CVE-2023-53509

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/10/2025
Last modified: 02/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

qed: allow sleep in qed_mcp_trace_dump()

By default, qed_mcp_cmd_and_union() delays 10us at a time in a loop
that can run 500K times, so calls to qed_mcp_nvm_rd_cmd()
may block the current thread for over 5s.
We observed thread scheduling delays over 700ms in production,
with stacktraces pointing to this code as the culprit.

qed_mcp_trace_dump() is called from ethtool, so sleeping is permitted.
It already can sleep in qed_mcp_halt(), which calls qed_mcp_cmd().
Add a "can sleep" parameter to qed_find_nvram_image() and
qed_nvram_read() so they can sleep during qed_mcp_trace_dump().
qed_mcp_trace_get_meta_info() and qed_mcp_trace_read_meta(),
called only by qed_mcp_trace_dump(), allow these functions to sleep.
I can't tell if the other caller (qed_grc_dump_mcp_hw_dump()) can sleep,
so keep b_can_sleep set to false when it calls these functions.

An example stacktrace from a custom warning we added to the kernel
showing a thread that has not scheduled despite long needing resched:
[ 2745.362925,17] ------------[ cut here ]------------
[ 2745.362941,17] WARNING: CPU: 23 PID: 5640 at arch/x86/kernel/irq.c:233 do_IRQ+0x15e/0x1a0()
[ 2745.362946,17] Thread not rescheduled for 744 ms after irq 99
[ 2745.362956,17] Modules linked in: ...
[ 2745.363339,17] CPU: 23 PID: 5640 Comm: lldpd Tainted: P O 4.4.182+ #202104120910+6d1da174272d.61x
[ 2745.363343,17] Hardware name: FOXCONN MercuryB/Quicksilver Controller, BIOS H11P1N09 07/08/2020
[ 2745.363346,17] 0000000000000000 ffff885ec07c3ed8 ffffffff8131eb2f ffff885ec07c3f20
[ 2745.363358,17] ffffffff81d14f64 ffff885ec07c3f10 ffffffff81072ac2 ffff88be98ed0000
[ 2745.363369,17] 0000000000000063 0000000000000174 0000000000000074 0000000000000000
[ 2745.363379,17] Call Trace:
[ 2745.363382,17] [] dump_stack+0x8e/0xcf
[ 2745.363393,17] [] warn_slowpath_common+0x82/0xc0
[ 2745.363398,17] [] warn_slowpath_fmt+0x4c/0x50
[ 2745.363404,17] [] ? rcu_irq_exit+0xae/0xc0
[ 2745.363408,17] [] do_IRQ+0x15e/0x1a0
[ 2745.363413,17] [] common_interrupt+0x89/0x89
[ 2745.363416,17] [] ? delay_tsc+0x24/0x50
[ 2745.363425,17] [] __udelay+0x34/0x40
[ 2745.363457,17] [] qed_mcp_cmd_and_union+0x36f/0x7d0 [qed]
[ 2745.363473,17] [] qed_mcp_nvm_rd_cmd+0x4d/0x90 [qed]
[ 2745.363490,17] [] qed_mcp_trace_dump+0x4a7/0x630 [qed]
[ 2745.363504,17] [] ? qed_fw_asserts_dump+0x1d6/0x1f0 [qed]
[ 2745.363520,17] [] qed_dbg_mcp_trace_get_dump_buf_size+0x37/0x80 [qed]
[ 2745.363536,17] [] qed_dbg_feature_size+0x61/0xa0 [qed]
[ 2745.363551,17] [] qed_dbg_all_data_size+0x247/0x260 [qed]
[ 2745.363560,17] [] qede_get_regs_len+0x30/0x40 [qede]
[ 2745.363566,17] [] ethtool_get_drvinfo+0xe3/0x190
[ 2745.363570,17] [] dev_ethtool+0x1362/0x2140
[ 2745.363575,17] [] ? finish_task_switch+0x76/0x260
[ 2745.363580,17] [] ? __schedule+0x3c6/0x9d0
[ 2745.363585,17] [] ? hrtimer_start_range_ns+0x1d0/0x370
[ 2745.363589,17] [] ? dev_get_by_name_rcu+0x6b/0x90
[ 2745.363594,17] [] dev_ioctl+0xe8/0x710
[ 2745.363599,17] [] sock_do_ioctl+0x48/0x60
[ 2745.363603,17] [] sock_ioctl+0x1c7/0x280
[ 2745.363608,17] [] ? seccomp_phase1+0x83/0x220
[ 2745.363612,17] [] do_vfs_ioctl+0x2b3/0x4e0
[ 2745.363616,17] [] SyS_ioctl+0x41/0x70
[ 2745.363619,17] [] entry_SYSCALL_64_fastpath+0x1e/0x79
[ 2745.363622,17] ---[ end trace f6954aa440266421 ]---
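
As an added illustration (not code from the qed driver or from the patch), the following userspace C model shows the retry loop the description refers to, using its figures of 10 us per iteration and up to 500K iterations. The name model_mbox_poll, the accounting struct and the 1000x coarser step used when sleeping are assumptions made for this example; only b_can_sleep is a name taken from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Figures from the description: 10 us per iteration, up to 500K iterations. */
#define POLL_ITER_US   10u
#define POLL_MAX_ITERS 500000u

struct poll_stats {
    uint64_t busy_us;  /* spent spinning: the CPU is never yielded */
    uint64_t sleep_us; /* spent sleeping: the scheduler can run other threads */
    uint32_t iters;
};

/* Poll a modelled mailbox that answers after ready_after_us microseconds.
 * Time is only accounted, not waited. Returns 0 on response, -1 on timeout. */
static int model_mbox_poll(uint64_t ready_after_us, bool b_can_sleep,
                           struct poll_stats *s)
{
    uint32_t step_us = POLL_ITER_US, max_iters = POLL_MAX_ITERS;
    uint64_t elapsed_us = 0;

    if (b_can_sleep) {       /* assumption: 1000x coarser step, same budget */
        step_us *= 1000;
        max_iters /= 1000;
    }
    for (s->iters = 0; s->iters < max_iters; s->iters++) {
        if (elapsed_us >= ready_after_us)
            return 0;
        if (b_can_sleep)
            s->sleep_us += step_us; /* stands in for a sleeping delay */
        else
            s->busy_us += step_us;  /* stands in for udelay() */
        elapsed_us += step_us;
    }
    return -1;
}

int main(void)
{
    struct poll_stats spin = {0}, slp = {0};
    model_mbox_poll(744000, false, &spin); /* 744 ms, as in the warning */
    model_mbox_poll(744000, true, &slp);
    printf("busy-wait: %llu us spinning in %u iterations\n",
           (unsigned long long)spin.busy_us, spin.iters);
    printf("sleeping:  %llu us spinning, %llu us asleep\n",
           (unsigned long long)slp.busy_us, (unsigned long long)slp.sleep_us);
    return 0;
}
```

With b_can_sleep false, a mailbox that never answers accounts the full 5 s as spinning time, which is the worst case the description gives.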

Impact