)]}'
{
  "commit": "a005fa5d7502eefec7ee6e1c01adadc06de2f9ad",
  "tree": "674521b5f5a031a989be43b46790d1500ddf727d",
  "parents": [
    "db875221ab08d213a83bf30196ae8b64d55a3403"
  ],
  "author": {
    "name": "Kito Xu (veritas501)",
    "email": "hxzene@gmail.com",
    "time": "Mon May 25 08:25:53 2026 -0400"
  },
  "committer": {
    "name": "Paolo Abeni",
    "email": "pabeni@redhat.com",
    "time": "Thu May 28 12:26:36 2026 +0200"
  },
  "message": "net/sched: act_mirred: Fix blockcast recursion bypass leading to stack overflow\n\ntcf_mirred_act() checks sched_mirred_nest against MIRRED_NEST_LIMIT (4)\nto prevent deep recursion.  However, when the action uses blockcast\n(tcfm_blockid !\u003d 0), the function returns at the tcf_blockcast() call\nBEFORE reaching the counter increment.  As a result, the recursion\ncounter never advances and the limit check is entirely bypassed.\n\nWhen two devices share a TC egress block with a mirred blockcast rule,\na packet egressing on device A is mirrored to device B via blockcast;\ndevice B\u0027s egress TC re-enters tcf_mirred_act() via blockcast and\nmirrors back to A, creating an unbounded recursion loop:\n\n  tcf_mirred_act -\u003e tcf_blockcast -\u003e tcf_mirred_to_dev -\u003e dev_queue_xmit\n  -\u003e sch_handle_egress -\u003e tcf_classify -\u003e tcf_mirred_act -\u003e (repeat)\n\nThis recursion continues until the kernel stack overflows.\n\nThe bug is reachable from an unprivileged user via\nunshare(CLONE_NEWUSER | CLONE_NEWNET): user namespaces grant\nCAP_NET_ADMIN in the new network namespace, which is sufficient to\ncreate dummy devices, attach clsact qdiscs with shared blocks, and\ninstall mirred blockcast filters.\n\n BUG: TASK stack guard page was hit at ffffc90000b7fff8\n Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI\n CPU: 2 UID: 1000 PID: 169 Comm: poc Not tainted 7.0.0-rc7-next-20260410\n RIP: 0010:xas_find+0x17/0x480\n Call Trace:\n  xa_find+0x17b/0x1d0\n  tcf_mirred_act+0x640/0x1060\n  tcf_action_exec+0x400/0x530\n  basic_classify+0x128/0x1d0\n  tcf_classify+0xd83/0x1150\n  tc_run+0x328/0x620\n  __dev_queue_xmit+0x797/0x3100\n  tcf_mirred_to_dev+0x7b1/0xf70\n  tcf_mirred_act+0x68a/0x1060\n  [repeating ~30+ times until stack overflow]\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix this by incrementing sched_mirred_nest before calling\ntcf_blockcast() and decrementing it on return, mirroring the\nnon-blockcast path.  This ensures subsequent recursive entries see the\nupdated counter and are correctly limited by MIRRED_NEST_LIMIT.\n\nFixes: fe946a751d9b (\"net/sched: act_mirred: add loop detection\")\nSigned-off-by: Kito Xu (veritas501) \u003chxzene@gmail.com\u003e\nLink: https://patch.msgid.link/20260525122556.973584-7-jhs@mojatatu.com\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "dd5e7ea7ef2652c430c223717e93845dd246b204",
      "old_mode": 33188,
      "old_path": "net/sched/act_mirred.c",
      "new_id": "dbe4a4ff3e08b870aa353e4100fbc22a019ba9f5",
      "new_mode": 33188,
      "new_path": "net/sched/act_mirred.c"
    }
  ]
}