CVE-2024-53044

In the Linux kernel, the following vulnerability has been resolved:

net/sched: schapi: fix xainsert() error path in tcfblockget_ext()

This command:

$ tc qdisc replace dev eth0 ingressblock 1 egressblock 1 clsact Error: block dev insert failed: -EBUSY.

fails because user space requests the same block index to be set for both ingress and egress.

[ side note, I don't think it even failed prior to commit 913b47d3424e ("net/sched: Introduce tc block netdev tracking infra"), because this is a command from an old set of notes of mine which used to work, but alas, I did not scientifically bisect this ]

The problem is not that it fails, but rather, that the second time around, it fails differently (and irrecoverably):

$ tc qdisc replace dev eth0 ingressblock 1 egressblock 1 clsact Error: dsa_core: Flow block cb is busy.

[ another note: the extack is added by me for illustration purposes. the context of the problem is that clsactinit() obtains the same &q->ingressblock pointer as &q->egressblock, and since we call tcfblockgetext() on both of them, "dev" will be added to the block->ports xarray twice, thus failing the operation: once through the ingress block pointer, and once again through the egress block pointer. the problem itself is that when xainsert() fails, we have emitted a FLOWBLOCKBIND command through ndosetuptc(), but the offload never sees a corresponding FLOWBLOCK_UNBIND. ]

Even correcting the bad user input, we still cannot recover:

$ tc qdisc replace dev swp3 ingressblock 1 egressblock 2 clsact Error: dsa_core: Flow block cb is busy.

Basically the only way to recover is to reboot the system, or unbind and rebind the net device driver.

To fix the bug, we need to fill the correct error teardown path which was missed during code movement, and call tcfblockoffloadunbind() when xainsert() fails.

[ last note, fundamentally I blame the label naming convention in tcfblockget_ext() for the bug. The labels should be named after what they do, not after the error path that jumps to them. This way, it is obviously wrong that two labels pointing to the same code mean something is wrong, and checking the code correctness at the goto site is also easier ]