Message ID: 20240501220907.23629-1-bethany.jamison@canonical.com
Series: CVE-2024-26803
On 01-05-24 17:09:06, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> net: veth: clear GRO when clearing XDP even when down
>
> veth sets NETIF_F_GRO automatically when XDP is enabled,
> because both features use the same NAPI machinery.
>
> The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which
> is called both on ndo_stop and when XDP is turned off.
> To avoid the flag from being cleared when the device is brought
> down, the clearing is skipped when IFF_UP is not set.
> Bringing the device down should indeed not modify its features.
>
> Unfortunately, this means that clearing is also skipped when
> XDP is disabled _while_ the device is down. And there's nothing
> on the open path to bring the device features back into sync.
> IOW if user enables XDP, disables it and then brings the device
> up we'll end up with a stray GRO flag set but no NAPI instances.
>
> We don't depend on the GRO flag on the datapath, so the datapath
> won't crash. We will crash (or hang), however, next time features
> are sync'ed (either by user via ethtool or peer changing its config).
> The GRO flag will go away, and veth will try to disable the NAPIs.
> But the open path never created them since XDP was off, the GRO flag
> was a stray. If NAPI was initialized before we'll hang in napi_disable().
> If it never was we'll crash trying to stop uninitialized hrtimer.
>
> Move the GRO flag updates to the XDP enable / disable paths,
> instead of mixing them with the ndo_open / ndo_close paths.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy: pending
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the veth (virtual ethernet) driver, an
> issue with this fix would be visible to the user via a system crash.
>
> Jakub Kicinski (1):
> net: veth: clear GRO when clearing XDP even when down

Acked-by: Cengiz Can <cengiz.can@canonical.com>

> drivers/net/veth.c | 35 +++++++++++++++++------------------
> 1 file changed, 17 insertions(+), 18 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
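The failure sequence from the quoted cover letter as an added toy model (not kernel code and not part of this thread): a veth device reduced to its up/down flag, GRO feature bit, XDP program and NAPI instances, with the old and the fixed XDP-disable path side by side. Field and function names are simplified stand-ins for the driver's own, chosen only to follow the report's reasoning.

```c
#include <stdbool.h>
enum { IFF_UP = 1, NETIF_F_GRO = 2 };
struct veth {
    unsigned flags, features, wanted_features; /* up/down, advertised, user-requested */
    bool xdp_prog, napi_on;                    /* XDP attached, NAPI instances exist */
};
static bool gro_requested(const struct veth *d) { return d->wanted_features & NETIF_F_GRO; }
static void xdp_enable(struct veth *d) {
    d->xdp_prog = true;
    d->features |= NETIF_F_GRO;                /* XDP implies GRO */
    if (d->flags & IFF_UP) d->napi_on = true;
}
/* Old path: GRO cleared only while up, because the same teardown also runs on
 * ndo_stop and must not change features then. Skipped entirely when down. */
static void xdp_disable_old(struct veth *d) {
    d->xdp_prog = false;
    if (!(d->flags & IFF_UP)) return;
    d->napi_on = false;
    if (!gro_requested(d)) d->features &= ~NETIF_F_GRO;
}
/* Fixed path: the GRO bit follows the XDP program whether or not the device is up. */
static void xdp_disable_new(struct veth *d) {
    d->xdp_prog = false;
    if (d->flags & IFF_UP) d->napi_on = false;
    if (!gro_requested(d)) d->features &= ~NETIF_F_GRO;
}
static void dev_open(struct veth *d) {
    d->flags |= IFF_UP;                        /* NAPI only for XDP or wanted GRO */
    if (d->xdp_prog || gro_requested(d)) d->napi_on = true;
}
static void dev_close(struct veth *d) {
    d->flags &= ~IFF_UP;
    d->napi_on = false;                        /* NAPI torn down; features untouched */
}
/* Feature resync (ethtool or peer change): advertised-but-unwanted GRO is dropped and
 * veth tears NAPI down. Returns true when no NAPI exists at that point (the report's
 * napi_disable() hang / uninitialised-hrtimer crash). */
static bool resync_hits_missing_napi(struct veth *d) {
    if (!(d->features & NETIF_F_GRO) || gro_requested(d)) return false;
    d->features &= ~NETIF_F_GRO;
    bool unsafe = !d->napi_on; d->napi_on = false; return unsafe;
}
/* Report sequence: XDP on, device down, XDP off while down, device up, resync. */
static bool reproduce(void (*xdp_disable)(struct veth *)) {
    struct veth d = {0};
    dev_open(&d); xdp_enable(&d); dev_close(&d);
    xdp_disable(&d); dev_open(&d);
    return resync_hits_missing_napi(&d);
}
```

With the old disable path the resync reaches NAPI teardown with no NAPI present; with the fixed path the stray GRO bit never survives the XDP removal, so the resync has nothing to drop.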
On 02.05.24 00:09, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> net: veth: clear GRO when clearing XDP even when down
>
> veth sets NETIF_F_GRO automatically when XDP is enabled,
> because both features use the same NAPI machinery.
>
> The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which
> is called both on ndo_stop and when XDP is turned off.
> To avoid the flag from being cleared when the device is brought
> down, the clearing is skipped when IFF_UP is not set.
> Bringing the device down should indeed not modify its features.
>
> Unfortunately, this means that clearing is also skipped when
> XDP is disabled _while_ the device is down. And there's nothing
> on the open path to bring the device features back into sync.
> IOW if user enables XDP, disables it and then brings the device
> up we'll end up with a stray GRO flag set but no NAPI instances.
>
> We don't depend on the GRO flag on the datapath, so the datapath
> won't crash. We will crash (or hang), however, next time features
> are sync'ed (either by user via ethtool or peer changing its config).
> The GRO flag will go away, and veth will try to disable the NAPIs.
> But the open path never created them since XDP was off, the GRO flag
> was a stray. If NAPI was initialized before we'll hang in napi_disable().
> If it never was we'll crash trying to stop uninitialized hrtimer.
>
> Move the GRO flag updates to the XDP enable / disable paths,
> instead of mixing them with the ndo_open / ndo_close paths.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy: pending
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the veth (virtual ethernet) driver, an
> issue with this fix would be visible to the user via a system crash.
>
> Jakub Kicinski (1):
> net: veth: clear GRO when clearing XDP even when down
>
> drivers/net/veth.c | 35 +++++++++++++++++------------------
> 1 file changed, 17 insertions(+), 18 deletions(-)

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 02/05/2024 00:09, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> net: veth: clear GRO when clearing XDP even when down
>
> veth sets NETIF_F_GRO automatically when XDP is enabled,
> because both features use the same NAPI machinery.
>
> The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which
> is called both on ndo_stop and when XDP is turned off.
> To avoid the flag from being cleared when the device is brought
> down, the clearing is skipped when IFF_UP is not set.
> Bringing the device down should indeed not modify its features.
>
> Unfortunately, this means that clearing is also skipped when
> XDP is disabled _while_ the device is down. And there's nothing
> on the open path to bring the device features back into sync.
> IOW if user enables XDP, disables it and then brings the device
> up we'll end up with a stray GRO flag set but no NAPI instances.
>
> We don't depend on the GRO flag on the datapath, so the datapath
> won't crash. We will crash (or hang), however, next time features
> are sync'ed (either by user via ethtool or peer changing its config).
> The GRO flag will go away, and veth will try to disable the NAPIs.
> But the open path never created them since XDP was off, the GRO flag
> was a stray. If NAPI was initialized before we'll hang in napi_disable().
> If it never was we'll crash trying to stop uninitialized hrtimer.
>
> Move the GRO flag updates to the XDP enable / disable paths,
> instead of mixing them with the ndo_open / ndo_close paths.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy: pending
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the veth (virtual ethernet) driver, an
> issue with this fix would be visible to the user via a system crash.
>
> Jakub Kicinski (1):
> net: veth: clear GRO when clearing XDP even when down
>
> drivers/net/veth.c | 35 +++++++++++++++++------------------
> 1 file changed, 17 insertions(+), 18 deletions(-)

Applied to mantic:linux master-next branch. Thanks!