Unverified Commit 0a8d8bc5 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!8036 fix CVE-2024-27010 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/ESDULVOJNU355N55Z3W4L4RZFE7TO7JX/ 
Fix CVE-2024-27010.

Eric Dumazet (1):
  net/sched: Fix mirred deadlock on device recursion

Zhengchao Shao (1):
  net/sched: fix kabi change in struct Qdisc


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9L5IO 
 
Link:https://gitee.com/openeuler/kernel/pulls/8036

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents 5a6a4ae9 b7b0c386

include/net/sch_generic.h

+1 −1
Original line number Diff line number Diff line
@@ -128,7 +128,7 @@ struct Qdisc { 
	struct rcu_head		rcu;

	netdevice_tracker	dev_tracker;



	KABI_RESERVE(1)

	KABI_USE(1, int owner)

	KABI_RESERVE(2)



	/* private data */

net/core/dev.c

+6 −0
Original line number Diff line number Diff line
@@ -3818,6 +3818,10 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q, 
		return rc;

	}



	if (unlikely(READ_ONCE(q->owner) == smp_processor_id())) {

		kfree_skb_reason(skb, SKB_DROP_REASON_TC_EGRESS);

		return NET_XMIT_DROP;

	}

	/*

	 * Heuristic to force contended enqueues to serialize on a

	 * separate lock before trying to get qdisc main lock.
@@ -3857,7 +3861,9 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q, 
		qdisc_run_end(q);

		rc = NET_XMIT_SUCCESS;

	} else {

		WRITE_ONCE(q->owner, smp_processor_id());

		rc = dev_qdisc_enqueue(skb, q, &to_free, txq);

		WRITE_ONCE(q->owner, -1);

		if (qdisc_run_begin(q)) {

			if (unlikely(contended)) {

				spin_unlock(&q->busylock);

net/sched/sch_generic.c

+1 −0
Original line number Diff line number Diff line
@@ -971,6 +971,7 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue, 
	sch->enqueue = ops->enqueue;

	sch->dequeue = ops->dequeue;

	sch->dev_queue = dev_queue;

	sch->owner = -1;

	netdev_hold(dev, &sch->dev_tracker, GFP_KERNEL);

	refcount_set(&sch->refcnt, 1);