Message ID | 20230509235043.69974-1-yuxuan.luo@canonical.com |
---|---|
Series | CVE-2022-4269 |
On 5/9/23 5:50 PM, Yuxuan Luo wrote:
> [Impact]
> A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using
> a specific networking configuration (redirecting egress packets to ingress
> using TC action "mirred") a local unprivileged user could trigger a CPU
> soft lockup (ABBA deadlock) when the transport protocol in use (TCP or
> SCTP) does a retransmission, resulting in a denial of service condition.
>
> [Backport]
> For Kinetic and Jammy, the fix commit is a clean cherry pick, but build error
> occurs at `mirred_nest_level` not found. In order to fix this problem, backport
> 78dcdffe0418 (“net/sched: act_mirred: better wording on protection against
> excessive stack growth”), this commit renamed some variables, which solves
> the error of the fix commit.
>
> For Focal, in addition to the commits above, three commits have to be backported
> to solve a conflict, 1d14b30b5a5e, fa6d639930ee, and ef816f3c49c1. Then,
> backport the part that affects `act_mirred.c` in the 26b537a88ca5 commit to
> introduce the required `tcf_action_inc_overlimit_qstats()` function.
>
> [Test]
> Compile and smoke tested.
>
> [Potential Regression]
> Expecting really low potential regression for Kinetic and Jammy as the two
> commits only refactor and add some checks.
> For Focal, the additional four commits mainly aim at refactoring and introduce
> a function that only has one caller, so the regression potential should not be
> higher by a significant amount.
>
> Davide Caratti (1):
>   act_mirred: use the backlog for nested calls to mirred ingress
>
>  net/sched/act_mirred.c                        |  7 +++
>  .../selftests/net/forwarding/tc_actions.sh    | 49 ++++++++++++++++++-
>  2 files changed, 55 insertions(+), 1 deletion(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 23-05-09 19:50:38, Yuxuan Luo wrote:
> [Impact]
> A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using
> a specific networking configuration (redirecting egress packets to ingress
> using TC action "mirred") a local unprivileged user could trigger a CPU
> soft lockup (ABBA deadlock) when the transport protocol in use (TCP or
> SCTP) does a retransmission, resulting in a denial of service condition.
>
> [Backport]
> For Kinetic and Jammy, the fix commit is a clean cherry pick, but build error
> occurs at `mirred_nest_level` not found. In order to fix this problem, backport
> 78dcdffe0418 (“net/sched: act_mirred: better wording on protection against
> excessive stack growth”), this commit renamed some variables, which solves
> the error of the fix commit.
>
> For Focal, in addition to the commits above, three commits have to be backported
> to solve a conflict, 1d14b30b5a5e, fa6d639930ee, and ef816f3c49c1. Then,
> backport the part that affects `act_mirred.c` in the 26b537a88ca5 commit to
> introduce the required `tcf_action_inc_overlimit_qstats()` function.
>
> [Test]
> Compile and smoke tested.
>
> [Potential Regression]
> Expecting really low potential regression for Kinetic and Jammy as the two
> commits only refactor and add some checks.
> For Focal, the additional four commits mainly aim at refactoring and introduce
> a function that only has one caller, so the regression potential should not be
> higher by a significant amount.
>
> Davide Caratti (1):
>   act_mirred: use the backlog for nested calls to mirred ingress

Acked-by: Cengiz Can <cengiz.can@canonical.com>

>
>  net/sched/act_mirred.c                        |  7 +++
>  .../selftests/net/forwarding/tc_actions.sh    | 49 ++++++++++++++++++-
>  2 files changed, 55 insertions(+), 1 deletion(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 10.05.23 01:50, Yuxuan Luo wrote:
> [Impact]
> A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using
> a specific networking configuration (redirecting egress packets to ingress
> using TC action "mirred") a local unprivileged user could trigger a CPU
> soft lockup (ABBA deadlock) when the transport protocol in use (TCP or
> SCTP) does a retransmission, resulting in a denial of service condition.
>
> [Backport]
> For Kinetic and Jammy, the fix commit is a clean cherry pick, but build error
> occurs at `mirred_nest_level` not found. In order to fix this problem, backport
> 78dcdffe0418 (“net/sched: act_mirred: better wording on protection against
> excessive stack growth”), this commit renamed some variables, which solves
> the error of the fix commit.
>
> For Focal, in addition to the commits above, three commits have to be backported
> to solve a conflict, 1d14b30b5a5e, fa6d639930ee, and ef816f3c49c1. Then,
> backport the part that affects `act_mirred.c` in the 26b537a88ca5 commit to
> introduce the required `tcf_action_inc_overlimit_qstats()` function.
>
> [Test]
> Compile and smoke tested.
>
> [Potential Regression]
> Expecting really low potential regression for Kinetic and Jammy as the two
> commits only refactor and add some checks.
> For Focal, the additional four commits mainly aim at refactoring and introduce
> a function that only has one caller, so the regression potential should not be
> higher by a significant amount.
>
> Davide Caratti (1):
>   act_mirred: use the backlog for nested calls to mirred ingress
>
>  net/sched/act_mirred.c                        |  7 +++
>  .../selftests/net/forwarding/tc_actions.sh    | 49 ++++++++++++++++++-
>  2 files changed, 55 insertions(+), 1 deletion(-)
>

Applied to kinetic:linux/master-next. But what is on the list does not apply cleanly to either Jammy or Focal. Jammy is minor in patch 1/2 and about Jammy not having defined the same tests...
For Focal I get the impression that you mention the absence of tcf_mirred_forward() but have not adjusted accordingly. Please submit those again in a manner that applies cleanly.

Thanks.

-Stefan
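A pre-submission check for the situation raised in the review above, as an added example that is not part of the thread or of any Ubuntu kernel tooling: it reports which identifiers named in the cover letter and the review are absent from a kernel tree. The helper names (`has_symbol`, `missing_prereqs`, `make_sample_tree`), the directories searched and the sample tree contents are assumptions constructed for illustration; the symbol names and commit ids are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Symbol names and commit ids come
# from the cover letter and review; search paths are an assumption.

# has_symbol TREE SYMBOL: succeed if SYMBOL occurs as a whole word under
# net/sched or include/net of TREE.
has_symbol() {
    grep -rqw -- "$2" "$1/net/sched" "$1/include/net" 2>/dev/null
}

# missing_prereqs TREE: print "symbol<TAB>hint" for each identifier the
# thread depends on that TREE does not contain.
missing_prereqs() {
    tree=$1
    while IFS='|' read -r sym hint; do
        has_symbol "$tree" "$sym" || printf '%s\t%s\n' "$sym" "$hint"
    done <<'EOF'
mirred_nest_level|renamed by 78dcdffe0418
tcf_action_inc_overlimit_qstats|introduced by 26b537a88ca5
tcf_mirred_forward|absence on Focal raised in review
EOF
}

# make_sample_tree: build a constructed miniature tree (not real kernel
# source) that has two of the three identifiers, and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/net/sched" "$d/include/net"
    printf '%s\n' 'static unsigned int mirred_nest_level;' \
        'static int tcf_mirred_forward(void);' > "$d/net/sched/act_mirred.c"
    printf '%s\n' "$d"
}

# Usage: sh check.sh /path/to/kernel/tree
if [ $# -gt 0 ]; then
    missing_prereqs "$1"
fi
```

An empty report means every identifier was found; it does not replace applying the series to each target branch before resubmitting.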