CVE-2023-52998

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/03/2025
Last modified:
29/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: fec: Use page_pool_put_full_page when freeing rx buffers

The page_pool_release_page was used when freeing rx buffers, and this function just unmaps the page (if mapped) and does not recycle the page. So after hundreds of down/up cycles on eth0, the system will run out of memory. For more details, please refer to the following reproduce steps and bug logs. To solve this issue, and referring to the doc of page pool, page_pool_put_full_page should be used to replace page_pool_release_page, because this API will try to recycle the page if the page refcnt is equal to 1. After testing 20000 times, the issue cannot be reproduced anymore (before, the issue would occur after about 391 test iterations on i.MX8MN-EVK).

Reproduce steps:
Create the test script and run the script. The script content is as follows:

    LOOPS=20000
    i=1
    while [ $i -le $LOOPS ]
    do
        echo "TINFO:ENET $curface up and down test $i times"
        org_macaddr=$(cat /sys/class/net/eth0/address)
        ifconfig eth0 down
        ifconfig eth0 hw ether $org_macaddr up
        i=$(expr $i + 1)
    done
    sleep 5
    if cat /sys/class/net/eth0/operstate | grep 'up';then
        echo "TEST PASS"
    else
        echo "TEST FAIL"
    fi

Bug detail logs:

    TINFO:ENET up and down test 391 times
    [ 850.471205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
    [ 853.535318] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
    [ 853.541694] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
    [ 870.590531] page_pool_release_retry() stalled pool shutdown 199 inflight 60 sec
    [ 931.006557] page_pool_release_retry() stalled pool shutdown 199 inflight 120 sec
    TINFO:ENET up and down test 392 times
    [ 991.426544] page_pool_release_retry() stalled pool shutdown 192 inflight 181 sec
    [ 1051.838531] page_pool_release_retry() stalled pool shutdown 170 inflight 241 sec
    [ 1093.751217] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
    [ 1096.446520] page_pool_release_retry() stalled pool shutdown 308 inflight 60 sec
    [ 1096.831245] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
    [ 1096.839092] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
    [ 1112.254526] page_pool_release_retry() stalled pool shutdown 103 inflight 302 sec
    [ 1156.862533] page_pool_release_retry() stalled pool shutdown 308 inflight 120 sec
    [ 1172.674516] page_pool_release_retry() stalled pool shutdown 103 inflight 362 sec
    [ 1217.278532] page_pool_release_retry() stalled pool shutdown 308 inflight 181 sec
    TINFO:ENET up and down test 393 times
    [ 1233.086535] page_pool_release_retry() stalled pool shutdown 103 inflight 422 sec
    [ 1277.698513] page_pool_release_retry() stalled pool shutdown 308 inflight 241 sec
    [ 1293.502525] page_pool_release_retry() stalled pool shutdown 86 inflight 483 sec
    [ 1338.110518] page_pool_release_retry() stalled pool shutdown 308 inflight 302 sec
    [ 1353.918540] page_pool_release_retry() stalled pool shutdown 32 inflight 543 sec
    [ 1361.179205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
    [ 1364.255298] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
    [ 1364.263189] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
    [ 1371.998532] page_pool_release_retry() stalled pool shutdown 310 inflight 60 sec
    [ 1398.530542] page_pool_release_retry() stalled pool shutdown 308 inflight 362 sec
    [ 1414.334539] page_pool_release_retry() stalled pool shutdown 16 inflight 604 sec
    [ 1432.414520] page_pool_release_retry() stalled pool shutdown 310 inflight 120 sec
    [ 1458.942523] page_pool_release_retry() stalled pool shutdown 308 inflight 422 sec
    [ 1474.750521] page_pool_release_retry() stalled pool shutdown 16 inflight 664 sec
    TINFO:ENET up and down test 394 times
    [ 1492.8305
    ---truncated---

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:* | | |
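
A triage helper for this advisory, added here as an example and not part of the kernel commit or the CVE record: it extracts the `page_pool_release_retry()` stall warnings shown in the bug log from a kernel log and checks a `uname -r` string against the version ranges listed above. The function names are hypothetical, and counting stuck pools by their first warning (reported at 60 sec in the log on this page) is a heuristic.

```python
import re

# Warning the kernel prints while a page pool cannot finish shutting down
# because pages taken from it were never returned.
STALL_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+page_pool_release_retry\(\) "
    r"stalled pool shutdown (?P<inflight>\d+) inflight (?P<sec>\d+) sec")

# A few lines copied from the bug log in the description on this page.
SAMPLE = [
    "[ 853.541694] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx",
    "[ 870.590531] page_pool_release_retry() stalled pool shutdown 199 inflight 60 sec",
    "[ 931.006557] page_pool_release_retry() stalled pool shutdown 199 inflight 120 sec",
    "[ 1096.446520] page_pool_release_retry() stalled pool shutdown 308 inflight 60 sec",
    "[ 1112.254526] page_pool_release_retry() stalled pool shutdown 103 inflight 302 sec",
]

def parse_stalls(lines):
    """Return (timestamp, inflight_pages, stalled_seconds) per stall warning."""
    events = []
    for line in lines:
        m = STALL_RE.search(line)
        if m:
            events.append((float(m["ts"]), int(m["inflight"]), int(m["sec"])))
    return events

def count_stuck_pools(events):
    """Heuristic: each stuck pool's first warning reports about 60 sec."""
    return sum(1 for _, _, sec in events if sec <= 60)

def in_listed_range(release):
    """True if a `uname -r` style string is in the ranges listed on this page.

    Only a hint: distribution kernels backport fixes and may use their own
    version suffixes, so confirm against the vendor's advisory.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        return False
    major, minor, patch, rc = (int(g) if g else None for g in m.groups())
    if (major, minor) == (6, 1) and rc is None:
        return (patch or 0) < 9            # 6.1 (including) to 6.1.9 (excluding)
    if (major, minor) == (6, 2) and rc is not None and not patch:
        return 1 <= rc <= 5                # 6.2-rc1 through 6.2-rc5
    return False

if __name__ == "__main__":
    events = parse_stalls(SAMPLE)
    print(f"{len(events)} stall warnings, about {count_stuck_pools(events)} stuck pools")
    print("6.1.8 in listed range:", in_listed_range("6.1.8"))
```

On a live system, feed it the lines of `dmesg` or the journal's kernel log instead of `SAMPLE`.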