CVE-2024-56656
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/12/2024
Last modified:
06/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips

The 5760X (P7) chip's HW GRO/LRO interface is very similar to that of
the previous generation (5750X or P5). However, the aggregation ID
fields in the completion structures on P7 have been redefined from
16 bits to 12 bits. The freed up 4 bits are redefined for part of the
metadata such as the VLAN ID. The aggregation ID mask was not modified
when adding support for P7 chips. Including the extra 4 bits for the
aggregation ID can potentially cause the driver to store or fetch the
packet header of GRO/LRO packets in the wrong TPA buffer. It may hit
the BUG() condition in __skb_pull() because the SKB contains no valid
packet header:

kernel BUG at include/linux/skbuff.h:2766!
Oops: invalid opcode: 0000 1 PREEMPT SMP NOPTI
CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022
RIP: 0010:eth_type_trans+0xda/0x140
Code: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48
RSP: 0018:ff615003803fcc28 EFLAGS: 00010283
RAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040
RDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000
RBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001
R10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0
R13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000
FS: 0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:

? die+0x33/0x90
? do_trap+0xd9/0x100
? eth_type_trans+0xda/0x140
? do_error_trap+0x65/0x80
? eth_type_trans+0xda/0x140
? exc_invalid_op+0x4e/0x70
? eth_type_trans+0xda/0x140
? asm_exc_invalid_op+0x16/0x20
? eth_type_trans+0xda/0x140
bnxt_tpa_end+0x10b/0x6b0 [bnxt_en]
? bnxt_tpa_start+0x195/0x320 [bnxt_en]
bnxt_rx_pkt+0x902/0xd90 [bnxt_en]
? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en]
? kmem_cache_free+0x343/0x440
? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en]
__bnxt_poll_work+0x193/0x370 [bnxt_en]
bnxt_poll_p5+0x9a/0x300 [bnxt_en]
? try_to_wake_up+0x209/0x670
__napi_poll+0x29/0x1b0

Fix it by redefining the aggregation ID mask for P5_PLUS chips to be
12 bits. This will work because the maximum aggregation ID is less
than 4096 on all P5_PLUS chips.
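
The masking error described above, as an added example that is not the bnxt_en driver's code. The macro names, the 32-bit word layout, the placement of the metadata in the upper 4 bits, the differing metadata between the start and end completions, and all sample values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout: the aggregation ID field occupies the top 16 bits of
 * a 32-bit completion word. On P7 only the low 12 bits of that field are the
 * ID; the upper 4 bits (assumed position) carry metadata such as VLAN bits. */
#define AGG_ID_SHIFT      16
#define AGG_ID_MASK_16BIT (0xffffu << AGG_ID_SHIFT) /* mask left unchanged for P7 */
#define AGG_ID_MASK_12BIT (0x0fffu << AGG_ID_SHIFT) /* mask after the fix */
#define MAX_AGG_IDS       4096u /* per the page: max aggregation ID < 4096 */

/* Extract the aggregation ID from a completion word with the given mask. */
static uint32_t agg_id(uint32_t cmp_word, uint32_t mask)
{
    return (cmp_word & mask) >> AGG_ID_SHIFT;
}

/* Build a constructed P7-style word: 4 metadata bits above a 12-bit ID. */
static uint32_t make_p7_word(uint32_t id12, uint32_t meta4)
{
    return ((meta4 & 0xfu) << (AGG_ID_SHIFT + 12)) |
           ((id12 & 0xfffu) << AGG_ID_SHIFT);
}

/* 1 if the start and end completions of one aggregation resolve to the same
 * TPA slot, 0 if the header would be stored in one slot and fetched from
 * another (the empty-header case that ends in the BUG() in __skb_pull()). */
static int start_end_match(uint32_t start_word, uint32_t end_word, uint32_t mask)
{
    return agg_id(start_word, mask) == agg_id(end_word, mask);
}

int main(void)
{
    /* Constructed sample: same aggregation ID 0x123, different metadata. */
    uint32_t start = make_p7_word(0x123, 0xA);
    uint32_t end   = make_p7_word(0x123, 0x0);

    printf("16-bit mask: start=0x%x end=0x%x match=%d in_range=%d\n",
           agg_id(start, AGG_ID_MASK_16BIT), agg_id(end, AGG_ID_MASK_16BIT),
           start_end_match(start, end, AGG_ID_MASK_16BIT),
           agg_id(start, AGG_ID_MASK_16BIT) < MAX_AGG_IDS);
    printf("12-bit mask: start=0x%x end=0x%x match=%d in_range=%d\n",
           agg_id(start, AGG_ID_MASK_12BIT), agg_id(end, AGG_ID_MASK_12BIT),
           start_end_match(start, end, AGG_ID_MASK_12BIT),
           agg_id(start, AGG_ID_MASK_12BIT) < MAX_AGG_IDS);
    return 0;
}
```
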
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8 (including) | 6.12.6 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:* | | |