CVE-2024-26669

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
02/04/2024
Last modified:
17/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: flower: Fix chain template offload

When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter.

However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2].

Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one.

As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains.

[1]
unreferenced object 0xffff888107e28800 (size 2048):
  comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s)
  hex dump (first 32 bytes):
    b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff  ..|......[......
    01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff  ................
  backtrace:
    [] __kmem_cache_alloc_node+0x1e8/0x320
    [] __kmalloc+0x4e/0x90
    [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0
    [] mlxsw_sp_flower_tmplt_create+0x145/0x180
    [] mlxsw_sp_flow_block_cb+0x1ea/0x280
    [] tc_setup_cb_call+0x183/0x340
    [] fl_tmplt_create+0x3da/0x4c0
    [] tc_ctl_chain+0xa15/0x1170
    [] rtnetlink_rcv_msg+0x3cc/0xed0
    [] netlink_rcv_skb+0x170/0x440
    [] netlink_unicast+0x540/0x820
    [] netlink_sendmsg+0x8d8/0xda0
    [] ____sys_sendmsg+0x30f/0xa80
    [] ___sys_sendmsg+0x13a/0x1e0
    [] __sys_sendmsg+0x11c/0x1f0
    [] do_syscall_64+0x40/0xe0
unreferenced object 0xffff88816d2c0400 (size 1024):
  comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s)
  hex dump (first 32 bytes):
    40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00  @.......W.8.....
    10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff  ..,m......,m....
  backtrace:
    [] __kmem_cache_alloc_node+0x1e8/0x320
    [] __kmalloc_node+0x51/0x90
    [] kvmalloc_node+0xa6/0x1f0
    [] bucket_table_alloc.isra.0+0x83/0x460
    [] rhashtable_init+0x43b/0x7c0
    [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0
    [] mlxsw_sp_flower_tmplt_create+0x145/0x180
    [] mlxsw_sp_flow_block_cb+0x1ea/0x280
    [] tc_setup_cb_call+0x183/0x340
    [] fl_tmplt_create+0x3da/0x4c0
    [] tc_ctl_chain+0xa15/0x1170
    [] rtnetlink_rcv_msg+0x3cc/0xed0
    [] netlink_rcv_skb+0x170/0x440
    [] netlink_unicast+0x540/0x820
    [] netlink_sendmsg+0x8d8/0xda0
    [] ____sys_sendmsg+0x30f/0xa80

[2]
# tc qdisc add dev swp1 clsact
# tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32
# tc qdisc del dev
---truncated---

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.1 (including)    6.6.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)    6.7.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*