The Linux kernel `ice` Ethernet driver contains a NULL pointer dereference in its AF_XDP (zero-copy) Tx handling. The bug was introduced in version 5.12 by commit c7a219048e45 and fixed in versions 5.12.10 and 5.13.
The Tx cleanup path for a ring was chosen based only on whether an XDP program was attached to the VSI: with a program loaded, `xsk_pool` on the `ice_ring` is set, so `ice_clean_tx_irq_zc` runs instead of `ice_clean_tx_irq` even for a queue whose AF_XDP socket is in copy mode and was never configured for zero copy. Running `xdpsock` in the txonly or l2fwd scenarios in copy mode therefore dereferences a NULL pointer.
The fix introduces a bitmap that tracks which queues have AF_XDP zero copy enabled, one bit per queue ID. `ice_xsk_pool_enable` sets the queue's bit, `ice_xsk_pool_disable` clears it, and `ice_xsk_pool()` returns a pool only for queues whose bit is set, so a copy-mode socket no longer steers the ring onto the zero-copy cleanup path. The i40e and ixgbe drivers already track zero-copy queues the same way.
The affected files are `drivers/net/ethernet/intel/ice/ice.h`, `drivers/net/ethernet/intel/ice/ice_lib.c`, and `drivers/net/ethernet/intel/ice/ice_xsk.c`. The Linux kernel CVE team recommends updating to the latest stable kernel version rather than backporting the individual change, as individual changes are not tested or supported.
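To make the failure mode and the bitmap fix concrete, the following is a reduced model written for this page; it is not the ice driver's code. The structures, the `zc_state` field, the `scenario()` helper and the assumption that the AF_XDP core registers a pool at the netdev for a copy-mode socket (while only calling the driver's enable hook for a zero-copy bind) are simplifications made for the model. It contrasts the pre-fix `ice_xsk_pool()` logic, gated on the XDP program alone, with the post-fix logic that also consults the per-queue bitmap, and shows which Tx cleaner each one selects.

```c
/* Model of ice Tx-ring cleanup dispatch before and after the bitmap fix.
 * Illustration only: names and behaviour are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_QUEUES 16 /* model size; keeps the bitmap within one unsigned long */

struct xsk_buff_pool { unsigned int qid; };

/* Stand-in for the netdev-level table that xsk_get_pool_from_qid() reads. */
struct netdev {
    struct xsk_buff_pool *pool[MAX_QUEUES];
};

struct ice_vsi {
    struct netdev *netdev;
    bool xdp_prog;               /* an XDP program is attached to the VSI */
    unsigned long af_xdp_zc_qps; /* the fix: one bit per queue id */
};

struct ice_ring {
    struct ice_vsi *vsi;
    unsigned int q_index;
    void *zc_state;              /* stand-in for ZC-only per-ring state */
};

enum tx_clean_path { CLEAN_TX_IRQ = 0, CLEAN_TX_IRQ_ZC = 1 };

static struct xsk_buff_pool *xsk_get_pool_from_qid(struct netdev *dev, unsigned int qid)
{
    return qid < MAX_QUEUES ? dev->pool[qid] : NULL;
}

/* Before the fix: any registered pool is returned once an XDP program exists. */
static struct xsk_buff_pool *ice_xsk_pool_before(struct ice_ring *ring)
{
    if (!ring->vsi->xdp_prog)
        return NULL;
    return xsk_get_pool_from_qid(ring->vsi->netdev, ring->q_index);
}

/* After the fix: the queue's bit in af_xdp_zc_qps must also be set. */
static struct xsk_buff_pool *ice_xsk_pool_after(struct ice_ring *ring)
{
    struct ice_vsi *vsi = ring->vsi;

    if (!vsi->xdp_prog || !(vsi->af_xdp_zc_qps & (1UL << ring->q_index)))
        return NULL;
    return xsk_get_pool_from_qid(vsi->netdev, ring->q_index);
}

/* Driver-side enable/disable: the only place ZC state is built or torn
 * down, and where the fix sets/clears the queue's bit. */
static void ice_xsk_pool_enable(struct ice_ring *ring, struct xsk_buff_pool *pool)
{
    ring->zc_state = pool; /* model: ZC-only state now exists */
    ring->vsi->af_xdp_zc_qps |= 1UL << ring->q_index;
}

static void ice_xsk_pool_disable(struct ice_ring *ring)
{
    ring->zc_state = NULL;
    ring->vsi->af_xdp_zc_qps &= ~(1UL << ring->q_index);
}

/* Modelled AF_XDP core bind (assumption): the pool is registered at the
 * netdev in both modes; the driver's enable hook runs only for zero copy. */
static void xsk_bind(struct ice_ring *ring, struct xsk_buff_pool *pool, bool zero_copy)
{
    ring->vsi->netdev->pool[ring->q_index] = pool;
    if (zero_copy)
        ice_xsk_pool_enable(ring, pool);
}

/* Dispatch as the Tx IRQ handler would. Returns the cleaner chosen, or -1
 * where the real ZC cleaner would dereference NULL per-ring ZC state. */
static int ice_clean_tx(struct ice_ring *ring, bool fixed)
{
    struct xsk_buff_pool *pool = fixed ? ice_xsk_pool_after(ring)
                                       : ice_xsk_pool_before(ring);

    if (!pool)
        return CLEAN_TX_IRQ;
    if (!ring->zc_state)
        return -1;
    return CLEAN_TX_IRQ_ZC;
}

/* XDP program loaded, xdpsock bound to queue 3 in copy or zero-copy mode,
 * optionally torn down again; returns the ice_clean_tx() result. */
static int scenario(bool zero_copy_bind, bool disable_again, bool fixed)
{
    struct netdev dev = { { NULL } };
    struct ice_vsi vsi = { .netdev = &dev, .xdp_prog = true };
    struct ice_ring ring = { .vsi = &vsi, .q_index = 3 };
    struct xsk_buff_pool pool = { .qid = 3 };

    xsk_bind(&ring, &pool, zero_copy_bind);
    if (disable_again)
        ice_xsk_pool_disable(&ring);
    return ice_clean_tx(&ring, fixed);
}

int main(void)
{
    printf("copy mode, before fix: %d\n", scenario(false, false, false)); /* -1: NULL deref */
    printf("copy mode, after fix:  %d\n", scenario(false, false, true));  /* 0: ice_clean_tx_irq */
    printf("zero copy, after fix:  %d\n", scenario(true, false, true));   /* 1: ice_clean_tx_irq_zc */
    return 0;
}
```

The point the model isolates is that "an XDP program is loaded" is not evidence that a given queue was set up for zero copy; the driver has to record that itself at the place where it actually builds the zero-copy state, which is what the bitmap does.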