CVE-2021-47015

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Fix RX consumer index logic in the error path.<br /> <br /> In bnxt_rx_pkt(), the RX buffers are expected to complete in order.<br /> If the RX consumer index indicates an out of order buffer completion,<br /> it means we are hitting a hardware bug and the driver will abort all<br /> remaining RX packets and reset the RX ring. The RX consumer index<br /> that we pass to bnxt_discard_rx() is not correct. We should be<br /> passing the current index (tmp_raw_cons) instead of the old index<br /> (raw_cons). This bug can cause us to be at the wrong index when<br /> trying to abort the next RX packet. It can crash like this:<br /> <br /> #0 [ffff9bbcdf5c39a8] machine_kexec at ffffffff9b05e007<br /> #1 [ffff9bbcdf5c3a00] __crash_kexec at ffffffff9b111232<br /> #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e<br /> #3 [ffff9bbcdf5c3b50] oops_end at ffffffff9b030978<br /> #4 [ffff9bbcdf5c3b78] no_context at ffffffff9b06aaf0<br /> #5 [ffff9bbcdf5c3bd8] __bad_area_nosemaphore at ffffffff9b06ae2e<br /> #6 [ffff9bbcdf5c3c28] bad_area_nosemaphore at ffffffff9b06af24<br /> #7 [ffff9bbcdf5c3c38] __do_page_fault at ffffffff9b06b67e<br /> #8 [ffff9bbcdf5c3cb0] do_page_fault at ffffffff9b06bb12<br /> #9 [ffff9bbcdf5c3ce0] page_fault at ffffffff9bc015c5<br /> [exception RIP: bnxt_rx_pkt+237]<br /> RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213<br /> RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000<br /> RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000<br /> RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d<br /> R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0<br /> R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000<br /> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018