CVE-2023-53463

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/10/2025
Last modified: 16/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ibmvnic: Do not reset dql stats on NON_FATAL err

All ibmvnic resets make a call to netdev_tx_reset_queue() when re-opening the device. netdev_tx_reset_queue() resets the num_queued and num_completed byte counters. These stats are used in Byte Queue Limit (BQL) algorithms. The difference between these two stats tracks the number of bytes currently sitting on the physical NIC. ibmvnic increases the number of queued bytes through calls to netdev_tx_sent_queue() in the driver's xmit function. When VIOS reports that it is done transmitting bytes, the ibmvnic device increases the number of completed bytes through calls to netdev_tx_completed_queue(). It is important to note that the driver batches its transmit calls and num_queued is increased every time that an skb is added to the next batch, not necessarily when the batch is sent to VIOS for transmission.

Unlike other reset types, a NON FATAL reset will not flush the sub crq tx buffers. Therefore, it is possible for the batched skb array to be partially full. So if there is a call to netdev_tx_reset_queue() when re-opening the device, the value of num_queued (0) would not account for the skb's that are currently batched. Eventually, when the batch is sent to VIOS, the call to netdev_tx_completed_queue() would increase num_completed to a value greater than the num_queued. This causes a BUG_ON crash:

    ibmvnic 30000002: Firmware reports error, cause: adapter problem.
    Starting recovery...
    ibmvnic 30000002: tx error 600
    ibmvnic 30000002: tx error 600
    ibmvnic 30000002: tx error 600
    ibmvnic 30000002: tx error 600
    ------------[ cut here ]------------
    kernel BUG at lib/dynamic_queue_limits.c:27!
    Oops: Exception in kernel mode, sig: 5
    [....]
    NIP dql_completed+0x28/0x1c0
    LR ibmvnic_complete_tx.isra.0+0x23c/0x420 [ibmvnic]
    Call Trace:
    ibmvnic_complete_tx.isra.0+0x3f8/0x420 [ibmvnic] (unreliable)
    ibmvnic_interrupt_tx+0x40/0x70 [ibmvnic]
    __handle_irq_event_percpu+0x98/0x270
    ---[ end trace ]---

Therefore, do not reset the dql stats when performing a NON_FATAL reset.
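
Added example (not part of the kernel commit or of this advisory): a user-space C model of the counter accounting described above, replaying a reset with and without the dql stats being cleared. The struct, enum and function names are hypothetical; the model_* helpers stand in for the netdev_tx_*_queue() calls, and a false return from model_completed() marks the condition that dql_completed() enforces with BUG_ON.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the two BQL byte counters from the description. */
struct dql_model { unsigned int num_queued, num_completed; };

enum reset_kind { RESET_NON_FATAL, RESET_OTHER };   /* hypothetical names */

/* Stand-in for netdev_tx_sent_queue(): called as each skb joins the batch. */
static void model_sent(struct dql_model *d, unsigned int bytes) { d->num_queued += bytes; }

/* Stand-in for netdev_tx_reset_queue(): both counters return to zero. */
static void model_reset(struct dql_model *d) { d->num_queued = d->num_completed = 0; }

/* Stand-in for netdev_tx_completed_queue(); false marks the BUG_ON case. */
static bool model_completed(struct dql_model *d, unsigned int bytes)
{
    if (bytes > d->num_queued - d->num_completed)
        return false;
    d->num_completed += bytes;
    return true;
}

/* Batch three skbs, reset and re-open, then let VIOS complete what is still
 * batched. Returns true if the accounting stayed consistent. */
bool replay_reset(enum reset_kind kind, bool skip_reset_on_non_fatal)
{
    static const unsigned int skb_len[] = { 1500, 1500, 900 };  /* constructed */
    struct dql_model d = { 0, 0 };
    unsigned int batched = 0;

    for (size_t i = 0; i < sizeof(skb_len) / sizeof(skb_len[0]); i++) {
        model_sent(&d, skb_len[i]);
        batched += skb_len[i];
    }
    if (kind != RESET_NON_FATAL)
        batched = 0;            /* other resets flush the sub-CRQ tx buffers */
    if (!(kind == RESET_NON_FATAL && skip_reset_on_non_fatal))
        model_reset(&d);        /* re-open path resets the dql stats */
    return batched == 0 || model_completed(&d, batched);
}

int main(void)
{
    printf("NON_FATAL, stats reset:   %s\n", replay_reset(RESET_NON_FATAL, false) ? "ok" : "BUG_ON");
    printf("NON_FATAL, stats kept:    %s\n", replay_reset(RESET_NON_FATAL, true) ? "ok" : "BUG_ON");
    printf("other reset, stats reset: %s\n", replay_reset(RESET_OTHER, false) ? "ok" : "BUG_ON");
    return 0;
}
```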

Vulnerable products and versions

CPE                                              From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)   5.15.121 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)   6.1.39 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)    6.4.4 (excluding)