cve/published/2024/CVE-2024-38557.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38557: net/mlx5: Reload only IB representors upon lag disable/enable

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/mlx5: Reload only IB representors upon lag disable/enable

 On lag disable, the bond IB device along with all of its
 representors are destroyed, and then the slaves' representors get reloaded.

 In case the slave IB representor load fails, the eswitch error flow
 unloads all representors, including ethernet representors, where the
 netdevs get detached and removed from lag bond. Such flow is inaccurate
 as the lag driver is not responsible for loading/unloading ethernet
 representors. Furthermore, the flow described above begins by holding
 lag lock to prevent bond changes during disable flow. However, when
 reaching the ethernet representors detachment from lag, the lag lock is
 required again, triggering the following deadlock:

 Call trace:
 __switch_to+0xf4/0x148
 __schedule+0x2c8/0x7d0
 schedule+0x50/0xe0
 schedule_preempt_disabled+0x18/0x28
 __mutex_lock.isra.13+0x2b8/0x570
 __mutex_lock_slowpath+0x1c/0x28
 mutex_lock+0x4c/0x68
 mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]
 mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]
 mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]
 mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]
 mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]
 mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]
 mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]
 mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]
 mlx5_disable_lag+0x130/0x138 [mlx5_core]
 mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock
 mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]
 devlink_nl_cmd_eswitch_set_doit+0xdc/0x180
 genl_family_rcv_msg_doit.isra.17+0xe8/0x138
 genl_rcv_msg+0xe4/0x220
 netlink_rcv_skb+0x44/0x108
 genl_rcv+0x40/0x58
 netlink_unicast+0x198/0x268
 netlink_sendmsg+0x1d4/0x418
 sock_sendmsg+0x54/0x60
 __sys_sendto+0xf4/0x120
 __arm64_sys_sendto+0x30/0x40
 el0_svc_common+0x8c/0x120
 do_el0_svc+0x30/0xa0
 el0_svc+0x20/0x30
 el0_sync_handler+0x90/0xb8
 el0_sync+0x160/0x180

 Thus, upon lag enable/disable, load and unload only the IB representors
 of the slaves preventing the deadlock mentioned above.

 While at it, refactor the mlx5_esw_offloads_rep_load() function to have
 a static helper method for its internal logic, in symmetry with the
 representor unload design.

 The Linux kernel CVE team has assigned CVE-2024-38557 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit 598fe77df855feeeca9dfda2ffe622ac7724e5c3 and fixed in 6.6.33 with commit e93fc8d959e56092e2eca1e5511c2d2f0ad6807a
 	Issue introduced in 5.15 with commit 598fe77df855feeeca9dfda2ffe622ac7724e5c3 and fixed in 6.8.12 with commit f03c714a0fdd1f93101a929d0e727c28a66383fc
 	Issue introduced in 5.15 with commit 598fe77df855feeeca9dfda2ffe622ac7724e5c3 and fixed in 6.9.3 with commit 0f320f28f54b1b269a755be2e3fb3695e0b80b07
 	Issue introduced in 5.15 with commit 598fe77df855feeeca9dfda2ffe622ac7724e5c3 and fixed in 6.10 with commit 0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38557
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
 	drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
 	drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
 	drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a
 	https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc
 	https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07
 	https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38557: net/mlx5: Reload only IB representors upon lag disable/enable

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/mlx5: Reload only IB representors upon lag disable/enable

	On lag disable, the bond IB device along with all of its
	representors are destroyed, and then the slaves' representors get reloaded.

	In case the slave IB representor load fails, the eswitch error flow
	unloads all representors, including ethernet representors, where the
	netdevs get detached and removed from lag bond. Such flow is inaccurate
	as the lag driver is not responsible for loading/unloading ethernet
	representors. Furthermore, the flow described above begins by holding
	lag lock to prevent bond changes during disable flow. However, when
	reaching the ethernet representors detachment from lag, the lag lock is
	required again, triggering the following deadlock:

	Call trace:
	__switch_to+0xf4/0x148
	__schedule+0x2c8/0x7d0
	schedule+0x50/0xe0
	schedule_preempt_disabled+0x18/0x28
	__mutex_lock.isra.13+0x2b8/0x570
	__mutex_lock_slowpath+0x1c/0x28
	mutex_lock+0x4c/0x68
	mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]
	mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]
	mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]
	mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]
	mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]
	mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]
	mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]
	mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]
	mlx5_disable_lag+0x130/0x138 [mlx5_core]
	mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock
	mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]
	devlink_nl_cmd_eswitch_set_doit+0xdc/0x180
	genl_family_rcv_msg_doit.isra.17+0xe8/0x138
	genl_rcv_msg+0xe4/0x220
	netlink_rcv_skb+0x44/0x108
	genl_rcv+0x40/0x58
	netlink_unicast+0x198/0x268
	netlink_sendmsg+0x1d4/0x418
	sock_sendmsg+0x54/0x60
	__sys_sendto+0xf4/0x120
	__arm64_sys_sendto+0x30/0x40
	el0_svc_common+0x8c/0x120
	do_el0_svc+0x30/0xa0
	el0_svc+0x20/0x30
	el0_sync_handler+0x90/0xb8
	el0_sync+0x160/0x180

	Thus, upon lag enable/disable, load and unload only the IB representors
	of the slaves preventing the deadlock mentioned above.

	While at it, refactor the mlx5_esw_offloads_rep_load() function to have
	a static helper method for its internal logic, in symmetry with the
	representor unload design.

	The Linux kernel CVE team has assigned CVE-2024-38557 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit 598fe77df855feeeca9dfda2ffe622ac7724e5c3 and fixed in 6.6.33 with commit e93fc8d959e56092e2eca1e5511c2d2f0ad6807a
	Issue introduced in 5.15 with commit 598fe77df855feeeca9dfda2ffe622ac7724e5c3 and fixed in 6.8.12 with commit f03c714a0fdd1f93101a929d0e727c28a66383fc
	Issue introduced in 5.15 with commit 598fe77df855feeeca9dfda2ffe622ac7724e5c3 and fixed in 6.9.3 with commit 0f320f28f54b1b269a755be2e3fb3695e0b80b07
	Issue introduced in 5.15 with commit 598fe77df855feeeca9dfda2ffe622ac7724e5c3 and fixed in 6.10 with commit 0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38557
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
	drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
	drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
	drivers/net/ethernet/mellanox/mlx5/core/lag/mpesw.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e93fc8d959e56092e2eca1e5511c2d2f0ad6807a
	https://git.kernel.org/stable/c/f03c714a0fdd1f93101a929d0e727c28a66383fc
	https://git.kernel.org/stable/c/0f320f28f54b1b269a755be2e3fb3695e0b80b07
	https://git.kernel.org/stable/c/0f06228d4a2dcc1fca5b3ddb0eefa09c05b102c4