CVE-2024-53209

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Fix receive ring space parameters when XDP is active<br /> <br /> The MTU setting at the time an XDP multi-buffer is attached<br /> determines whether the aggregation ring will be used and the<br /> rx_skb_func handler. This is done in bnxt_set_rx_skb_mode().<br /> <br /> If the MTU is later changed, the aggregation ring setting may need<br /> to be changed and it may become out-of-sync with the settings<br /> initially done in bnxt_set_rx_skb_mode(). This may result in<br /> random memory corruption and crashes as the HW may DMA data larger<br /> than the allocated buffer size, such as:<br /> <br /> BUG: kernel NULL pointer dereference, address: 00000000000003c0<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1<br /> Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021<br /> RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]<br /> Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f<br /> RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202<br /> RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff<br /> RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380<br /> RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf<br /> R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980<br /> R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990<br /> FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]<br /> <br /> To address the issue, we now call bnxt_set_rx_skb_mode() within<br /> bnxt_change_mtu() to properly set the AGG rings configuration and<br /> update rx_skb_func based on the new MTU value.<br /> Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of<br /> bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on<br /> the current MTU.