[RFC PATCH 6.1.y] net/sched: act_mirred: don't override retval if we already lost the skb
From: Jakub Kicinski kuba@kernel.org
[ Upstream commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 ]
If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF.
Move the retval override to the error path which actually need it.
Reviewed-by: Michal Swiatkowski michal.swiatkowski@linux.intel.com Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") Signed-off-by: Jakub Kicinski kuba@kernel.org Acked-by: Jamal Hadi Salim jhs@mojatatu.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Jianqi Ren jianqi.ren.cn@windriver.com Signed-off-by: He Zhe zhe.he@windriver.com --- Verified the build test --- net/sched/act_mirred.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index 36395e5db3b4..24c70ba6eebc 100644 --- a/net/sched/act_mirred.c +++ b/net/sched/act_mirred.c @@ -259,13 +259,13 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, dev = rcu_dereference_bh(m->tcfm_dev); if (unlikely(!dev)) { pr_notice_once("tc mirred: target device is gone\n"); - goto out; + goto err_cant_do; }
if (unlikely(!(dev->flags & IFF_UP)) || !netif_carrier_ok(dev)) { net_notice_ratelimited("tc mirred to Houston: device %s is down\n", dev->name); - goto out; + goto err_cant_do; }
/* we could easily avoid the clone only if called by ingress and clsact; @@ -279,7 +279,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, if (!use_reinsert) { skb2 = skb_clone(skb, GFP_ATOMIC); if (!skb2) - goto out; + goto err_cant_do; }
want_ingress = tcf_mirred_act_wants_ingress(m_eaction); @@ -321,12 +321,16 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, }
err = tcf_mirred_forward(want_ingress, skb2); - if (err) { -out: + if (err) tcf_action_inc_overlimit_qstats(&m->common); - if (tcf_mirred_is_act_redirect(m_eaction)) - retval = TC_ACT_SHOT; - } + __this_cpu_dec(mirred_nest_level); + + return retval; + +err_cant_do: + if (tcf_mirred_is_act_redirect(m_eaction)) + retval = TC_ACT_SHOT; + tcf_action_inc_overlimit_qstats(&m->common); __this_cpu_dec(mirred_nest_level);
return retval;
On Wed, Mar 19, 2025 at 09:22:25AM +0800, jianqi.ren.cn@windriver.com wrote:
From: Jakub Kicinski kuba@kernel.org
[ Upstream commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 ]
If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF.
Move the retval override to the error path which actually need it.
Reviewed-by: Michal Swiatkowski michal.swiatkowski@linux.intel.com Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") Signed-off-by: Jakub Kicinski kuba@kernel.org Acked-by: Jamal Hadi Salim jhs@mojatatu.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Jianqi Ren jianqi.ren.cn@windriver.com Signed-off-by: He Zhe zhe.he@windriver.com
Verified the build test
Sorry if it is obvious, but I'm confused by the intention of posting an RFC for stable. Are you asking for buy-in regarding backporting this patch to 6.1.y because for some reason it hasn't already propagated there?
The context of this patch is changed compared with the original fix. Adding RFC means that I want to let the author or other experts to make a possible review to make sure the logic is right.
-----Original Message----- From: Simon Horman horms@kernel.org Sent: Saturday, March 22, 2025 02:01 To: Ren, Jianqi (Jacky) (CN) Jianqi.Ren.CN@windriver.com Cc: stable@vger.kernel.org; patches@lists.linux.dev; gregkh@linuxfoundation.org; linux-kernel@vger.kernel.org; jhs@mojatatu.com; xiyou.wangcong@gmail.com; jiri@resnulli.us; davem@davemloft.net; edumazet@google.com; kuba@kernel.org; pabeni@redhat.com; netdev@vger.kernel.org; michal.swiatkowski@linux.intel.com Subject: Re: [RFC PATCH 6.1.y] net/sched: act_mirred: don't override retval if we already lost the skb
CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe.
On Wed, Mar 19, 2025 at 09:22:25AM +0800, jianqi.ren.cn@windriver.com wrote:
From: Jakub Kicinski kuba@kernel.org
[ Upstream commit 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210 ]
If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode to SHOT. If we have called tcf_mirred_forward(), however, the skb is out of our hands and returning SHOT will lead to UaF.
Move the retval override to the error path which actually need it.
Reviewed-by: Michal Swiatkowski michal.swiatkowski@linux.intel.com Fixes: e5cf1baf92cb ("act_mirred: use TC_ACT_REINSERT when possible") Signed-off-by: Jakub Kicinski kuba@kernel.org Acked-by: Jamal Hadi Salim jhs@mojatatu.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Jianqi Ren jianqi.ren.cn@windriver.com Signed-off-by: He Zhe zhe.he@windriver.com
Verified the build test
Sorry if it is obvious, but I'm confused by the intention of posting an RFC for stable. Are you asking for buy-in regarding backporting this patch to 6.1.y because for some reason it hasn't already propagated there?
linux-stable-mirror@lists.linaro.org
-
jianqi.ren.cn@windriver.com -
Ren, Jianqi (Jacky) (CN)
-
Simon Horman