CVE-2024-40907

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ionic: fix kernel panic in XDP_TX action<br /> <br /> In the XDP_TX path, ionic driver sends a packet to the TX path with rx<br /> page and corresponding dma address.<br /> After tx is done, ionic_tx_clean() frees that page.<br /> But RX ring buffer isn&amp;#39;t reset to NULL.<br /> So, it uses a freed page, which causes kernel panic.<br /> <br /> BUG: unable to handle page fault for address: ffff8881576c110c<br /> PGD 773801067 P4D 773801067 PUD 87f086067 PMD 87efca067 PTE 800ffffea893e060<br /> Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI<br /> CPU: 1 PID: 25 Comm: ksoftirqd/1 Not tainted 6.9.0+ #11<br /> Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021<br /> RIP: 0010:bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f<br /> Code: 00 53 41 55 41 56 41 57 b8 01 00 00 00 48 8b 5f 08 4c 8b 77 00 4c 89 f7 48 83 c7 0e 48 39 d8<br /> RSP: 0018:ffff888104e6fa28 EFLAGS: 00010283<br /> RAX: 0000000000000002 RBX: ffff8881576c1140 RCX: 0000000000000002<br /> RDX: ffffffffc0051f64 RSI: ffffc90002d33048 RDI: ffff8881576c110e<br /> RBP: ffff888104e6fa88 R08: 0000000000000000 R09: ffffed1027a04a23<br /> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881b03a21a8<br /> R13: ffff8881589f800f R14: ffff8881576c1100 R15: 00000001576c1100<br /> FS: 0000000000000000(0000) GS:ffff88881ae00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffff8881576c110c CR3: 0000000767a90000 CR4: 00000000007506f0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die+0x20/0x70<br /> ? page_fault_oops+0x254/0x790<br /> ? __pfx_page_fault_oops+0x10/0x10<br /> ? __pfx_is_prefetch.constprop.0+0x10/0x10<br /> ? search_bpf_extables+0x165/0x260<br /> ? fixup_exception+0x4a/0x970<br /> ? exc_page_fault+0xcb/0xe0<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? 0xffffffffc0051f64<br /> ? bpf_prog_f0b8caeac1068a55_balancer_ingress+0x3b/0x44f<br /> ? do_raw_spin_unlock+0x54/0x220<br /> ionic_rx_service+0x11ab/0x3010 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]<br /> ? ionic_tx_clean+0x29b/0xc60 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]<br /> ? __pfx_ionic_tx_clean+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]<br /> ? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]<br /> ? ionic_tx_cq_service+0x25d/0xa00 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]<br /> ? __pfx_ionic_rx_service+0x10/0x10 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]<br /> ionic_cq_service+0x69/0x150 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]<br /> ionic_txrx_napi+0x11a/0x540 [ionic 9180c3001ab627d82bbc5f3ebe8a0decaf6bb864]<br /> __napi_poll.constprop.0+0xa0/0x440<br /> net_rx_action+0x7e7/0xc30<br /> ? __pfx_net_rx_action+0x10/0x10