CVE-2023-54257

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: macb: fix a memory corruption in extended buffer descriptor mode<br /> <br /> For quite some time we were chasing a bug which looked like a sudden<br /> permanent failure of networking and mmc on some of our devices.<br /> The bug was very sensitive to any software changes and even more to<br /> any kernel debug options.<br /> <br /> Finally we got a setup where the problem was reproducible with<br /> CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma:<br /> <br /> [ 16.992082] ------------[ cut here ]------------<br /> [ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes]<br /> [ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900<br /> [ 17.018977] Modules linked in: xxxxx<br /> [ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28<br /> [ 17.045345] Hardware name: xxxxx<br /> [ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO)<br /> [ 17.054322] pc : check_unmap+0x6a0/0x900<br /> [ 17.058243] lr : check_unmap+0x6a0/0x900<br /> [ 17.062163] sp : ffffffc010003c40<br /> [ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c<br /> [ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800<br /> [ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8<br /> [ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750<br /> [ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000<br /> [ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010<br /> [ 17.097343] x17: 0000000000000000 x16: 0000000000000000<br /> [ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720<br /> [ 17.107959] x13: 0720072007200720 x12: 0720072007200720<br /> [ 17.113261] x11: 0720072007200720 x10: 0720072007200720<br /> [ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d<br /> [ 17.123869] x7 : 0000000000000015 x6 : 0000000000000098<br /> [ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000<br /> [ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370<br /> [ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000<br /> [ 17.145082] Call trace:<br /> [ 17.147524] check_unmap+0x6a0/0x900<br /> [ 17.151091] debug_dma_unmap_page+0x88/0x90<br /> [ 17.155266] gem_rx+0x114/0x2f0<br /> [ 17.158396] macb_poll+0x58/0x100<br /> [ 17.161705] net_rx_action+0x118/0x400<br /> [ 17.165445] __do_softirq+0x138/0x36c<br /> [ 17.169100] irq_exit+0x98/0xc0<br /> [ 17.172234] __handle_domain_irq+0x64/0xc0<br /> [ 17.176320] gic_handle_irq+0x5c/0xc0<br /> [ 17.179974] el1_irq+0xb8/0x140<br /> [ 17.183109] xiic_process+0x5c/0xe30<br /> [ 17.186677] irq_thread_fn+0x28/0x90<br /> [ 17.190244] irq_thread+0x208/0x2a0<br /> [ 17.193724] kthread+0x130/0x140<br /> [ 17.196945] ret_from_fork+0x10/0x20<br /> [ 17.200510] ---[ end trace 7240980785f81d6f ]---<br /> <br /> [ 237.021490] ------------[ cut here ]------------<br /> [ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b<br /> [ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240<br /> [ 237.041802] Modules linked in: xxxxx<br /> [ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28<br /> [ 237.068941] Hardware name: xxxxx<br /> [ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO)<br /> [ 237.077900] pc : add_dma_entry+0x214/0x240<br /> [ 237.081986] lr : add_dma_entry+0x214/0x240<br /> [ 237.086072] sp : ffffffc010003c30<br /> [ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00<br /> [ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0<br /> [ 237.099987] x25: 0000000000000002 x24: 0000000000000000<br /> [ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00<br /> [ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600<br /> [ 237.115897] x19: 00000000ffffffef x18: 0000000000000010<br /> [ 237.121201] x17: 0000000000000000 x16: 0000000000000000<br /> [ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720<br /> [ 237.131807] x13: 0720072007200720 x12: 0720072007200720<br /> [ 237.137111] x11: 0720072007200720 x10: 0720072007200720<br /> [ 237.142415] x9 : 0720072007200720 x8 : 0000000000000259<br /> [ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000<br /> [ 237.15302<br /> ---truncated---