Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:net: switchdev: Convert blocking notification chain to a raw oneA blocking notification chain uses a read-write semaphore to protect theintegrity of the chain. The semaphore is acquired for writing whenadding / removing notifiers to / from the chain and acquired for readingwhen traversing the chain and informing notifiers about an event.In case of the blocking switchdev notification chain, recursivenotifications are possible which leads to the semaphore being acquiredtwice for reading and to lockdep warnings being generated [1].Specifically, this can happen when the bridge driver processes aSWITCHDEV_BRPORT_UNOFFLOADED event which causes it to emit notificationsabout deferred events when calling switchdev_deferred_process().Fix this by converting the notification chain to a raw notificationchain in a similar fashion to the netdev notification chain. Protectthe chain using the RTNL mutex by acquiring it when modifying the chain.Events are always informed under the RTNL mutex, but add an assertion incall_switchdev_blocking_notifiers() to make sure this is not violated inthe future.Maintain the "blocking" prefix as events are always emitted from processcontext and listeners are allowed to block.[1]:WARNING: possible recursive locking detected6.14.0-rc4-custom-g079270089484 #1 Not tainted--------------------------------------------ip/52731 is trying to acquire lock:ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0but task is already holding lock:ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0other info that might help us debug this:Possible unsafe locking scenario:CPU0----lock((switchdev_blocking_notif_chain).rwsem);lock((switchdev_blocking_notif_chain).rwsem);*** DEADLOCK ***May be due to missing lock nesting notation3 locks held by ip/52731: #0: ffffffff84f795b0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x727/0x1dc0 #1: ffffffff8731f628 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x790/0x1dc0 #2: ffffffff850918d8 ((switchdev_blocking_notif_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0stack backtrace:...? __pfx_down_read+0x10/0x10? __pfx_mark_lock+0x10/0x10? __pfx_switchdev_port_attr_set_deferred+0x10/0x10blocking_notifier_call_chain+0x58/0xa0switchdev_port_attr_notify.constprop.0+0xb3/0x1b0? __pfx_switchdev_port_attr_notify.constprop.0+0x10/0x10? mark_held_locks+0x94/0xe0? switchdev_deferred_process+0x11a/0x340switchdev_port_attr_set_deferred+0x27/0xd0switchdev_deferred_process+0x164/0x340br_switchdev_port_unoffload+0xc8/0x100 [bridge]br_switchdev_blocking_event+0x29f/0x580 [bridge]notifier_call_chain+0xa2/0x440blocking_notifier_call_chain+0x6e/0xa0switchdev_bridge_port_unoffload+0xde/0x1a0...
No PoCs from references.
- https://github.com/w4zu/Debian_security