ghsa-rxwh-225r-76q6
Vulnerability from github
Published
2024-07-29 18:30
Modified
2024-07-30 21:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

ionic: use dev_consume_skb_any outside of napi

If we're not in a NAPI softirq context, we need to be careful about how we call napi_consume_skb(), specifically we need to call it with budget==0 to signal to it that we're not in a safe context.

This was found while running some configuration stress testing of traffic and a change queue config loop running, and this curious note popped out:

[ 4371.402645] BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/20545 [ 4371.402897] caller is napi_skb_cache_put+0x16/0x80 [ 4371.403120] CPU: 25 PID: 20545 Comm: ethtool Kdump: loaded Tainted: G OE 6.10.0-rc3-netnext+ #8 [ 4371.403302] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 01/23/2021 [ 4371.403460] Call Trace: [ 4371.403613] [ 4371.403758] dump_stack_lvl+0x4f/0x70 [ 4371.403904] check_preemption_disabled+0xc1/0xe0 [ 4371.404051] napi_skb_cache_put+0x16/0x80 [ 4371.404199] ionic_tx_clean+0x18a/0x240 [ionic] [ 4371.404354] ionic_tx_cq_service+0xc4/0x200 [ionic] [ 4371.404505] ionic_tx_flush+0x15/0x70 [ionic] [ 4371.404653] ? ionic_lif_qcq_deinit.isra.23+0x5b/0x70 [ionic] [ 4371.404805] ionic_txrx_deinit+0x71/0x190 [ionic] [ 4371.404956] ionic_reconfigure_queues+0x5f5/0xff0 [ionic] [ 4371.405111] ionic_set_ringparam+0x2e8/0x3e0 [ionic] [ 4371.405265] ethnl_set_rings+0x1f1/0x300 [ 4371.405418] ethnl_default_set_doit+0xbb/0x160 [ 4371.405571] genl_family_rcv_msg_doit+0xff/0x130 [...]

I found that ionic_tx_clean() calls napi_consume_skb() which calls napi_skb_cache_put(), but before that last call is the note / Zero budget indicate non-NAPI context called us, like netpoll / and DEBUG_NET_WARN_ON_ONCE(!in_softirq());

Those are pretty big hints that we're doing it wrong. We can pass a context hint down through the calls to let ionic_tx_clean() know what we're doing so it can call napi_consume_skb() correctly.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-42071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-834"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T16:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: use dev_consume_skb_any outside of napi\n\nIf we\u0027re not in a NAPI softirq context, we need to be careful\nabout how we call napi_consume_skb(), specifically we need to\ncall it with budget==0 to signal to it that we\u0027re not in a\nsafe context.\n\nThis was found while running some configuration stress testing\nof traffic and a change queue config loop running, and this\ncurious note popped out:\n\n[ 4371.402645] BUG: using smp_processor_id() in preemptible [00000000] code: ethtool/20545\n[ 4371.402897] caller is napi_skb_cache_put+0x16/0x80\n[ 4371.403120] CPU: 25 PID: 20545 Comm: ethtool Kdump: loaded Tainted: G           OE      6.10.0-rc3-netnext+ #8\n[ 4371.403302] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 01/23/2021\n[ 4371.403460] Call Trace:\n[ 4371.403613]  \u003cTASK\u003e\n[ 4371.403758]  dump_stack_lvl+0x4f/0x70\n[ 4371.403904]  check_preemption_disabled+0xc1/0xe0\n[ 4371.404051]  napi_skb_cache_put+0x16/0x80\n[ 4371.404199]  ionic_tx_clean+0x18a/0x240 [ionic]\n[ 4371.404354]  ionic_tx_cq_service+0xc4/0x200 [ionic]\n[ 4371.404505]  ionic_tx_flush+0x15/0x70 [ionic]\n[ 4371.404653]  ? ionic_lif_qcq_deinit.isra.23+0x5b/0x70 [ionic]\n[ 4371.404805]  ionic_txrx_deinit+0x71/0x190 [ionic]\n[ 4371.404956]  ionic_reconfigure_queues+0x5f5/0xff0 [ionic]\n[ 4371.405111]  ionic_set_ringparam+0x2e8/0x3e0 [ionic]\n[ 4371.405265]  ethnl_set_rings+0x1f1/0x300\n[ 4371.405418]  ethnl_default_set_doit+0xbb/0x160\n[ 4371.405571]  genl_family_rcv_msg_doit+0xff/0x130\n\t[...]\n\nI found that ionic_tx_clean() calls napi_consume_skb() which calls\nnapi_skb_cache_put(), but before that last call is the note\n    /* Zero budget indicate non-NAPI context called us, like netpoll */\nand\n    DEBUG_NET_WARN_ON_ONCE(!in_softirq());\n\nThose are pretty big hints that we\u0027re doing it wrong.  We can pass a\ncontext hint down through the calls to let ionic_tx_clean() know what\nwe\u0027re doing so it can call napi_consume_skb() correctly.",
  "id": "GHSA-rxwh-225r-76q6",
  "modified": "2024-07-30T21:31:26Z",
  "published": "2024-07-29T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42071"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84b767f9e34fdb143c09e66a2a20722fc2921821"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef7646ed49fff962e97b276f4ab91327a67eeb5a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.