cve/published/2021/CVE-2021-47619.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47619: i40e: Fix queues reservation for XDP

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 i40e: Fix queues reservation for XDP

 When XDP was configured on a system with large number of CPUs
 and X722 NIC there was a call trace with NULL pointer dereference.

 i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12
 i40e 0000:87:00.0: setup of MAIN VSI failed

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]
 Call Trace:
 ? i40e_reconfig_rss_queues+0x130/0x130 [i40e]
 dev_xdp_install+0x61/0xe0
 dev_xdp_attach+0x18a/0x4c0
 dev_change_xdp_fd+0x1e6/0x220
 do_setlink+0x616/0x1030
 ? ahci_port_stop+0x80/0x80
 ? ata_qc_issue+0x107/0x1e0
 ? lock_timer_base+0x61/0x80
 ? __mod_timer+0x202/0x380
 rtnl_setlink+0xe5/0x170
 ? bpf_lsm_binder_transaction+0x10/0x10
 ? security_capable+0x36/0x50
 rtnetlink_rcv_msg+0x121/0x350
 ? rtnl_calcit.isra.0+0x100/0x100
 netlink_rcv_skb+0x50/0xf0
 netlink_unicast+0x1d3/0x2a0
 netlink_sendmsg+0x22a/0x440
 sock_sendmsg+0x5e/0x60
 __sys_sendto+0xf0/0x160
 ? __sys_getsockname+0x7e/0xc0
 ? _copy_from_user+0x3c/0x80
 ? __sys_setsockopt+0xc8/0x1a0
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f83fa7a39e0

 This was caused by PF queue pile fragmentation due to
 flow director VSI queue being placed right after main VSI.
 Because of this main VSI was not able to resize its
 queue allocation for XDP resulting in no queues allocated
 for main VSI when XDP was turned on.

 Fix this by always allocating last queue in PF queue pile
 for a flow director VSI.

 The Linux kernel CVE team has assigned CVE-2021-47619 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 4.19.228 with commit d46fa4ea9756ef6cbcf9752d0832cc66e2d7121b
 	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.4.176 with commit be6998f232b8e4ca8225029e305b8329d89bfd59
 	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.10.96 with commit 768eb705e6381f0c70ca29d4e66f19790d5d19a1
 	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.15.19 with commit 00eddb0e4ea115154581d1049507a996acfc2d3e
 	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.16.5 with commit 4b3aa858268b7b9aeef02e5f9c4cd8f8fac101c8
 	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.17 with commit 92947844b8beee988c0ce17082b705c2f75f0742

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47619
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/i40e/i40e_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d46fa4ea9756ef6cbcf9752d0832cc66e2d7121b
 	https://git.kernel.org/stable/c/be6998f232b8e4ca8225029e305b8329d89bfd59
 	https://git.kernel.org/stable/c/768eb705e6381f0c70ca29d4e66f19790d5d19a1
 	https://git.kernel.org/stable/c/00eddb0e4ea115154581d1049507a996acfc2d3e
 	https://git.kernel.org/stable/c/4b3aa858268b7b9aeef02e5f9c4cd8f8fac101c8
 	https://git.kernel.org/stable/c/92947844b8beee988c0ce17082b705c2f75f0742
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47619: i40e: Fix queues reservation for XDP

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	i40e: Fix queues reservation for XDP

	When XDP was configured on a system with large number of CPUs
	and X722 NIC there was a call trace with NULL pointer dereference.

	i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12
	i40e 0000:87:00.0: setup of MAIN VSI failed

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]
	Call Trace:
	? i40e_reconfig_rss_queues+0x130/0x130 [i40e]
	dev_xdp_install+0x61/0xe0
	dev_xdp_attach+0x18a/0x4c0
	dev_change_xdp_fd+0x1e6/0x220
	do_setlink+0x616/0x1030
	? ahci_port_stop+0x80/0x80
	? ata_qc_issue+0x107/0x1e0
	? lock_timer_base+0x61/0x80
	? __mod_timer+0x202/0x380
	rtnl_setlink+0xe5/0x170
	? bpf_lsm_binder_transaction+0x10/0x10
	? security_capable+0x36/0x50
	rtnetlink_rcv_msg+0x121/0x350
	? rtnl_calcit.isra.0+0x100/0x100
	netlink_rcv_skb+0x50/0xf0
	netlink_unicast+0x1d3/0x2a0
	netlink_sendmsg+0x22a/0x440
	sock_sendmsg+0x5e/0x60
	__sys_sendto+0xf0/0x160
	? __sys_getsockname+0x7e/0xc0
	? _copy_from_user+0x3c/0x80
	? __sys_setsockopt+0xc8/0x1a0
	__x64_sys_sendto+0x20/0x30
	do_syscall_64+0x33/0x40
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	RIP: 0033:0x7f83fa7a39e0

	This was caused by PF queue pile fragmentation due to
	flow director VSI queue being placed right after main VSI.
	Because of this main VSI was not able to resize its
	queue allocation for XDP resulting in no queues allocated
	for main VSI when XDP was turned on.

	Fix this by always allocating last queue in PF queue pile
	for a flow director VSI.

	The Linux kernel CVE team has assigned CVE-2021-47619 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 4.19.228 with commit d46fa4ea9756ef6cbcf9752d0832cc66e2d7121b
	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.4.176 with commit be6998f232b8e4ca8225029e305b8329d89bfd59
	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.10.96 with commit 768eb705e6381f0c70ca29d4e66f19790d5d19a1
	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.15.19 with commit 00eddb0e4ea115154581d1049507a996acfc2d3e
	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.16.5 with commit 4b3aa858268b7b9aeef02e5f9c4cd8f8fac101c8
	Issue introduced in 3.12 with commit 41c445ff0f482bb6e6b72dcee9e598e20575f743 and fixed in 5.17 with commit 92947844b8beee988c0ce17082b705c2f75f0742

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47619
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/i40e/i40e_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d46fa4ea9756ef6cbcf9752d0832cc66e2d7121b
	https://git.kernel.org/stable/c/be6998f232b8e4ca8225029e305b8329d89bfd59
	https://git.kernel.org/stable/c/768eb705e6381f0c70ca29d4e66f19790d5d19a1
	https://git.kernel.org/stable/c/00eddb0e4ea115154581d1049507a996acfc2d3e
	https://git.kernel.org/stable/c/4b3aa858268b7b9aeef02e5f9c4cd8f8fac101c8
	https://git.kernel.org/stable/c/92947844b8beee988c0ce17082b705c2f75f0742