CVE-2024-50042

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix increasing MSI-X on VF

Increasing MSI-X value on a VF leads to invalid memory operations. This is caused by not reallocating some arrays.

Reproducer: modprobe ice echo 0 > /sys/bus/pci/devices/$PFPCI/sriovdriversautoprobe echo 1 > /sys/bus/pci/devices/$PFPCI/sriovnumvfs echo 17 > /sys/bus/pci/devices/$VF0PCI/sriovvfmsix_count

Default MSI-X is 16, so 17 and above triggers this issue.

KASAN reports:

BUG: KASAN: slab-out-of-bounds in icevsiallocringstats+0x38d/0x4b0 [ice] Read of size 8 at addr ffff8888b937d180 by task bash/28433 (...)

Call Trace: (...) ? icevsiallocringstats+0x38d/0x4b0 [ice] kasanreport+0xed/0x120 ? icevsiallocringstats+0x38d/0x4b0 [ice] icevsiallocringstats+0x38d/0x4b0 [ice] icevsicfgdef+0x3360/0x4770 [ice] ? mutex_unlock+0x83/0xd0 ? __pfxicevsicfgdef+0x10/0x10 [ice] ? _pfxiceremovevsilkupfltr+0x10/0x10 [ice] icevsicfg+0x7f/0x3b0 [ice] icevfreconfigvsi+0x114/0x210 [ice] icesriovsetmsixveccount+0x3d0/0x960 [ice] sriovvfmsixcountstore+0x21c/0x300 (...)

Allocated by task 28201: (...) icevsicfgdef+0x1c8e/0x4770 [ice] icevsicfg+0x7f/0x3b0 [ice] icevsisetup+0x179/0xa30 [ice] icesriovconfigure+0xcaa/0x1520 [ice] sriovnumvfs_store+0x212/0x390 (...)

To fix it, use icevsirebuild() instead of icevfreconfigvsi(). This causes the required arrays to be reallocated taking the new queue count into account (icevsireallocstatarrays()). Set reqtxq and reqrxq before icevsi_rebuild(), so that realloc uses the newly set queue count.

Additionally, icevsirebuild() does not remove VSI filters (icefltrremoveall()), so icevfinithost_cfg() is no longer necessary.