In the Linux kernel, the following vulnerability has been resolved:
ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup
The ixgbe driver currently generates a NULL pointer dereference on some machines (online cpus < 63). This is due to the fact that the maximum value of num_xdp_queues is nr_cpu_ids. Code is in "ixgbe_set_rss_queues".
Here is how to reproduce the problem: on a machine with online cpus < 63, the user sets num_queues to 63 through ethtool. Code is in "ixgbe_set_channels":
    adapter->ring_feature[RING_F_FDIR].limit = count;
It becomes 63.
When the user uses XDP, "ixgbe_set_rss_queues" will set the queue numbers:
    adapter->num_rx_queues = rss_i;
    adapter->num_tx_queues = rss_i;
    adapter->num_xdp_queues = ixgbe_xdp_queues(adapter);
And rss_i's value comes from:
    f = &adapter->ring_feature[RING_F_FDIR];
    rss_i = f->indices = f->limit;
So "num_rx_queues" > "num_xdp_queues"; when execution reaches "ixgbe_xdp_setup":
    for (i = 0; i < adapter->num_rx_queues; i++)
        if (adapter->xdp_ring[i]->xsk_umem)
it leads to a panic.
Call trace:
[exception RIP: ixgbe_xdp+368]
RIP: ffffffffc02a76a0  RSP: ffff9fe16202f8d0  RFLAGS: 00010297
RAX: 0000000000000000  RBX: 0000000000000020  RCX: 0000000000000000
RDX: 0000000000000000  RSI: 000000000000001c  RDI: ffffffffa94ead90
RBP: ffff92f8f24c0c18  R8:  0000000000000000  R9:  0000000000000000
R10: ffff9fe16202f830  R11: 0000000000000000  R12: ffff92f8f24c0000
R13: ffff9fe16202fc01  R14: 000000000000000a  R15: ffffffffc02a7530
ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc
 8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808
 9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235
10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384
11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd
12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb
13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88
14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319
15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290
16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8
17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64
18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9
19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c
So I fix ixgbe_max_channels so that it will not allow a queue setting higher than num_online_cpus(). And when execution reaches ixgbe_xdp_setup, take the smaller value of num_rx_queues and num_xdp_queues.
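The queue-count divergence and both halves of the fix, as an added C model that is not the driver's code: the adapter struct, the 64-slot ring array and the 63-queue ceiling are constructed stand-ins for the fields the report names, set_channels_unfixed/set_channels_fixed and first_null_ring are hypothetical names, and the loop checks a slot for NULL instead of dereferencing it so the scenario can run in user space.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the adapter state the report describes. Not ixgbe's
 * code: field names follow the report, array size and ceiling are assumed. */
#define MAX_RINGS  64   /* assumed size of the xdp_ring pointer array */
#define FDIR_LIMIT 63   /* the 63-queue ceiling named in the report */

struct xdp_ring { bool xsk_umem; };   /* stands in for the xsk_umem pointer */

struct adapter {
    int num_online_cpus;   /* stands in for num_online_cpus() / nr_cpu_ids */
    int fdir_limit;        /* ring_feature[RING_F_FDIR].limit */
    int num_rx_queues;
    int num_xdp_queues;
    struct xdp_ring *xdp_ring[MAX_RINGS];
};

static int min_int(int a, int b) { return a < b ? a : b; }

static void adapter_free(struct adapter *a)
{
    for (int i = 0; i < MAX_RINGS; i++) { free(a->xdp_ring[i]); a->xdp_ring[i] = NULL; }
}

/* Models ixgbe_set_rss_queues: rx queues follow the ethtool limit, XDP
 * queues are additionally capped by the CPU count, so the two diverge.
 * Only num_xdp_queues rings are allocated; the remaining slots stay NULL. */
static void model_set_rss_queues(struct adapter *a)
{
    adapter_free(a);
    a->num_rx_queues  = a->fdir_limit;
    a->num_xdp_queues = min_int(a->fdir_limit, a->num_online_cpus);
    for (int i = 0; i < a->num_xdp_queues; i++)
        a->xdp_ring[i] = calloc(1, sizeof(struct xdp_ring));
}

/* ethtool -L handling before the fix: the cap ignores the CPU count. */
static int set_channels_unfixed(struct adapter *a, int count)
{
    if (count < 1 || count > FDIR_LIMIT)
        return -EINVAL;
    a->fdir_limit = count;
    model_set_rss_queues(a);
    return 0;
}

/* After the ixgbe_max_channels fix: counts above the online CPUs are refused. */
static int set_channels_fixed(struct adapter *a, int count)
{
    if (count < 1 || count > min_int(FDIR_LIMIT, a->num_online_cpus))
        return -EINVAL;
    a->fdir_limit = count;
    model_set_rss_queues(a);
    return 0;
}

/* Walks the first n xdp_ring slots the way the ixgbe_xdp_setup loop does,
 * but tests for NULL instead of dereferencing: returns the index the real
 * loop would have oopsed on, or -1 if every visited slot holds a ring. */
static int first_null_ring(const struct adapter *a, int n)
{
    for (int i = 0; i < n && i < MAX_RINGS; i++)
        if (a->xdp_ring[i] == NULL)
            return i;
    return -1;
}

/* The report's scenario: 8 online CPUs, user requests 63 queues. Returns the
 * oops index under the old loop bound, or -1 once the bound is min(rx, xdp). */
static int scenario_unfixed(bool loop_uses_min)
{
    struct adapter a = { .num_online_cpus = 8 };
    if (set_channels_unfixed(&a, 63) != 0)
        return -2;
    int n = loop_uses_min ? min_int(a.num_rx_queues, a.num_xdp_queues)
                          : a.num_rx_queues;
    int idx = first_null_ring(&a, n);
    adapter_free(&a);
    return idx;
}

/* Same 8-CPU box against the fixed ethtool path: returns its error code. */
static int scenario_fixed_request(int count)
{
    struct adapter a = { .num_online_cpus = 8 };
    int rc = set_channels_fixed(&a, count);
    adapter_free(&a);
    return rc;
}

int main(void)
{
    printf("old bound: NULL at %d; min bound: %d; fixed rc(63)=%d rc(8)=%d\n",
           scenario_unfixed(false), scenario_unfixed(true),
           scenario_fixed_request(63), scenario_fixed_request(8));
    return 0;
}
```

On the 8-CPU model the old loop bound reaches slot 8, the first slot with no ring, which is the point the real driver dereferenced NULL; bounding the loop by the smaller of the two counts never leaves the allocated rings, and the ethtool-side clamp refuses the 63-queue request outright so the two counts cannot diverge in the first place.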