CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: High
EPSS
Percentile: 5.1%
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Wrap the tx reporter dump callback to extract the sq

Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually of type struct mlx5e_tx_timeout_ctx *.

 mlx5_core 0000:08:00.1 enp8s0f1: TX timeout detected
 mlx5_core 0000:08:00.1 enp8s0f1: TX timeout on queue: 1, SQ: 0x11ec, CQ: 0x146d, SQ Cons: 0x0 SQ Prod: 0x1, usecs since last trans: 21565000
 BUG: stack guard page was hit at 0000000093f1a2de (stack is 00000000b66ea0dc…000000004d932dae)
 kernel stack overflow (page fault): 0000 [#1] SMP NOPTI
 CPU: 5 PID: 95 Comm: kworker/u20:1 Tainted: G W OE 5.13.0_mlnx #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Workqueue: mlx5e mlx5e_tx_timeout_work [mlx5_core]
 RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180 [mlx5_core]
 Call Trace:
 mlx5e_tx_reporter_dump+0x43/0x1c0 [mlx5_core]
 devlink_health_do_dump.part.91+0x71/0xd0
 devlink_health_report+0x157/0x1b0
 mlx5e_reporter_tx_timeout+0xb9/0xf0 [mlx5_core]
 ? mlx5e_tx_reporter_err_cqe_recover+0x1d0/0x1d0 [mlx5_core]
 ? mlx5e_health_queue_dump+0xd0/0xd0 [mlx5_core]
 ? update_load_avg+0x19b/0x550
 ? set_next_entity+0x72/0x80
 ? pick_next_task_fair+0x227/0x340
 ? finish_task_switch+0xa2/0x280
 mlx5e_tx_timeout_work+0x83/0xb0 [mlx5_core]
 process_one_work+0x1de/0x3a0
 worker_thread+0x2d/0x3c0
 ? process_one_work+0x3a0/0x3a0
 kthread+0x115/0x130
 ? kthread_park+0x90/0x90
 ret_from_fork+0x1f/0x30
 --[ end trace 51ccabea504edaff ]--
 RIP: 0010:mlx5e_tx_reporter_dump_sq+0xd3/0x180 [mlx5_core]
 PKRU: 55555554
 Kernel panic - not syncing: Fatal exception
 Kernel Offset: disabled
 end Kernel panic - not syncing: Fatal exception

To fix this bug add a wrapper for mlx5e_tx_reporter_dump_sq() which extracts the sq from struct mlx5e_tx_timeout_ctx and set it as the TX-timeout-recovery flow dump callback.
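Added example, not code from the kernel commit or the mlx5 driver: a userspace model of the type confusion described above and of the wrapper fix. The structure and function names (txqsq, tx_timeout_ctx, err_ctx, tx_reporter_dump_sq, tx_reporter_timeout_dump, run_dump) are hypothetical stand-ins for the mlx5e ones, and the kind tag with its memcpy-based check is an example-only addition so that the mismatched cast shows up as an error return instead of the undefined reads that produced the stack overflow in the trace. The SQ/CQ numbers are constructed from the log line above.

```c
/* Example-only model of CVE-2021-46931: a generic dump callback that
 * assumes its void * argument is an SQ, registered from a flow that
 * actually passes a wrapper context. Not the kernel's code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag so a wrong cast is detectable; the real structs have none. */
enum ctx_kind { KIND_SQ = 1, KIND_TX_TIMEOUT = 2 };

/* Stand-in for struct mlx5e_txqsq. */
struct txqsq {
    enum ctx_kind kind;
    unsigned int sqn;
    unsigned int cqn;
    unsigned int cc;   /* consumer counter */
    unsigned int pc;   /* producer counter */
};

/* Stand-in for struct mlx5e_tx_timeout_ctx: wraps the SQ plus a status. */
struct tx_timeout_ctx {
    enum ctx_kind kind;
    struct txqsq *sq;
    int status;
};

/* Stand-in for the devlink health error context: callback plus opaque arg. */
struct err_ctx {
    int (*dump)(void *ctx, char *buf, size_t len);
    void *ctx;
};

/* Read the tag from the object representation (well-defined for any kind). */
static enum ctx_kind ctx_kind_of(const void *ctx)
{
    enum ctx_kind kind;
    memcpy(&kind, ctx, sizeof kind);
    return kind;
}

/* Generic SQ dump: assumes ctx really is a struct txqsq *. */
static int tx_reporter_dump_sq(void *ctx, char *buf, size_t len)
{
    struct txqsq *sq = ctx;

    /* Example-only guard; the driver trusted the cast, which is the bug. */
    if (ctx_kind_of(ctx) != KIND_SQ)
        return -EINVAL;
    snprintf(buf, len, "SQ: 0x%x, CQ: 0x%x, SQ Cons: 0x%x SQ Prod: 0x%x",
             sq->sqn, sq->cqn, sq->cc, sq->pc);
    return 0;
}

/* The fix: a wrapper for the TX-timeout flow that unwraps the real SQ. */
static int tx_reporter_timeout_dump(void *ctx, char *buf, size_t len)
{
    struct tx_timeout_ctx *to_ctx = ctx;

    if (ctx_kind_of(ctx) != KIND_TX_TIMEOUT)
        return -EINVAL;
    return tx_reporter_dump_sq(to_ctx->sq, buf, len);
}

/* Caller side, as a health report would do: run whatever dump was registered. */
static int run_dump(const struct err_ctx *e, char *buf, size_t len)
{
    buf[0] = '\0';
    return e->dump(e->ctx, buf, len);
}

/* Before the fix: the timeout flow registers the SQ dump but passes a wrapper. */
int dump_timeout_buggy(struct txqsq *sq, char *buf, size_t len)
{
    struct tx_timeout_ctx to_ctx = { KIND_TX_TIMEOUT, sq, -1 };
    struct err_ctx e = { tx_reporter_dump_sq, &to_ctx };
    return run_dump(&e, buf, len);
}

/* After the fix: same context, but the unwrapping wrapper is the callback. */
int dump_timeout_fixed(struct txqsq *sq, char *buf, size_t len)
{
    struct tx_timeout_ctx to_ctx = { KIND_TX_TIMEOUT, sq, -1 };
    struct err_ctx e = { tx_reporter_timeout_dump, &to_ctx };
    return run_dump(&e, buf, len);
}

int main(void)
{
    /* Constructed from the log line above, not read from hardware. */
    struct txqsq sq = { KIND_SQ, 0x11ec, 0x146d, 0x0, 0x1 };
    char buf[128];

    printf("buggy: rc=%d\n", dump_timeout_buggy(&sq, buf, sizeof buf));
    printf("fixed: rc=%d %s\n", dump_timeout_fixed(&sq, buf, sizeof buf), buf);
    return 0;
}
```

The point the model makes explicit is that a void * callback contract is only as safe as every registration site; the kernel fix does not touch tx_reporter_dump_sq at all, it only ensures the TX-timeout path registers a callback whose argument type matches what that path actually passes.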
git.kernel.org/linus/918fc3855a6507a200e9cf22c20be852c0982687 (5.16-rc8)
git.kernel.org/stable/c/07f13d58a8ecc3baf9a488588fb38c5cb0db484f
git.kernel.org/stable/c/73665165b64a8f3c5b3534009a69be55bb744f05
git.kernel.org/stable/c/918fc3855a6507a200e9cf22c20be852c0982687
launchpad.net/bugs/cve/CVE-2021-46931
nvd.nist.gov/vuln/detail/CVE-2021-46931
security-tracker.debian.org/tracker/CVE-2021-46931
www.cve.org/CVERecord?id=CVE-2021-46931