Oracle Linux: (CVE-2023-52578) (Multiple Advisories): kernel update

Description

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: use DEV_STATS_INC()

syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]

This function can run from multiple cpus without mutual exclusion.

Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.

Handles updates to dev->stats.tx_dropped while we are at it.

[1]

BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish

read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:

br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189

br_nf_hook_thresh+0x1ed/0x220

br_nf_pre_routing_finish_ipv6+0x50f/0x540

NF_HOOK include/linux/netfilter.h:304 [inline]

br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178

br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508

nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]

nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]

br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417

__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417

__netif_receive_skb_one_core net/core/dev.c:5521 [inline]

__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637

process_backlog+0x21f/0x380 net/core/dev.c:5965

__napi_poll+0x60/0x3b0 net/core/dev.c:6527

napi_poll net/core/dev.c:6594 [inline]

net_rx_action+0x32b/0x750 net/core/dev.c:6727

__do_softirq+0xc1/0x265 kernel/softirq.c:553

run_ksoftirqd+0x17/0x20 kernel/softirq.c:921

smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164

kthread+0x1d7/0x210 kernel/kthread.c:388

ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147

ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:

br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189

br_nf_hook_thresh+0x1ed/0x220

br_nf_pre_routing_finish_ipv6+0x50f/0x540

NF_HOOK include/linux/netfilter.h:304 [inline]

br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178

br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508

nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]

nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]

br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417

__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417

__netif_receive_skb_one_core net/core/dev.c:5521 [inline]

__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637

process_backlog+0x21f/0x380 net/core/dev.c:5965

__napi_poll+0x60/0x3b0 net/core/dev.c:6527

napi_poll net/core/dev.c:6594 [inline]

net_rx_action+0x32b/0x750 net/core/dev.c:6727

__do_softirq+0xc1/0x265 kernel/softirq.c:553

do_softirq+0x5e/0x90 kernel/softirq.c:454

__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381

__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]

_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210

spin_unlock_bh include/linux/spinlock.h:396 [inline]

batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356

batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560

process_one_work kernel/workqueue.c:2630 [inline]

process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703

worker_thread+0x525/0x730 kernel/workqueue.c:2784

kthread+0x1d7/0x210 kernel/kthread.c:388

ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147

ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

value changed: 0x00000000000d7190 -> 0x00000000000d7191

Reported by Kernel Concurrency Sanitizer on:

CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0