Commit 839b80e5 authored Aug 02, 2024 by Eric Dumazet Committed by Zhengchao Shao Aug 02, 2024

ila: block BH in ila_output()

stable inclusion
from stable-v5.10.223
commit a0cafb7b0b94d18e4813ee4b712a056f280e7b5a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEMQ
CVE: CVE-2024-41081

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a0cafb7b0b94d18e4813ee4b712a056f280e7b5a



---------------------------

[ Upstream commit cf28ff8e4c02e1ffa850755288ac954b6ff0db8c ]

As explained in commit 13788174 ("tipc: block BH
before using dst_cache"), net/core/dst_cache.c
helpers need to be called with BH disabled.

ila_output() is called from lwtunnel_output()
possibly from process context, and under rcu_read_lock().

We might be interrupted by a softirq, re-enter ila_output()
and corrupt dst_cache data structures.

Fix the race by using local_bh_disable().

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/20240531132636.2637995-5-edumazet@google.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>

parent 4a618915

net/ipv6/ila/ila_lwt.c

+6 −1

Original line number	Diff line number	Diff line
		@@ -58,7 +58,9 @@ static int ila_output(struct net net, struct sock sk, struct sk_buff *skb)
		return orig_dst->lwtstate->orig_output(net, sk, skb);
		}

		local_bh_disable();
		dst = dst_cache_get(&ilwt->dst_cache);
		local_bh_enable();
		if (unlikely(!dst)) {
		struct ipv6hdr *ip6h = ipv6_hdr(skb);
		struct flowi6 fl6;
		@@ -86,8 +88,11 @@ static int ila_output(struct net net, struct sock sk, struct sk_buff *skb)
		goto drop;
		}

		if (ilwt->connected)
		if (ilwt->connected) {
		local_bh_disable();
		dst_cache_set_ip6(&ilwt->dst_cache, dst, &fl6.saddr);
		local_bh_enable();
		}
		}

		skb_dst_set(skb, dst);