CVE-2023-53029
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/03/2025
Last modified:
31/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt

The commit 4af1b64f80fb ("octeontx2-pf: Fix lmtst ID used in aura
free") uses the get/put_cpu() to protect the usage of percpu pointer
in ->aura_freeptr() callback, but it also unnecessarily disables the
preemption for the blockable memory allocation. The commit 87b93b678e95
("octeontx2-pf: Avoid use of GFP_KERNEL in atomic context") tried to
fix these sleep inside atomic warnings. But it only fixes the one for
the non-rt kernel. For the rt kernel, we still get the similar warnings
like below.
    BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
    in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
    preempt_count: 1, expected: 0
    RCU nest depth: 0, expected: 0
    3 locks held by swapper/0/1:
    #0: ffff800009fc5fe8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x24/0x30
    #1: ffff000100c276c0 (&mbox->lock){+.+.}-{3:3}, at: otx2_init_hw_resources+0x8c/0x3a4
    #2: ffffffbfef6537e0 (&cpu_rcache->lock){+.+.}-{2:2}, at: alloc_iova_fast+0x1ac/0x2ac
    Preemption disabled at:
    [] otx2_rq_aura_pool_init+0x14c/0x284
    CPU: 20 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc3-rt1-yocto-preempt-rt #1
    Hardware name: Marvell OcteonTX CN96XX board (DT)
    Call trace:
    dump_backtrace.part.0+0xe8/0xf4
    show_stack+0x20/0x30
    dump_stack_lvl+0x9c/0xd8
    dump_stack+0x18/0x34
    __might_resched+0x188/0x224
    rt_spin_lock+0x64/0x110
    alloc_iova_fast+0x1ac/0x2ac
    iommu_dma_alloc_iova+0xd4/0x110
    __iommu_dma_map+0x80/0x144
    iommu_dma_map_page+0xe8/0x260
    dma_map_page_attrs+0xb4/0xc0
    __otx2_alloc_rbuf+0x90/0x150
    otx2_rq_aura_pool_init+0x1c8/0x284
    otx2_init_hw_resources+0xe4/0x3a4
    otx2_open+0xf0/0x610
    __dev_open+0x104/0x224
    __dev_change_flags+0x1e4/0x274
    dev_change_flags+0x2c/0x7c
    ic_open_devs+0x124/0x2f8
    ip_auto_config+0x180/0x42c
    do_one_initcall+0x90/0x4dc
    do_basic_setup+0x10c/0x14c
    kernel_init_freeable+0x10c/0x13c
    kernel_init+0x2c/0x140
    ret_from_fork+0x10/0x20

Of course, we can shuffle the get/put_cpu() to only wrap the invocation
of ->aura_freeptr() as what commit 87b93b678e95 does. But there are only
two ->aura_freeptr() callbacks, otx2_aura_freeptr() and
cn10k_aura_freeptr(). There is no usage of percpu variable in the
otx2_aura_freeptr() at all, so the get/put_cpu() seems redundant to it.
We can move the get/put_cpu() into the corresponding callback which
really has the percpu variable usage and avoid the sprinkling of
get/put_cpu() in several places.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.87 (including) | 5.15.91 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.0.19 (including) | 6.1 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.5 (including) | 6.1.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* | | |
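
A first-pass triage of the version ranges in the table above, as an added example that is not part of the advisory or of the kernel project: it parses a `uname -r` style release string and reports whether the upstream version matches a listed row. The function names and the `-rtN` heuristic for spotting PREEMPT_RT builds are assumptions; the sample release strings are constructed, except the one copied from the trace in the description.

```python
import re

# Affected upstream ranges from the table: (first affected, first fixed).
AFFECTED_RANGES = [
    ((5, 15, 87), (5, 15, 91)),
    ((6, 0, 19), (6, 1, 0)),
    ((6, 1, 5), (6, 1, 8)),
]
# Release candidates the table lists individually: (major, minor, rc).
AFFECTED_RCS = {(6, 2, 3), (6, 2, 4)}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?(.*)$")


def parse_release(release):
    """Return (version tuple, rc number or None, is_rt) for a `uname -r` string."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc, rest = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    # Assumption: PREEMPT_RT builds carry an "-rtN" tag, as in the page's trace.
    is_rt = re.search(r"-rt\d+", rest) is not None
    return version, (int(rc) if rc else None), is_rt


def in_affected_range(release):
    """True when the upstream version matches a row of the CPE table."""
    version, rc, _ = parse_release(release)
    if rc is not None:
        # Pre-releases count only when the table names them explicitly.
        return (version[0], version[1], rc) in AFFECTED_RCS
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    samples = [
        "6.2.0-rc3-rt1-yocto-preempt-rt",  # release string from the page's trace
        "5.15.90-rt56",                    # constructed samples from here on
        "6.1.8",
        "6.0.19",
    ]
    for rel in samples:
        _, _, rt = parse_release(rel)
        print(f"{rel:34} in_range={in_affected_range(rel)} rt={rt}")
```

Distribution kernels often backport fixes without changing the upstream version number, so a match here is a prompt to check the vendor changelog for the octeontx2-pf fix, not proof of exposure.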



