CVE-2022-50000

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: flowtable: fix stuck flows on cleanup due to pending work<br /> <br /> To clear the flow table on flow table free, the following sequence<br /> normally happens in order:<br /> <br /> 1) gc_step work is stopped to disable any further stats/del requests.<br /> 2) All flow table entries are set to teardown state.<br /> 3) Run gc_step which will queue HW del work for each flow table entry.<br /> 4) Waiting for the above del work to finish (flush).<br /> 5) Run gc_step again, deleting all entries from the flow table.<br /> 6) Flow table is freed.<br /> <br /> But if a flow table entry already has pending HW stats or HW add work<br /> step 3 will not queue HW del work (it will be skipped), step 4 will wait<br /> for the pending add/stats to finish, and step 5 will queue HW del work<br /> which might execute after freeing of the flow table.<br /> <br /> To fix the above, this patch flushes the pending work, then it sets the<br /> teardown flag to all flows in the flowtable and it forces a garbage<br /> collector run to queue work to remove the flows from hardware, then it<br /> flushes this new pending work and (finally) it forces another garbage<br /> collector run to remove the entry from the software flowtable.<br /> <br /> Stack trace:<br /> [47773.882335] BUG: KASAN: use-after-free in down_read+0x99/0x460<br /> [47773.883634] Write of size 8 at addr ffff888103b45aa8 by task kworker/u20:6/543704<br /> [47773.885634] CPU: 3 PID: 543704 Comm: kworker/u20:6 Not tainted 5.12.0-rc7+ #2<br /> [47773.886745] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)<br /> [47773.888438] Workqueue: nf_ft_offload_del flow_offload_work_handler [nf_flow_table]<br /> [47773.889727] Call Trace:<br /> [47773.890214] dump_stack+0xbb/0x107<br /> [47773.890818] print_address_description.constprop.0+0x18/0x140<br /> [47773.892990] kasan_report.cold+0x7c/0xd8<br /> [47773.894459] kasan_check_range+0x145/0x1a0<br /> [47773.895174] down_read+0x99/0x460<br /> [47773.899706] nf_flow_offload_tuple+0x24f/0x3c0 [nf_flow_table]<br /> [47773.907137] flow_offload_work_handler+0x72d/0xbe0 [nf_flow_table]<br /> [47773.913372] process_one_work+0x8ac/0x14e0<br /> [47773.921325]<br /> [47773.921325] Allocated by task 592159:<br /> [47773.922031] kasan_save_stack+0x1b/0x40<br /> [47773.922730] __kasan_kmalloc+0x7a/0x90<br /> [47773.923411] tcf_ct_flow_table_get+0x3cb/0x1230 [act_ct]<br /> [47773.924363] tcf_ct_init+0x71c/0x1156 [act_ct]<br /> [47773.925207] tcf_action_init_1+0x45b/0x700<br /> [47773.925987] tcf_action_init+0x453/0x6b0<br /> [47773.926692] tcf_exts_validate+0x3d0/0x600<br /> [47773.927419] fl_change+0x757/0x4a51 [cls_flower]<br /> [47773.928227] tc_new_tfilter+0x89a/0x2070<br /> [47773.936652]<br /> [47773.936652] Freed by task 543704:<br /> [47773.937303] kasan_save_stack+0x1b/0x40<br /> [47773.938039] kasan_set_track+0x1c/0x30<br /> [47773.938731] kasan_set_free_info+0x20/0x30<br /> [47773.939467] __kasan_slab_free+0xe7/0x120<br /> [47773.940194] slab_free_freelist_hook+0x86/0x190<br /> [47773.941038] kfree+0xce/0x3a0<br /> [47773.941644] tcf_ct_flow_table_cleanup_work<br /> <br /> Original patch description and stack trace by Paul Blakey.