In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix tc flower deletion for VLAN priority Rx steering
To replicate the issue:-
1) Add 1 flower filter for VLAN Priority based frame steering:- $ IFDEVNAME=eth0 $ tc qdisc add dev $IFDEVNAME ingress $ tc qdisc add dev $IFDEVNAME root mqprio numtc 8 \ map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \ queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0 $ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \ flower vlanprio 0 hw_tc 0
2) Get the 'pref' id $ tc filter show dev $IFDEVNAME ingress
3) Delete a specific tc flower record (say pref 49151) $ tc filter del dev $IFDEVNAME parent ffff: pref 49151
From dmesg, we will observe kernel NULL pointer ooops
[ 197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 197.171367] #PF: supervisor read access in kernel mode [ 197.171367] #PF: error_code(0x0000) - not-present page [ 197.171367] PGD 0 P4D 0 [ 197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI
<snip>
[ 197.171367] RIP: 0010:tcsetupcls+0x20b/0x4a0 [stmmac]
<snip>
[ 197.171367] Call Trace: [ 197.171367] <TASK> [ 197.171367] ? _stmmacdisableallqueues+0xa8/0xe0 [stmmac] [ 197.171367] stmmacsetuptcblockcb+0x70/0x110 [stmmac] [ 197.171367] tcsetupcbdestroy+0xb3/0x180 [ 197.171367] flhwdestroyfilter+0x94/0xc0 [cls_flower]
The above issue is due to previous incorrect implementation of tcdelvlanflow(), shown below, that uses flowclsoffloadflowrule() to get struct flowrule *rule which is no longer valid for tc filter delete operation.
struct flowrule *rule = flowclsoffloadflowrule(cls); struct flowdissector *dissector = rule->match.dissector;
So, to ensure tcdelvlanflow() deletes the right VLAN cls record for earlier configured RX queue (configured by hwtc) in tcaddvlanflow(), this patch introduces stmmacrfsentry as driver-side flowcls_offload record for 'RX frame steering' tc flower, currently used for VLAN priority. The implementation has taken consideration for future extension to include other type RX frame steering such as EtherType based.
v2: - Clean up overly extensive backtrace and rewrite git message to better explain the kernel NULL pointer issue.