net: ena: Fix incorrect descriptor free behavior (!4329) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Kamal Heib requested to merge kheib/centos-stream-9:37430 into main May 27, 2024

JIRA: https://issues.redhat.com/browse/RHEL-37430
CVE: CVE-2024-35958

commit bf02d9fe00632d22fa91d34749c7aacf397b6cde
Author: David Arinzon darinzon@amazon.com
Date: Wed Apr 10 09:13:57 2024 +0000

net: ena: Fix incorrect descriptor free behavior  

ENA has two types of TX queues:  
- queues which only process TX packets arriving from the network stack  
- queues which only process TX packets forwarded to it by XDP_REDIRECT  
  or XDP_TX instructions  

The ena_free_tx_bufs() cycles through all descriptors in a TX queue  
and unmaps + frees every descriptor that hasn't been acknowledged yet  
by the device (uncompleted TX transactions).  
The function assumes that the processed TX queue is necessarily from  
the first category listed above and ends up using napi_consume_skb()  
for descriptors belonging to an XDP specific queue.  

This patch solves a bug in which, in case of a VF reset, the  
descriptors aren't freed correctly, leading to crashes.  

Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action")  
Signed-off-by: Shay Agroskin <shayagr@amazon.com>  
Signed-off-by: David Arinzon <darinzon@amazon.com>  
Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>  
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Signed-off-by: Kamal Heib kheib@redhat.com

net: ena: Fix incorrect descriptor free behavior

Merge request reports