CVE-2021-47261

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/05/2024
Last modified: 30/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

IB/mlx5: Fix initializing CQ fragments buffer

The function init_cq_frag_buf() can be called to initialize the current CQ fragments buffer cq->buf, or the temporary cq->resize_buf that is filled during CQ resize operation.

However, the offending commit started to use function get_cqe() for getting the CQEs, the issue with this change is that get_cqe() always returns CQEs from cq->buf, which leads us to initialize the wrong buffer, and in case of enlarging the CQ we try to access elements beyond the size of the current cq->buf and eventually hit a kernel panic.

[exception RIP: init_cq_frag_buf+103]
[ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]
[ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]
[ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]
[ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]
[ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]
[ffff9f799ddcbec8] kthread at ffffffffa66c5da1
[ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd

Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that takes the correct source buffer as a parameter.
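The bug class described above, as an added user-space model that is not the mlx5 driver's code: an init routine receives the buffer to fill as a parameter but fetches entries through an accessor bound to cq->buf. The struct layout, the marker value and all function names in the block are hypothetical stand-ins; out-of-bounds accesses are counted instead of performed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model. All names here are hypothetical stand-ins, not mlx5 code. */
struct frag_buf { uint8_t *cqes; int nent; };   /* one byte per CQE */
struct model_cq { struct frag_buf buf; struct frag_buf *resize_buf; };
#define OWNER_INIT 0xf0                         /* constructed "initialized" marker */

/* Models get_cqe(): always indexes cq->buf. NULL marks an access that
 * would land past the end of cq->buf in the kernel. */
static uint8_t *model_get_cqe(struct model_cq *cq, int n)
{ return n < cq->buf.nent ? &cq->buf.cqes[n] : NULL; }

/* Models mlx5_frag_buf_get_wqe(): indexes the buffer it is handed. */
static uint8_t *model_buf_get(struct frag_buf *b, int n)
{ return n < b->nent ? &b->cqes[n] : NULL; }

/* Initialize `target`; returns the number of out-of-bounds accesses.
 * fixed == 0 reproduces the pattern from the description. */
static int init_cq_buf(struct model_cq *cq, struct frag_buf *target, int fixed)
{
    int oob = 0;
    for (int i = 0; i < target->nent; i++) {
        uint8_t *cqe = fixed ? model_buf_get(target, i) : model_get_cqe(cq, i);
        if (cqe) *cqe = OWNER_INIT; else oob++;
    }
    return oob;
}

/* Resize old_n -> new_n; *uninit gets the resize_buf entries left untouched. */
static int resize_model(int fixed, int old_n, int new_n, int *uninit)
{
    struct model_cq cq = { { calloc(old_n, 1), old_n }, NULL };
    struct frag_buf rb = { calloc(new_n, 1), new_n };
    cq.resize_buf = &rb;
    int oob = init_cq_buf(&cq, cq.resize_buf, fixed);
    *uninit = 0;
    for (int i = 0; i < new_n; i++) *uninit += rb.cqes[i] != OWNER_INIT;
    free(cq.buf.cqes); free(rb.cqes);
    return oob;
}

int main(void)
{
    int u, oob = resize_model(0, 4, 8, &u);
    printf("buggy: oob=%d uninit=%d\n", oob, u);
    oob = resize_model(1, 4, 8, &u);
    printf("fixed: oob=%d uninit=%d\n", oob, u);
    return 0;
}
```

In the model, shrinking with the buggy path produces no out-of-bounds access but still leaves the resize buffer uninitialized, which matches the "initialize the wrong buffer" half of the description.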

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.17 (including) 4.19.195 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.126 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.44 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.12.11 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*