In the Linux kernel, the following vulnerability has been resolved: ice:
fix vsi->txq_map sizing The approach of having XDP queue per CPU regardless
of user’s setting exposed a hidden bug that could occur in case when Rx
queue count differ from Tx queue count. Currently vsi->txq_map’s size is
equal to the doubled vsi->alloc_txq, which is not correct due to the fact
that XDP rings were previously based on the Rx queue count. Below splat can
be seen when ethtool -L is used and XDP rings are configured: [ 682.875339]
BUG: kernel NULL pointer dereference, address: 000000000000000f [
682.883403] #PF: supervisor read access in kernel mode [ 682.889345] #PF:
error_code(0x0000) - not-present page [ 682.895289] PGD 0 P4D 0 [
682.898218] Oops: 0000 [#1] PREEMPT SMP PTI [ 682.903055] CPU: 42 PID: 2878
Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1 [ 682.912214] Hardware name:
Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235
05/19/2016 [ 682.923380] RIP: 0010:devres_remove+0x44/0x130 [ 682.928527]
Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d
a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f <4c> 3b 63 10 74
25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8 [ 682.950237] RSP:
0018:ffffc90006a679f0 EFLAGS: 00010002 [ 682.956285] RAX: 0000000000000286
RBX: ffffffffffffffff RCX: ffff88908343a370 [ 682.964538] RDX:
0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000 [ 682.972789]
RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000 [
682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12:
ffffffff81690d60 [ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8
R15: ffff88908343a36c [ 682.997535] FS: 00007f08c7bfa740(0000)
GS:ffff88a03fd00000(0000) knlGS:0000000000000000 [ 683.006910] CS: 0010 DS:
0000 ES: 0000 CR0: 0000000080050033 [ 683.013557] CR2: 000000000000000f
CR3: 0000001080a66003 CR4: 00000000003706e0 [ 683.021819] DR0:
0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 683.030075]
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [
683.038336] Call Trace: [ 683.041167] devm_kfree+0x33/0x50 [ 683.045004]
ice_vsi_free_arrays+0x5e/0xc0 [ice] [ 683.050380]
ice_vsi_rebuild+0x4c8/0x750 [ice] [ 683.055543] ice_vsi_recfg_qs+0x9a/0x110
[ice] [ 683.060697] ice_set_channels+0x14f/0x290 [ice] [ 683.065962]
ethnl_set_channels+0x333/0x3f0 [ 683.070807]
genl_family_rcv_msg_doit+0xea/0x150 [ 683.076152] genl_rcv_msg+0xde/0x1d0 [
683.080289] ? channels_prepare_data+0x60/0x60 [ 683.085432] ?
genl_get_cmd+0xd0/0xd0 [ 683.089667] netlink_rcv_skb+0x50/0xf0 [
683.094006] genl_rcv+0x24/0x40 [ 683.097638] netlink_unicast+0x239/0x340 [
683.102177] netlink_sendmsg+0x22e/0x470 [ 683.106717]
sock_sendmsg+0x5e/0x60 [ 683.110756] __sys_sendto+0xee/0x150 [ 683.114894]
? handle_mm_fault+0xd0/0x2a0 [ 683.119535] ? do_user_addr_fault+0x1f3/0x690
[ 683.134173] __x64_sys_sendto+0x25/0x30 [ 683.148231]
do_syscall_64+0x3b/0xc0 [ 683.161992]
entry_SYSCALL_64_after_hwframe+0x44/0xae Fix this by taking into account
the value that num_possible_cpus() yields in addition to vsi->alloc_txq
instead of doubling the latter.
git.kernel.org/linus/792b2086584f25d84081a526beee80d103c2a913 (5.16-rc3)
git.kernel.org/stable/c/1eb5395add786613c7c5579d3947aa0b8f0ec241
git.kernel.org/stable/c/792b2086584f25d84081a526beee80d103c2a913
git.kernel.org/stable/c/992ba40a67638dfe2772b84dfc8168dc328d5c4c
launchpad.net/bugs/cve/CVE-2021-47562
nvd.nist.gov/vuln/detail/CVE-2021-47562
security-tracker.debian.org/tracker/CVE-2021-47562
www.cve.org/CVERecord?id=CVE-2021-47562