Commit b33e0eff authored by Davide Caratti's avatar Davide Caratti Committed by Jialin Zhang
Browse files

net/sched: act_mirred: better wording on protection against excessive stack growth 

mainline inclusion
from mainline-v6.3-rc1
commit 78dcdffe
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I64END
CVE: CVE-2022-4269

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.2-rc7&id=78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f



--------------------------------

with commit e2ca070f ("net: sched: protect against stack overflow in
TC act_mirred"), act_mirred protected itself against excessive stack growth
using per_cpu counter of nested calls to tcf_mirred_act(), and capping it
to MIRRED_RECURSION_LIMIT. However, such protection does not detect
recursion/loops in case the packet is enqueued to the backlog (for example,
when the mirred target device has RPS or skb timestamping enabled). Change
the wording from "recursion" to "nesting" to make it more clear to readers.

CC: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
Reviewed-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
Reviewed-by: default avatarLiu Jian <liujian56@huawei.com>
Reviewed-by: default avatarWang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parent 7cdf0a60

net/sched/act_mirred.c

+8 −8
Original line number Diff line number Diff line
@@ -28,8 +28,8 @@ 
static LIST_HEAD(mirred_list);

static DEFINE_SPINLOCK(mirred_list_lock);



#define MIRRED_RECURSION_LIMIT    4

static DEFINE_PER_CPU(unsigned int, mirred_rec_level);

#define MIRRED_NEST_LIMIT    4

static DEFINE_PER_CPU(unsigned int, mirred_nest_level);



static bool tcf_mirred_is_act_redirect(int action)

{
@@ -225,7 +225,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, 
	struct sk_buff *skb2 = skb;

	bool m_mac_header_xmit;

	struct net_device *dev;

	unsigned int rec_level;

	unsigned int nest_level;

	int retval, err = 0;

	bool use_reinsert;

	bool want_ingress;
@@ -236,11 +236,11 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, 
	int mac_len;

	bool at_nh;



	rec_level = __this_cpu_inc_return(mirred_rec_level);

	if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) {

	nest_level = __this_cpu_inc_return(mirred_nest_level);

	if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {

		net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",

				     netdev_name(skb->dev));

		__this_cpu_dec(mirred_rec_level);

		__this_cpu_dec(mirred_nest_level);

		return TC_ACT_SHOT;

	}
@@ -310,7 +310,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, 
			err = tcf_mirred_forward(res->ingress, skb);

			if (err)

				tcf_action_inc_overlimit_qstats(&m->common);

			__this_cpu_dec(mirred_rec_level);

			__this_cpu_dec(mirred_nest_level);

			return TC_ACT_CONSUMED;

		}

	}
@@ -322,7 +322,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, 
		if (tcf_mirred_is_act_redirect(m_eaction))

			retval = TC_ACT_SHOT;

	}

	__this_cpu_dec(mirred_rec_level);

	__this_cpu_dec(mirred_nest_level);



	return retval;

}