CVE-2024-26669: net/sched: flower: Fix chain template offload
In the Linux kernel, the following vulnerability has been resolved:
net/sched: flower: Fix chain template offload
The Linux kernel CVE team has assigned CVE-2024-26669 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024040237-CVE-2024-26669-ca3c@gregkh/T
Other sources
In the Linux kernel, the following vulnerability has been resolved:
net/sched: flower: Fix chain template offload
When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOWBLOCKUNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOWCLSDESTROY' command for each filter.
However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOWCLSTMPLTDESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2].
Fix by introducing a 'tmpltreoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOWCLSTMPLT{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one.
As far as I can tell, the issue happens since cited commit which reordered tcfblockoffloadunbind() before tcfblockflushallchains() in tcfblockput(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains.
[1] unreferenced object 0xffff888107e28800 (size 2048): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [] kmemcacheallocnode+0x1e8/0x320 [] kmalloc+0x4e/0x90 [] mlxswspaclrulesetget+0x34d/0x7a0 [] mlxswspflowertmpltcreate+0x145/0x180 [] mlxswspflowblockcb+0x1ea/0x280 [] tcsetupcbcall+0x183/0x340 [] fltmpltcreate+0x3da/0x4c0 [] tcctlchain+0xa15/0x1170 [] rtnetlinkrcvmsg+0x3cc/0xed0 [] netlinkrcvskb+0x170/0x440 [] netlinkunicast+0x540/0x820 [] netlinksendmsg+0x8d8/0xda0 [] syssendmsg+0x30f/0xa80 [] syssendmsg+0x13a/0x1e0 [] syssendmsg+0x11c/0x1f0 [] dosyscall64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... backtrace: [] kmemcacheallocnode+0x1e8/0x320 [] kmallocnode+0x51/0x90 [] kvmallocnode+0xa6/0x1f0 [] buckettablealloc.isra.0+0x83/0x460 [] rhashtableinit+0x43b/0x7c0 [] mlxswspaclrulesetget+0x428/0x7a0 [] mlxswspflowertmpltcreate+0x145/0x180 [] mlxswspflowblockcb+0x1ea/0x280 [] tcsetupcbcall+0x183/0x340 [] fltmpltcreate+0x3da/0x4c0 [] tcctlchain+0xa15/0x1170 [] rtnetlinkrcvmsg+0x3cc/0xed0 [] netlinkrcvskb+0x170/0x440 [] netlinkunicast+0x540/0x820 [] netlinksendmsg+0x8d8/0xda0 [] syssendmsg+0x30f/0xa80
[2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dstip 0.0.0.0/32 # tc qdisc del dev ---truncated---
— IBM
In the Linux kernel, the following vulnerability has been resolved:
net/sched: flower: Fix chain template offload
When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOWBLOCKUNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOWCLSDESTROY' command for each filter.
However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOWCLSTMPLTDESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2].
Fix by introducing a 'tmpltreoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOWCLSTMPLT{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one.
As far as I can tell, the issue happens since cited commit which reordered tcfblockoffloadunbind() before tcfblockflushallchains() in tcfblockput(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains.
[1] unreferenced object 0xffff888107e28800 (size 2048): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ backtrace: [<ffffffff81c06a68>] kmemcacheallocnode+0x1e8/0x320 [<ffffffff81ab374e>] kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxswspaclrulesetget+0x34d/0x7a0 [<ffffffff832bc195>] mlxswspflowertmpltcreate+0x145/0x180 [<ffffffff832b2e1a>] mlxswspflowblockcb+0x1ea/0x280 [<ffffffff83a10613>] tcsetupcbcall+0x183/0x340 [<ffffffff83a9f85a>] fltmpltcreate+0x3da/0x4c0 [<ffffffff83a22435>] tcctlchain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlinkrcvmsg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlinkrcvskb+0x170/0x440 [<ffffffff83ac6270>] netlinkunicast+0x540/0x820 [<ffffffff83ac6e28>] netlinksendmsg+0x8d8/0xda0 [<ffffffff83793def>] syssendmsg+0x30f/0xa80 [<ffffffff8379d29a>] syssendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] syssendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] dosyscall64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... backtrace: [<ffffffff81c06a68>] kmemcacheallocnode+0x1e8/0x320 [<ffffffff81ab36c1>] kmallocnode+0x51/0x90 [<ffffffff81a8ed96>] kvmallocnode+0xa6/0x1f0 [<ffffffff82827d03>] buckettablealloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtableinit+0x43b/0x7c0 [<ffffffff832aed48>] mlxswspaclrulesetget+0x428/0x7a0 [<ffffffff832bc195>] mlxswspflowertmpltcreate+0x145/0x180 [<ffffffff832b2e1a>] mlxswspflowblockcb+0x1ea/0x280 [<ffffffff83a10613>] tcsetupcbcall+0x183/0x340 [<ffffffff83a9f85a>] fltmpltcreate+0x3da/0x4c0 [<ffffffff83a22435>] tcctlchain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlinkrcvmsg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlinkrcvskb+0x170/0x440 [<ffffffff83ac6270>] netlinkunicast+0x540/0x820 [<ffffffff83ac6e28>] netlinksendmsg+0x8d8/0xda0 [<ffffffff83793def>] syssendmsg+0x30f/0xa80
[2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dstip 0.0.0.0/32 # tc qdisc del dev ---truncated---
— NVD
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-26669?
CVE-2024-26669 has been classified as a medium severity vulnerability in the Linux kernel.
How do I fix CVE-2024-26669?
To mitigate CVE-2024-26669, update the Linux kernel to versions 6.6.15, 6.7.3, 6.8, or specific Debian kernel versions including 5.10.223-1, 5.10.226-1, and 6.1.123-1.
What components are affected by CVE-2024-26669?
CVE-2024-26669 affects the flower scheduling component of the Linux kernel.
Is CVE-2024-26669 specific to any Linux distribution?
CVE-2024-26669 is primarily associated with Red Hat and Debian Linux distributions.
What impact does CVE-2024-26669 have on system security?
CVE-2024-26669 might allow an attacker to exploit offloading functionalities in the kernel, potentially leading to security breaches.