CVE-2022-48719

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work<br /> <br /> syzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]:<br /> <br /> kworker/0:16/14617 is trying to acquire lock:<br /> ffffffff8d4dd370 (&amp;tbl-&gt;lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652<br /> [...]<br /> but task is already holding lock:<br /> ffffffff8d4dd370 (&amp;tbl-&gt;lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572<br /> <br /> The neighbor entry turned to NUD_FAILED state, where __neigh_event_send()<br /> triggered an immediate probe as per commit cd28ca0a3dd1 ("neigh: reduce<br /> arp latency") via neigh_probe() given table lock was held.<br /> <br /> One option to fix this situation is to defer the neigh_probe() back to<br /> the neigh_timer_handler() similarly as pre cd28ca0a3dd1. For the case<br /> of NTF_MANAGED, this deferral is acceptable given this only happens on<br /> actual failure state and regular / expected state is NUD_VALID with the<br /> entry already present.<br /> <br /> The fix adds a parameter to __neigh_event_send() in order to communicate<br /> whether immediate probe is allowed or disallowed. Existing call-sites<br /> of neigh_event_send() default as-is to immediate probe. However, the<br /> neigh_managed_work() disables it via use of neigh_event_send_probe().<br /> <br /> [0] <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106<br /> print_deadlock_bug kernel/locking/lockdep.c:2956 [inline]<br /> check_deadlock kernel/locking/lockdep.c:2999 [inline]<br /> validate_chain kernel/locking/lockdep.c:3788 [inline]<br /> __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027<br /> lock_acquire kernel/locking/lockdep.c:5639 [inline]<br /> lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604<br /> __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline]<br /> _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334<br /> ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652<br /> ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123<br /> __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]<br /> __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170<br /> ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201<br /> NF_HOOK_COND include/linux/netfilter.h:296 [inline]<br /> ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224<br /> dst_output include/net/dst.h:451 [inline]<br /> NF_HOOK include/linux/netfilter.h:307 [inline]<br /> ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508<br /> ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650<br /> ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742<br /> neigh_probe+0xc2/0x110 net/core/neighbour.c:1040<br /> __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201<br /> neigh_event_send include/net/neighbour.h:470 [inline]<br /> neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574<br /> process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307<br /> worker_thread+0x657/0x1110 kernel/workqueue.c:2454<br /> kthread+0x2e9/0x3a0 kernel/kthread.c:377<br /> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295<br />