Centos-kernel-stream-9/net/core
Augusto Caringi 463c9bde75 Merge: CVE-2025-21806: net: let net.core.dev_weight always be non-zero
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6495

JIRA: https://issues.redhat.com/browse/RHEL-81686
CVE: CVE-2025-21806

```
commit d1f9f79fa2af8e3b45cffdeef66e05833480148a
Author: Liu Jian <liujian56@huawei.com>
Date:   Thu Jan 16 22:30:53 2025 +0800

    net: let net.core.dev_weight always be non-zero

    The following problem was encountered during stability test:

    (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \
            returned 1, exceeding its budget of 0.
    ------------[ cut here ]------------
    list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \
            next=ffff88905f746e40.
    WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \
            __list_add_valid_or_report+0xf3/0x130
    CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+
    RIP: 0010:__list_add_valid_or_report+0xf3/0x130
    Call Trace:
    ? __warn+0xcd/0x250
    ? __list_add_valid_or_report+0xf3/0x130
    enqueue_to_backlog+0x923/0x1070
    netif_rx_internal+0x92/0x2b0
    __netif_rx+0x15/0x170
    loopback_xmit+0x2ef/0x450
    dev_hard_start_xmit+0x103/0x490
    __dev_queue_xmit+0xeac/0x1950
    ip_finish_output2+0x6cc/0x1620
    ip_output+0x161/0x270
    ip_push_pending_frames+0x155/0x1a0
    raw_sendmsg+0xe13/0x1550
    __sys_sendto+0x3bf/0x4e0
    __x64_sys_sendto+0xdc/0x1b0
    do_syscall_64+0x5b/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

    The reproduction command is as follows:
      sysctl -w net.core.dev_weight=0
      ping 127.0.0.1

    This is because when the napi's weight is set to 0, process_backlog() may
    return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this
    napi to be re-polled in net_rx_action() until __do_softirq() times out.
    Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can
    be retriggered in enqueue_to_backlog(), causing this issue.

    Making the napi's weight always non-zero solves this problem.

    Triggering this issue requires system-wide admin (setting is
    not namespaced).

    Fixes: e387660545 ("[NET]: Fix sysctl net.core.dev_weight")
    Fixes: 3d48b53fb2 ("net: dev_weight: TX/RX orthogonality")
    Signed-off-by: Liu Jian <liujian56@huawei.com>
    Link: https://patch.msgid.link/20250116143053.4146855-1-liujian56@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
```

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

---

<small>Created 2025-02-28 05:35 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small>

Approved-by: Antoine Tenart <atenart@redhat.com>
Approved-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Augusto Caringi <acaringi@redhat.com>
2025-04-24 12:23:26 -03:00
Makefile
bpf_sk_storage.c bpf: Remove unnecessary BTF lookups in bpf_sk_storage_tracing_allowed 2025-03-06 16:33:54 +00:00
datagram.c
dev.c Merge: dev: Acquire netdev_rename_lock before restoring dev->name in dev_change_name(). 2025-02-13 02:24:34 -05:00
dev.h net: free altname using an RCU callback 2024-10-24 16:14:43 +02:00
dev_addr_lists.c
dev_addr_lists_test.c
dev_ioctl.c Merge: CNB96: netdev_features: start cleaning netdev_features_t up 2024-10-20 09:09:03 +00:00
drop_monitor.c net: move from strlcpy with unused retval to strscpy 2024-10-24 15:55:36 +02:00
dst.c net: do not delay dst_entries_add() in dst_release() 2024-11-15 10:40:32 +01:00
dst_cache.c
failover.c
fib_notifier.c
fib_rules.c
filter.c rhel-only: Fix up kfunc definitions in filter.c 2025-01-28 12:51:55 +01:00
flow_dissector.c flow_dissector: set encapsulation control flags for non-IP 2024-10-21 16:23:54 +02:00
flow_offload.c
gen_estimator.c
gen_stats.c
gro.c
gro_cells.c
gso.c
hwbm.c
link_watch.c net: linkwatch: use system_unbound_wq 2024-11-15 09:21:36 +01:00
lwt_bpf.c
lwtunnel.c
neighbour.c
net-procfs.c
net-sysfs.c net: napi: Prevent overflow of napi_defer_hard_irqs 2024-11-05 10:51:34 +01:00
net-sysfs.h
net-traces.c
net_namespace.c net: initialize net->notrefcnt_tracker earlier 2025-01-31 06:45:49 -05:00
netclassid_cgroup.c
netdev-genl-gen.c netdev: support dumping a single netdev in qstats 2024-12-10 10:37:53 +01:00
netdev-genl-gen.h
netdev-genl.c netdev-genl: Hold rcu_read_lock in napi_get 2024-12-10 10:37:56 +01:00
netevent.c
netpoll.c net: move from strlcpy with unused retval to strscpy 2024-10-24 15:55:36 +02:00
netprio_cgroup.c
of_net.c
page_pool.c Merge: CNB96: page_pool: update to v6.12 2024-11-27 11:19:28 +00:00
page_pool_priv.h
page_pool_user.c netdev: let netlink core handle -EMSGSIZE errors 2024-11-20 10:13:44 +01:00
pktgen.c pktgen: use cpus_read_lock() in pg_net_init() 2024-11-15 09:21:37 +01:00
ptp_classifier.c
request_sock.c
rtnetlink.c net: fix crash when config small gso_max_size/gso_ipv4_max_size 2024-12-10 10:37:56 +01:00
scm.c
secure_seq.c
selftests.c
skbuff.c Merge: io_uring: Update to upstream v6.10 + fixes 2025-01-13 18:58:47 +00:00
skmsg.c
sock.c net: add a refcount tracker for kernel sockets 2025-01-31 06:45:48 -05:00
sock_destructor.h
sock_diag.c
sock_map.c bpf, sockmap: Fix race between element replace and close() 2025-01-09 17:43:24 +01:00
sock_reuseport.c
stream.c
sysctl_net_core.c net: let net.core.dev_weight always be non-zero 2025-02-28 05:35:40 +00:00
timestamping.c net: Change the API of PHY default timestamp to MAC 2024-10-01 12:19:15 +02:00
tso.c
utils.c
xdp.c net: skbuff: drop the word head from skb cache 2024-11-28 16:03:44 -05:00