might use the backlog only when tcf_mirred_act() has a nest level greater than one: change tcf_mirred_forward() accordingly.

Also, add a kselftest that can reproduce the lockup and verifies TC mirred ability to account for further packet drops after TC mirred egress->ingress (when the nest level is 1).

[1] https://lore.kernel.org/netdev/33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com/
[2] https://lore.kernel.org/netdev/Y0w%[email protected]/
[3] such behavior is not guaranteed: for example, if RPS or skb RX timestamping is enabled on the mirred target device, the kernel can defer receiving the skb and return NET_RX_SUCCESS inside tcf_mirred_forward().

BUG=b/261837566
RELEASE_NOTE=Fixed CVE-2022-4269 in the Linux kernel.

Reported-by: William Zhao <[email protected]>
CC: Xin Long <[email protected]>
Change-Id: Id9ca648d87513b96a6ca2a1dfe939e04a0dd4c24
Signed-off-by: Davide Caratti <[email protected]>
Reviewed-by: Marcelo Ricardo Leitner <[email protected]>
Acked-by: Jamal Hadi Salim <[email protected]>
Signed-off-by: Paolo Abeni <[email protected]>
[DP: adjusted context for linux-5.10.y]
Signed-off-by: Dragos-Marian Panait <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/50520
Tested-by: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Meena Shanmugam <[email protected]>
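
The trade-off the commit message describes (direct receive at nest level 1 keeps later drops visible as "overlimits"; the backlog path used at nest level greater than one returns before the packet's fate is known), as an added user-space model that is not part of the commit or the kernel source. All names (`struct model`, `mirred_ingress`, `drain_backlog`, `BACKLOG_CAP`) are hypothetical, and treating a full queue as a visible drop is an assumption of the model.

```c
#include <stdio.h>

/* User-space model only, not kernel code; every name here is hypothetical. */
enum { RX_SUCCESS = 0, RX_DROP = 1 };
#define BACKLOG_CAP 8

struct model {
    int backlog[BACKLOG_CAP]; /* queued packets: 1 = receiver will drop it */
    int queued;
    int overlimits;           /* drops the mirred action saw and counted */
    int late_drops;           /* drops that happened after the action returned */
};

/* Direct path: the receive result is returned to the caller. */
static int receive_now(int receiver_drops)
{
    return receiver_drops ? RX_DROP : RX_SUCCESS;
}

/* Backlog path: queue the packet and return; its fate is decided later. */
static int enqueue_backlog(struct model *m, int receiver_drops)
{
    if (m->queued == BACKLOG_CAP)
        return RX_DROP;       /* model assumption: a full queue is a visible drop */
    m->backlog[m->queued++] = receiver_drops;
    return RX_SUCCESS;
}

/* The rule from the commit message: backlog only when nest level > 1. */
static void mirred_ingress(struct model *m, int nest_level, int receiver_drops)
{
    int rc = nest_level > 1 ? enqueue_backlog(m, receiver_drops)
                            : receive_now(receiver_drops);
    if (rc != RX_SUCCESS)
        m->overlimits++;
}

/* Runs once the call chain has unwound: deferred packets are received now. */
static void drain_backlog(struct model *m)
{
    for (int i = 0; i < m->queued; i++)
        m->late_drops += m->backlog[i];
    m->queued = 0;
}

int main(void)
{
    struct model a = {0}, b = {0};
    mirred_ingress(&a, 1, 1); drain_backlog(&a); /* constructed case: not nested */
    mirred_ingress(&b, 2, 1); drain_backlog(&b); /* constructed case: nested */
    printf("nest=1: overlimits=%d late_drops=%d\n", a.overlimits, a.late_drops);
    printf("nest=2: overlimits=%d late_drops=%d\n", b.overlimits, b.late_drops);
    return 0;
}
```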