CVE-2024-39506

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 12/07/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,
but then it is unconditionally passed to skb_add_rx_frag() which looks
strange and could lead to null pointer dereference.

lio_vf_rep_copy_packet() call trace looks like:
octeon_droq_process_packets
octeon_droq_fast_process_packets
octeon_droq_dispatch_pkt
octeon_create_recv_info
...search in the dispatch_list...
->disp_fn(rdisp->rinfo, ...)
lio_vf_rep_pkt_recv(struct octeon_recv_info *recv_info, ...)
In this path there is no code which sets pg_info->page to NULL.
So this check looks unneeded and doesn't solve potential problem.
But I guess the author had reason to add a check and I have no such card
and can't do real test.
In addition, the code in the function liquidio_push_packet() in
liquidio/lio_core.c does exactly the same.

Based on this, I consider the most acceptable compromise solution to
adjust this issue by moving skb_add_rx_frag() into conditional scope.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
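The check-then-use pattern the description refers to, reduced to a user-space C model. This is an added example, not the driver's source or the upstream patch; `page_info`, `model_skb`, `model_add_rx_frag`, `HDR_LEN`, `run_model` and the sample buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define HDR_LEN 8   /* hypothetical size of the header copied into the linear area */
static const unsigned char sample_page[64] = {0};   /* constructed receive buffer */
/* User-space stand-ins (assumptions), not the kernel's structures. */
struct page_info { const unsigned char *page; };
struct model_skb {
    unsigned char linear[HDR_LEN];
    size_t frag_len;    /* bytes attached as a page fragment */
    int null_frag;      /* set when a NULL page reached the fragment helper */
};

/* Stand-in for skb_add_rx_frag(): records a NULL page instead of crashing. */
static void model_add_rx_frag(struct model_skb *skb, const unsigned char *page, size_t len)
{
    if (!page) { skb->null_frag = 1; return; }
    skb->frag_len = len;
}

/* Before the fix: the NULL check guards only the header copy. */
static void copy_packet_before(struct model_skb *skb, const struct page_info *pg, size_t len)
{
    if (pg->page)
        memcpy(skb->linear, pg->page, HDR_LEN);
    model_add_rx_frag(skb, pg->page, len - HDR_LEN);
}

/* After the fix: the fragment call sits inside the checked scope. */
static void copy_packet_after(struct model_skb *skb, const struct page_info *pg, size_t len)
{
    if (pg->page) {
        memcpy(skb->linear, pg->page, HDR_LEN);
        model_add_rx_frag(skb, pg->page, len - HDR_LEN);
    }
}

/* Returns -1 if a NULL page reached the helper, else the fragment length (len > HDR_LEN). */
static long run_model(int fixed, const unsigned char *page, size_t len)
{
    struct page_info pg = { page };
    struct model_skb skb = { {0}, 0, 0 };
    (fixed ? copy_packet_after : copy_packet_before)(&skb, &pg, len);
    return skb.null_frag ? -1 : (long)skb.frag_len;
}
int main(void)
{
    printf("NULL page, before: %ld  after: %ld  valid page, after: %ld\n",
           run_model(0, NULL, 64), run_model(1, NULL, 64), run_model(1, sample_page, 64));
    return 0;
}
```

With a valid page both variants attach the same fragment; they differ only when the pointer is NULL, which is the case the original check was written for but did not cover.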

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.317 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.279 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.221 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.162 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.95 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.35 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*