CVE-2021-47587

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: systemport: Add global locking for descriptor lifecycle<br /> <br /> The descriptor list is a shared resource across all of the transmit queues, and<br /> the locking mechanism used today only protects concurrency across a given<br /> transmit queue between the transmit and reclaiming. This creates an opportunity<br /> for the SYSTEMPORT hardware to work on corrupted descriptors if we have<br /> multiple producers at once which is the case when using multiple transmit<br /> queues.<br /> <br /> This was particularly noticeable when using multiple flows/transmit queues and<br /> it showed up in interesting ways in that UDP packets would get a correct UDP<br /> header checksum being calculated over an incorrect packet length. Similarly TCP<br /> packets would get an equally correct checksum computed by the hardware over an<br /> incorrect packet length.<br /> <br /> The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges<br /> when the driver produces a new descriptor anytime it writes to the<br /> WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to<br /> re-organize its descriptors and it is possible that concurrent TX queues<br /> eventually break this internal allocation scheme to the point where the<br /> length/status part of the descriptor gets used for an incorrect data buffer.<br /> <br /> The fix is to impose a global serialization for all TX queues in the short<br /> section where we are writing to the WRITE_PORT_{HI,LO} registers which solves<br /> the corruption even with multiple concurrent TX queues being used.