In the Linux kernel, the following vulnerability has been resolved:
ice: fix vsi->txq_map sizing
The approach of having XDP queue per CPU regardless of user's setting exposed a hidden bug that could occur in case when Rx queue count differ from Tx queue count. Currently vsi->txqmap's size is equal to the doubled vsi->alloctxq, which is not correct due to the fact that XDP rings were previously based on the Rx queue count. Below splat can be seen when ethtool -L is used and XDP rings are configured:
[ 682.875339] BUG: kernel NULL pointer dereference, address: 000000000000000f [ 682.883403] #PF: supervisor read access in kernel mode [ 682.889345] #PF: errorcode(0x0000) - not-present page [ 682.895289] PGD 0 P4D 0 [ 682.898218] Oops: 0000 [#1] PREEMPT SMP PTI [ 682.903055] CPU: 42 PID: 2878 Comm: ethtool Tainted: G OE 5.15.0-rc5+ #1 [ 682.912214] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016 [ 682.923380] RIP: 0010:devresremove+0x44/0x130 [ 682.928527] Code: 49 89 f4 55 48 89 fd 4c 89 ff 53 48 83 ec 10 e8 92 b9 49 00 48 8b 9d a8 02 00 00 48 8d 8d a0 02 00 00 49 89 c2 48 39 cb 74 0f <4c> 3b 63 10 74 25 48 8b 5b 08 48 39 cb 75 f1 4c 89 ff 4c 89 d6 e8 [ 682.950237] RSP: 0018:ffffc90006a679f0 EFLAGS: 00010002 [ 682.956285] RAX: 0000000000000286 RBX: ffffffffffffffff RCX: ffff88908343a370 [ 682.964538] RDX: 0000000000000001 RSI: ffffffff81690d60 RDI: 0000000000000000 [ 682.972789] RBP: ffff88908343a0d0 R08: 0000000000000000 R09: 0000000000000000 [ 682.981040] R10: 0000000000000286 R11: 3fffffffffffffff R12: ffffffff81690d60 [ 682.989282] R13: ffffffff81690a00 R14: ffff8890819807a8 R15: ffff88908343a36c [ 682.997535] FS: 00007f08c7bfa740(0000) GS:ffff88a03fd00000(0000) knlGS:0000000000000000 [ 683.006910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 683.013557] CR2: 000000000000000f CR3: 0000001080a66003 CR4: 00000000003706e0 [ 683.021819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 683.030075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 683.038336] Call Trace: [ 683.041167] devmkfree+0x33/0x50 [ 683.045004] icevsifreearrays+0x5e/0xc0 [ice] [ 683.050380] icevsirebuild+0x4c8/0x750 [ice] [ 683.055543] icevsirecfgqs+0x9a/0x110 [ice] [ 683.060697] icesetchannels+0x14f/0x290 [ice] [ 683.065962] ethnlsetchannels+0x333/0x3f0 [ 683.070807] genlfamilyrcvmsgdoit+0xea/0x150 [ 683.076152] genlrcvmsg+0xde/0x1d0 [ 683.080289] ? channelspreparedata+0x60/0x60 [ 683.085432] ? genlgetcmd+0xd0/0xd0 [ 683.089667] netlinkrcvskb+0x50/0xf0 [ 683.094006] genlrcv+0x24/0x40 [ 683.097638] netlinkunicast+0x239/0x340 [ 683.102177] netlinksendmsg+0x22e/0x470 [ 683.106717] socksendmsg+0x5e/0x60 [ 683.110756] _syssendto+0xee/0x150 [ 683.114894] ? handlemmfault+0xd0/0x2a0 [ 683.119535] ? douseraddrfault+0x1f3/0x690 [ 683.134173] _x64syssendto+0x25/0x30 [ 683.148231] dosyscall64+0x3b/0xc0 [ 683.161992] entrySYSCALL64after_hwframe+0x44/0xae
Fix this by taking into account the value that numpossiblecpus() yields in addition to vsi->alloc_txq instead of doubling the latter.