cve/published/2024/CVE-2024-40907.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40907: ionic: fix kernel panic in XDP_TX action

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ionic: fix kernel panic in XDP_TX action

 In the XDP_TX path, ionic driver sends a packet to the TX path with rx
 page and corresponding dma address.
 After tx is done, ionic_tx_clean() frees that page.
 But RX ring buffer isn't reset to NULL.
 So, it uses a freed page, which causes kernel panic.

 BUG: unable to handle page fault for address: ffff8881576c110c
 PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060
 Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
 CPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11
 Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
 RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
 Code: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8
 RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283
 RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002
 RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e
 RBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23
 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8
 R13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100
 FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0
 PKRU: 55555554
 Call Trace:
 <TASK>
 ? __die+0x20/0x70
 ? page_fault_oops+0x254/0x790
 ? __pfx_page_fault_oops+0x10/0x10
 ? __pfx_is_prefetch.constprop.0+0x10/0x10
 ? search_bpf_extables+0x165/0x260
 ? fixup_exception+0x4a/0x970
 ? exc_page_fault+0xcb/0xe0
 ? asm_exc_page_fault+0x22/0x30
 ? 0xffffffffc0051f64
 ? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
 ? do_raw_spin_unlock+0x54/0x220
 ionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 ionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
 __napi_poll.constprop.0+0xa0/0x440
 net_rx_action+0x7e7/0xc30
 ? __pfx_net_rx_action+0x10/0x10

 The Linux kernel CVE team has assigned CVE-2024-40907 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.9 with commit 8eeed8373e1cca836799bf8e4a05cffa8e444908 and fixed in 6.9.6 with commit 8812aa35f3e930f61074b9c1ecea26f354992c21
 	Issue introduced in 6.9 with commit 8eeed8373e1cca836799bf8e4a05cffa8e444908 and fixed in 6.10 with commit 491aee894a08bc9b8bb52e7363b9d4bc6403f363

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40907
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/pensando/ionic/ionic_txrx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21
 	https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40907: ionic: fix kernel panic in XDP_TX action

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ionic: fix kernel panic in XDP_TX action

	In the XDP_TX path, ionic driver sends a packet to the TX path with rx
	page and corresponding dma address.
	After tx is done, ionic_tx_clean() frees that page.
	But RX ring buffer isn't reset to NULL.
	So, it uses a freed page, which causes kernel panic.

	BUG: unable to handle page fault for address: ffff8881576c110c
	PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060
	Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
	CPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11
	Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
	RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
	Code: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8
	RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283
	RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002
	RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e
	RBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23
	R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8
	R13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100
	FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0
	PKRU: 55555554
	Call Trace:
	<TASK>
	? __die+0x20/0x70
	? page_fault_oops+0x254/0x790
	? __pfx_page_fault_oops+0x10/0x10
	? __pfx_is_prefetch.constprop.0+0x10/0x10
	? search_bpf_extables+0x165/0x260
	? fixup_exception+0x4a/0x970
	? exc_page_fault+0xcb/0xe0
	? asm_exc_page_fault+0x22/0x30
	? 0xffffffffc0051f64
	? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f
	? do_raw_spin_unlock+0x54/0x220
	ionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
	? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
	? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
	? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
	? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
	? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
	ionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
	ionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]
	__napi_poll.constprop.0+0xa0/0x440
	net_rx_action+0x7e7/0xc30
	? __pfx_net_rx_action+0x10/0x10

	The Linux kernel CVE team has assigned CVE-2024-40907 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.9 with commit 8eeed8373e1cca836799bf8e4a05cffa8e444908 and fixed in 6.9.6 with commit 8812aa35f3e930f61074b9c1ecea26f354992c21
	Issue introduced in 6.9 with commit 8eeed8373e1cca836799bf8e4a05cffa8e444908 and fixed in 6.10 with commit 491aee894a08bc9b8bb52e7363b9d4bc6403f363

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40907
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/pensando/ionic/ionic_txrx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8812aa35f3e930f61074b9c1ecea26f354992c21
	https://git.kernel.org/stable/c/491aee894a08bc9b8bb52e7363b9d4bc6403f363