In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix RX consumer index logic in the error path.
In bnxtrxpkt(), the RX buffers are expected to complete in order. If the RX consumer index indicates an out of order buffer completion, it means we are hitting a hardware bug and the driver will abort all remaining RX packets and reset the RX ring. The RX consumer index that we pass to bnxtdiscardrx() is not correct. We should be passing the current index (tmprawcons) instead of the old index (raw_cons). This bug can cause us to be at the wrong index when trying to abort the next RX packet. It can crash like this:
#0 [ffff9bbcdf5c39a8] machinekexec at ffffffff9b05e007 #1 [ffff9bbcdf5c3a00] _crashkexec at ffffffff9b111232 #2 [ffff9bbcdf5c3ad0] panic at ffffffff9b07d61e #3 [ffff9bbcdf5c3b50] oopsend at ffffffff9b030978 #4 [ffff9bbcdf5c3b78] nocontext at ffffffff9b06aaf0 #5 [ffff9bbcdf5c3bd8] _badareanosemaphore at ffffffff9b06ae2e #6 [ffff9bbcdf5c3c28] badareanosemaphore at ffffffff9b06af24 #7 [ffff9bbcdf5c3c38] _dopagefault at ffffffff9b06b67e #8 [ffff9bbcdf5c3cb0] dopagefault at ffffffff9b06bb12 #9 [ffff9bbcdf5c3ce0] pagefault at ffffffff9bc015c5 [exception RIP: bnxtrxpkt+237] RIP: ffffffffc0259cdd RSP: ffff9bbcdf5c3d98 RFLAGS: 00010213 RAX: 000000005dd8097f RBX: ffff9ba4cb11b7e0 RCX: ffffa923cf6e9000 RDX: 0000000000000fff RSI: 0000000000000627 RDI: 0000000000001000 RBP: ffff9bbcdf5c3e60 R8: 0000000000420003 R9: 000000000000020d R10: ffffa923cf6ec138 R11: ffff9bbcdf5c3e83 R12: ffff9ba4d6f928c0 R13: ffff9ba4cac28080 R14: ffff9ba4cb11b7f0 R15: ffff9ba4d5a30000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018