CVE-2024-58071

In the Linux kernel, the following vulnerability has been resolved:

team: prevent adding a device which is already a team device lower

Prevent adding a device which is already a team device lower, e.g. adding veth0 if vlan1 was already added and veth0 is a lower of vlan1.

This is not useful in practice and can lead to recursive locking:

$ ip link add veth0 type veth peer name veth1 $ ip link set veth0 up $ ip link set veth1 up $ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1 $ ip link add team0 type team $ ip link set veth0.1 down $ ip link set veth0.1 master team0 team0: Port device veth0.1 added $ ip link set veth0 down $ ip link set veth0 master team0

============================================ WARNING: possible recursive locking detected

6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted

ip/7684 is trying to acquire lock: ffff888016848e00 (team->teamlockkey){+.+.}-{4:4}, at: teamdeviceevent (drivers/net/team/teamcore.c:2928 drivers/net/team/teamcore.c:2951 drivers/net/team/team_core.c:2973)

but task is already holding lock: ffff888016848e00 (team->teamlockkey){+.+.}-{4:4}, at: teamaddslave (drivers/net/team/teamcore.c:1147 drivers/net/team/teamcore.c:1977)

other info that might help us debug this: Possible unsafe locking scenario:

CPU0

lock(team->teamlockkey); lock(team->teamlockkey);

*** DEADLOCK ***

May be due to missing lock nesting notation

2 locks held by ip/7684:

stack backtrace: CPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dumpstacklvl (lib/dumpstack.c:122) printdeadlock_bug.cold (kernel/locking/lockdep.c:3040) __lockacquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226) ? netlinkbroadcastfiltered (net/netlink/afnetlink.c:1548) lockacquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851) ? teamdeviceevent (drivers/net/team/teamcore.c:2928 drivers/net/team/teamcore.c:2951 drivers/net/team/teamcore.c:2973) ? tracelockacquire (./include/trace/events/lock.h:24 (discriminator 2)) ? teamdeviceevent (drivers/net/team/teamcore.c:2928 drivers/net/team/teamcore.c:2951 drivers/net/team/teamcore.c:2973) ? lockacquire (kernel/locking/lockdep.c:5822) ? teamdeviceevent (drivers/net/team/teamcore.c:2928 drivers/net/team/teamcore.c:2951 drivers/net/team/team_core.c:2973) __mutexlock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735) ? teamdeviceevent (drivers/net/team/teamcore.c:2928 drivers/net/team/teamcore.c:2951 drivers/net/team/teamcore.c:2973) ? teamdeviceevent (drivers/net/team/teamcore.c:2928 drivers/net/team/teamcore.c:2951 drivers/net/team/teamcore.c:2973) ? fibsyncup (net/ipv4/fibsemantics.c:2167) ? teamdeviceevent (drivers/net/team/teamcore.c:2928 drivers/net/team/teamcore.c:2951 drivers/net/team/teamcore.c:2973) teamdeviceevent (drivers/net/team/teamcore.c:2928 drivers/net/team/teamcore.c:2951 drivers/net/team/teamcore.c:2973) notifiercallchain (kernel/notifier.c:85) callnetdevicenotifiers_info (net/core/dev.c:1996) __devnotifyflags (net/core/dev.c:8993) ? __devchangeflags (net/core/dev.c:8975) devchangeflags (net/core/dev.c:9027) vlandeviceevent (net/8021q/vlan.c:85 net/8021q/vlan.c:470) ? brdeviceevent (net/bridge/br.c:143) notifiercallchain (kernel/notifier.c:85) callnetdevicenotifiersinfo (net/core/dev.c:1996) devopen (net/core/dev.c:1519 net/core/dev.c:1505) teamaddslave (drivers/net/team/teamcore.c:1219 drivers/net/team/teamcore.c:1977) ? _pfxteamaddslave (drivers/net/team/teamcore.c:1972) dosetmaster (net/core/rtnetlink.c:2917) dosetlink.isra.0 (net/core/rtnetlink.c:3117)