CVE-2024-27010

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2024
Last modified: 04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Fix mirred deadlock on device recursion

When the mirred action is used on a classful egress qdisc and a packet is
mirrored or redirected to self we hit a qdisc lock deadlock.
See trace below.

[..... other info removed for brevity....]
[ 82.890906]
[ 82.890906] ============================================
[ 82.890906] WARNING: possible recursive locking detected
[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W
[ 82.890906] --------------------------------------------
[ 82.890906] ping/418 is trying to acquire lock:
[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:
__dev_queue_xmit+0x1778/0x3550
[ 82.890906]
[ 82.890906] but task is already holding lock:
[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:
__dev_queue_xmit+0x1778/0x3550
[ 82.890906]
[ 82.890906] other info that might help us debug this:
[ 82.890906] Possible unsafe locking scenario:
[ 82.890906]
[ 82.890906] CPU0
[ 82.890906] ----
[ 82.890906] lock(&sch->q.lock);
[ 82.890906] lock(&sch->q.lock);
[ 82.890906]
[ 82.890906] *** DEADLOCK ***
[ 82.890906]
[..... other info removed for brevity....]

Example setup (eth0->eth0) to recreate
tc qdisc add dev eth0 root handle 1: htb default 30
tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
action mirred egress redirect dev eth0

Another example(eth0->eth1->eth0) to recreate
tc qdisc add dev eth0 root handle 1: htb default 30
tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
action mirred egress redirect dev eth1

tc qdisc add dev eth1 root handle 1: htb default 30
tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \
action mirred egress redirect dev eth0

We fix this by adding an owner field (CPU id) to struct Qdisc set after
root qdisc is entered. When the softirq enters it a second time, if the
qdisc owner is the same CPU, the packet is dropped to break the loop.
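An added configuration check, not part of the advisory or the kernel patch: it reads `tc filter add` commands like those in the description and reports egress mirred targets that form a device loop (eth0->eth0 or eth0->eth1->eth0), the setup that deadlocks on kernels without the fix. The function names, the `SAMPLE` input and the rule of skipping filters marked `ingress` are assumptions of this example.

```python
import re
import shlex

# Constructed input: the two-device (eth0->eth1->eth0) setup from the description.
SAMPLE = r"""
tc qdisc add dev eth0 root handle 1: htb default 30
tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
    action mirred egress redirect dev eth1
tc qdisc add dev eth1 root handle 1: htb default 30
tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \
    action mirred egress redirect dev eth0
"""

def _after(tokens, word):
    """Return the token that follows `word`, or None if absent."""
    i = tokens.index(word) if word in tokens else -1
    return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None

def mirred_edges(script):
    """Map each filter's device to the devices its egress mirred actions target."""
    edges = {}
    folded = re.sub(r"\\[ \t]*\n", " ", script)  # join backslash continuations
    for line in folded.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:3] != ["tc", "filter", "add"] or "mirred" not in tok:
            continue
        cut = tok.index("mirred")
        head, act = tok[:cut], tok[cut:]
        src, dst = _after(head, "dev"), _after(act, "dev")
        # Simplification (assumption): filters explicitly marked ingress are skipped.
        if not src or not dst or "ingress" in head or act[1:2] != ["egress"]:
            continue
        edges.setdefault(src, set()).add(dst)
    return edges

def redirect_loops(edges):
    """Return every device cycle once, rotated to start at its smallest name."""
    loops = set()
    def walk(dev, path):
        for nxt in sorted(edges.get(dev, ())):
            if nxt in path:
                cyc = path[path.index(nxt):]
                k = cyc.index(min(cyc))
                loops.add(tuple(cyc[k:] + cyc[:k]))
            else:
                walk(nxt, path + [nxt])
    for dev in sorted(edges):
        walk(dev, [dev])
    return sorted(loops)
```

`redirect_loops(mirred_edges(SAMPLE))` returns one tuple per loop; a single-element tuple means a device redirects to itself.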

Vulnerable products and versions

CPE                                               From             Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.2 (including)  6.8.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*