Re: [PATCH 5.15] ice: fix crash at allocation failure

Maciej Fijalkowski <maciej.fijalkowski@xxxxxxxxx> · Wed, 25 May 2022 11:46:52 +0200



On Wed, May 25, 2022 at 09:19:53AM +0200, Magnus Karlsson wrote:
> From: Magnus Karlsson <magnus.karlsson@xxxxxxxxx>
> 
> Fix a crash in the zero-copy driver that occurs when it fails to
> allocate buffers from user-space. This crash can easily be triggered
> by a malicious program that does not provide any buffers in the fill
> ring for the kernel to use.
> 
> Note that this bug does not exist in upstream since the batched buffer
> allocation interface got introduced in 5.16 and replaced this code.
> 
> Reported-by: Jeff Shaw <jeffrey.b.shaw@xxxxxxxxx>
> Tested-by: Jeff Shaw <jeffrey.b.shaw@xxxxxxxxx>
> Signed-off-by: Magnus Karlsson <magnus.karlsson@xxxxxxxxx>

Acked-by: Maciej Fijalkowski <maciej.fijalkowski@xxxxxxxxx>

> ---
>  drivers/net/ethernet/intel/ice/ice_xsk.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
> index 2b1873061912..5581747947e5 100644
> --- a/drivers/net/ethernet/intel/ice/ice_xsk.c
> +++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
> @@ -378,7 +378,7 @@ bool ice_alloc_rx_bufs_zc(struct ice_ring *rx_ring, u16 count)
>  
>  	do {
>  		*xdp = xsk_buff_alloc(rx_ring->xsk_pool);
> -		if (!xdp) {
> +		if (!*xdp) {
>  			ok = false;
>  			break;
>  		}
> 
> base-commit: 9f43e3ac7e662f352f829077723fa0b92ccaded1
> -- 
> 2.34.1
>