Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following commands: tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1 Will trigger the following splat with list debug turned on: [ 59.279014][ T365] ------------[ cut here ]------------ [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. [ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220 [ 59.280860][ T365] Modules linked in: [ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary) [ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220 [ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44 ... [ 59.288812][ T365] Call Trace: [ 59.289056][ T365] <TASK> [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80 [ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0 [ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10 [ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240 [ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10 [ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.292313][ T365] ? trace_contention_end+0xc8/0x110 [ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0 Fix this by always checking and removing an ets class from the active list when changing it to strict. [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
Product status
f517335a61ff8037b18ba1b0a002c1f82926a934 (git) before 58fdce6bc005e964f1dbc3ca716f5fe0f68839a2
cd9b50adc6bb9ad3f7d244590a389522215865c4 (git) before 02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87
cd9b50adc6bb9ad3f7d244590a389522215865c4 (git) before 8067db5c95aab9461d23117679338cd8869831fa
cd9b50adc6bb9ad3f7d244590a389522215865c4 (git) before 2f125ebe47d6369e562f3cbd9b6227cff51eaf34
cd9b50adc6bb9ad3f7d244590a389522215865c4 (git) before cca2ed931b734fe48139bc6f020e47367346630f
cd9b50adc6bb9ad3f7d244590a389522215865c4 (git) before 43d9a530c8c094d137159784e7c951c65f11ec6c
cd9b50adc6bb9ad3f7d244590a389522215865c4 (git) before b1e125ae425aba9b45252e933ca8df52a843ec70
d05330672afe2e142ba97e63bd7c1faef76781bb (git)
5.14
Any version before 5.14
5.10.248 (semver)
5.15.198 (semver)
6.1.160 (semver)
6.6.120 (semver)
6.12.64 (semver)
6.18.3 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2
git.kernel.org/...c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87
git.kernel.org/...c/8067db5c95aab9461d23117679338cd8869831fa
git.kernel.org/...c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34
git.kernel.org/...c/cca2ed931b734fe48139bc6f020e47367346630f
git.kernel.org/...c/43d9a530c8c094d137159784e7c951c65f11ec6c
git.kernel.org/...c/b1e125ae425aba9b45252e933ca8df52a843ec70