CVE-2021-47592

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
19/06/2024
Last modified:
06/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix tc flower deletion for VLAN priority Rx steering

To replicate the issue:

1) Add 1 flower filter for VLAN Priority based frame steering:

   $ IFDEVNAME=eth0
   $ tc qdisc add dev $IFDEVNAME ingress
   $ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \
       map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \
       queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0
   $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \
       flower vlan_prio 0 hw_tc 0

2) Get the 'pref' id

   $ tc filter show dev $IFDEVNAME ingress

3) Delete a specific tc flower record (say pref 49151)

   $ tc filter del dev $IFDEVNAME parent ffff: pref 49151

From dmesg, we will observe a kernel NULL pointer oops:

   [ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000
   [ 197.171367] #PF: supervisor read access in kernel mode
   [ 197.171367] #PF: error_code(0x0000) - not-present page
   [ 197.171367] PGD 0 P4D 0
   [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI
   [ 197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]
   [ 197.171367] Call Trace:
   [ 197.171367] ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]
   [ 197.171367] stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]
   [ 197.171367] tc_setup_cb_destroy+0xb3/0x180
   [ 197.171367] fl_hw_destroy_filter+0x94/0xc0 [cls_flower]

The above issue is due to the previous incorrect implementation of
tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()
to get struct flow_rule *rule, which is no longer valid for the tc filter
delete operation.

   struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
   struct flow_dissector *dissector = rule->match.dissector;

So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for the
earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),
this patch introduces stmmac_rfs_entry as a driver-side flow_cls_offload
record for 'RX frame steering' tc flower, currently used for VLAN
priority. The implementation has taken into consideration future extension
to include other types of RX frame steering such as EtherType based.

v2:
- Clean up overly extensive backtrace and rewrite git message to better
  explain the kernel NULL pointer issue.
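The root cause and the shape of the fix, as an added illustrative model (not the stmmac driver's code): on FLOW_CLS_DESTROY the classifier hands the driver only the filter cookie, so `cls->rule` is NULL and the old `rule->match.dissector` read faults; the fix keeps a driver-side record of each offloaded rule at add time and matches on the cookie at delete time. All type names, the table size and the cookie value 0x1234 are constructed stand-ins for the kernel structures the commit message names.

```c
/* Simplified model of the stmmac fix (example code, not kernel code). */
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>

enum flow_cls_command { FLOW_CLS_REPLACE, FLOW_CLS_DESTROY };

struct flow_rule { int vlan_prio; };      /* stands in for rule->match */

struct flow_cls_offload {
    enum flow_cls_command command;
    unsigned long cookie;                 /* stable identity of the tc filter */
    struct flow_rule *rule;               /* populated on REPLACE, NULL on DESTROY */
};

/* Stand-in for the kernel helper the buggy delete path relied on. */
static struct flow_rule *flow_cls_offload_flow_rule(struct flow_cls_offload *cls)
{
    return cls->rule;                     /* NULL for a DESTROY command */
}

/* Driver-side record, in the spirit of the patch's stmmac_rfs_entry. */
#define RFS_MAX 8                         /* constructed table size */
struct rfs_entry { bool in_use; unsigned long cookie; int vlan_prio; int rx_queue; };
static struct rfs_entry rfs_table[RFS_MAX];

/* Add path: the rule is valid here, so record what we need for later. */
int tc_add_vlan_flow(struct flow_cls_offload *cls, int rx_queue)
{
    struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
    for (int i = 0; i < RFS_MAX; i++) {
        if (rfs_table[i].in_use)
            continue;
        rfs_table[i] = (struct rfs_entry){ true, cls->cookie, rule->vlan_prio, rx_queue };
        return 0;
    }
    return -ENOSPC;
}

/* Fixed delete path: look up our own record by cookie; never touch cls->rule. */
int tc_del_vlan_flow(struct flow_cls_offload *cls)
{
    for (int i = 0; i < RFS_MAX; i++) {
        if (rfs_table[i].in_use && rfs_table[i].cookie == cls->cookie) {
            rfs_table[i].in_use = false;  /* real driver clears the HW queue mapping here */
            return 0;
        }
    }
    return -ENOENT;
}

/* Bookkeeping check: how many steering records are currently active. */
int rfs_active_count(void)
{
    int n = 0;
    for (int i = 0; i < RFS_MAX; i++)
        n += rfs_table[i].in_use;
    return n;
}
```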

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.13 (including) 5.15.11 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:*