cve/published/2024/CVE-2024-49980.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49980: vrf: revert "vrf: Remove unnecessary RCU-bh critical section"

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 vrf: revert "vrf: Remove unnecessary RCU-bh critical section"

 This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.

 dev_queue_xmit_nit is expected to be called with BH disabled.
 __dev_queue_xmit has the following:

         /* Disable soft irqs for various locks below. Also
          * stops preemption for RCU.
          */
         rcu_read_lock_bh();

 VRF must follow this invariant. The referenced commit removed this
 protection. Which triggered a lockdep warning:

 	================================
 	WARNING: inconsistent lock state
 	6.11.0 #1 Tainted: G        W
 	--------------------------------
 	inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
 	btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:
 	ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30
 	{IN-SOFTIRQ-W} state was registered at:
 	  lock_acquire+0x19a/0x4f0
 	  _raw_spin_lock+0x27/0x40
 	  packet_rcv+0xa33/0x1320
 	  __netif_receive_skb_core.constprop.0+0xcb0/0x3a90
 	  __netif_receive_skb_list_core+0x2c9/0x890
 	  netif_receive_skb_list_internal+0x610/0xcc0
           [...]

 	other info that might help us debug this:
 	 Possible unsafe locking scenario:

 	       CPU0
 	       ----
 	  lock(rlock-AF_PACKET);
 	  <Interrupt>
 	    lock(rlock-AF_PACKET);

 	 *** DEADLOCK ***

 	Call Trace:
 	 <TASK>
 	 dump_stack_lvl+0x73/0xa0
 	 mark_lock+0x102e/0x16b0
 	 __lock_acquire+0x9ae/0x6170
 	 lock_acquire+0x19a/0x4f0
 	 _raw_spin_lock+0x27/0x40
 	 tpacket_rcv+0x863/0x3b30
 	 dev_queue_xmit_nit+0x709/0xa40
 	 vrf_finish_direct+0x26e/0x340 [vrf]
 	 vrf_l3_out+0x5f4/0xe80 [vrf]
 	 __ip_local_out+0x51e/0x7a0
           [...]

 The Linux kernel CVE team has assigned CVE-2024-49980 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6 with commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853 and fixed in 6.6.55 with commit 718a752bd746b3f4dd62516bb437baf73d548415
 	Issue introduced in 6.6 with commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853 and fixed in 6.10.14 with commit 8c9381b3138246d46536db93ed696832abd70204
 	Issue introduced in 6.6 with commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853 and fixed in 6.11.3 with commit e61f8c4d179b2ffc0d3b7f821c3734be738643d0
 	Issue introduced in 6.6 with commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853 and fixed in 6.12 with commit b04c4d9eb4f25b950b33218e33b04c94e7445e51

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49980
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/vrf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/718a752bd746b3f4dd62516bb437baf73d548415
 	https://git.kernel.org/stable/c/8c9381b3138246d46536db93ed696832abd70204
 	https://git.kernel.org/stable/c/e61f8c4d179b2ffc0d3b7f821c3734be738643d0
 	https://git.kernel.org/stable/c/b04c4d9eb4f25b950b33218e33b04c94e7445e51
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49980: vrf: revert "vrf: Remove unnecessary RCU-bh critical section"

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	vrf: revert "vrf: Remove unnecessary RCU-bh critical section"

	This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.

	dev_queue_xmit_nit is expected to be called with BH disabled.
	__dev_queue_xmit has the following:

	/* Disable soft irqs for various locks below. Also
	* stops preemption for RCU.
	*/
	rcu_read_lock_bh();

	VRF must follow this invariant. The referenced commit removed this
	protection. Which triggered a lockdep warning:

	================================
	WARNING: inconsistent lock state
	6.11.0 #1 Tainted: G W
	--------------------------------
	inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
	btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:
	ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30
	{IN-SOFTIRQ-W} state was registered at:
	lock_acquire+0x19a/0x4f0
	_raw_spin_lock+0x27/0x40
	packet_rcv+0xa33/0x1320
	__netif_receive_skb_core.constprop.0+0xcb0/0x3a90
	__netif_receive_skb_list_core+0x2c9/0x890
	netif_receive_skb_list_internal+0x610/0xcc0
	[...]

	other info that might help us debug this:
	Possible unsafe locking scenario:

	CPU0
	----
	lock(rlock-AF_PACKET);
	<Interrupt>
	lock(rlock-AF_PACKET);

	* DEADLOCK *

	Call Trace:
	<TASK>
	dump_stack_lvl+0x73/0xa0
	mark_lock+0x102e/0x16b0
	__lock_acquire+0x9ae/0x6170
	lock_acquire+0x19a/0x4f0
	_raw_spin_lock+0x27/0x40
	tpacket_rcv+0x863/0x3b30
	dev_queue_xmit_nit+0x709/0xa40
	vrf_finish_direct+0x26e/0x340 [vrf]
	vrf_l3_out+0x5f4/0xe80 [vrf]
	__ip_local_out+0x51e/0x7a0
	[...]

	The Linux kernel CVE team has assigned CVE-2024-49980 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6 with commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853 and fixed in 6.6.55 with commit 718a752bd746b3f4dd62516bb437baf73d548415
	Issue introduced in 6.6 with commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853 and fixed in 6.10.14 with commit 8c9381b3138246d46536db93ed696832abd70204
	Issue introduced in 6.6 with commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853 and fixed in 6.11.3 with commit e61f8c4d179b2ffc0d3b7f821c3734be738643d0
	Issue introduced in 6.6 with commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853 and fixed in 6.12 with commit b04c4d9eb4f25b950b33218e33b04c94e7445e51

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49980
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/vrf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/718a752bd746b3f4dd62516bb437baf73d548415
	https://git.kernel.org/stable/c/8c9381b3138246d46536db93ed696832abd70204
	https://git.kernel.org/stable/c/e61f8c4d179b2ffc0d3b7f821c3734be738643d0
	https://git.kernel.org/stable/c/b04c4d9eb4f25b950b33218e33b04c94e7445e51