Unverified Commit eaf5cff8 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!10343 fix CVE-2024-27010

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/UQNRJA4W6B3YIUNLYG7OUBGLFMMUWO6Z/ 
Fix CVE-2024-27010

Eric Dumazet (1):
  net/sched: Fix mirred deadlock on device recursion

Johannes Berg (1):
  net/sched: initialize noop_qdisc owner

Zhengchao Shao (1):
  net/sched: fix kabi change in struct Qdisc


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9L5IO
https://gitee.com/openeuler/kernel/issues/I9L5IO 
 
Link:https://gitee.com/openeuler/kernel/pulls/10343

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
parents 1728b0bd f55c3265
+1 −1
@@ -115,7 +115,7 @@ struct Qdisc {
	bool			empty;
	struct rcu_head		rcu;

	KABI_RESERVE(1)
	KABI_USE(1, int owner)
	KABI_RESERVE(2)

	/* private data */
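Review bot: The new `owner` slot has no comment, and its idle value is -1 while a zero-filled `struct Qdisc` would read as owned by CPU 0, so the contract needs to be written down at the field. Elsewhere in this commit `__dev_xmit_skb()` compares `q->owner` with `smp_processor_id()` and drops on a match, and only `noop_qdisc` and `qdisc_alloc()` are shown setting -1; whether any other static or hand-built Qdisc exists in this tree is not visible here and should be checked. I would add above the field: `/* CPU currently inside ->enqueue() for this qdisc, or -1; every initialiser must set -1 because 0 is a valid CPU id */`. The struct body starts and ends outside the hunk.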
+6 −0
@@ -3785,6 +3785,10 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
		return rc;
	}

	if (unlikely(READ_ONCE(q->owner) == smp_processor_id())) {
		kfree_skb(skb);
		return NET_XMIT_DROP;
	}
	/*
	 * Heuristic to force contended enqueues to serialize on a
	 * separate lock before trying to get qdisc main lock.
@@ -3820,7 +3824,9 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
		qdisc_run_end(q);
		rc = NET_XMIT_SUCCESS;
	} else {
		WRITE_ONCE(q->owner, smp_processor_id());
		rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;
		WRITE_ONCE(q->owner, -1);
		if (qdisc_run_begin(q)) {
			if (unlikely(contended)) {
				spin_unlock(&q->busylock);
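Review bot: The early-drop branch added before the busylock heuristic frees the skb and returns `NET_XMIT_DROP` without a comment or any accounting visible in the hunk, so a redirect loop back to the same qdisc would appear only as unexplained packet loss. `q->owner` is written only around `q->enqueue()` in the `else` branch of the second hunk, so the check presumably fires only when an enqueue-time action re-enters this qdisc on the same CPU; that reasoning deserves a comment such as `/* owner == this CPU means we re-entered from inside q->enqueue(); drop instead of deadlocking on the qdisc lock */`. If this tree has a drop counter or drop-reason helper that is safe to use without the qdisc lock, recording the drop here would let operators detect the loop. The body of `__dev_xmit_skb()` starts and ends outside both hunks.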
+2 −0
@@ -592,6 +592,7 @@ struct Qdisc noop_qdisc = {
		.qlen = 0,
		.lock = __SPIN_LOCK_UNLOCKED(noop_qdisc.skb_bad_txq.lock),
	},
	.owner = -1,
};
EXPORT_SYMBOL(noop_qdisc);

@@ -899,6 +900,7 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
	sch->dequeue = ops->dequeue;
	sch->dev_queue = dev_queue;
	sch->empty = true;
	sch->owner = -1;
	dev_hold(dev);
	refcount_set(&sch->refcnt, 1);