In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix panic with larger ipoib sendqueuesize
When the ipoib sendqueuesize is increased from the default the following panic happens:
RIP: 0010:hfi1ipoibdraintxring+0x45/0xf0 [hfi1] Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 <c7> 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0 Call Trace: <TASK> hfi1ipoibnapitxdisable+0x45/0x60 [hfi1] hfi1ipoibdevstop+0x18/0x80 [hfi1] ipoibibdevstop+0x1d/0x40 [ibipoib] ipoibstop+0x48/0xc0 [ibipoib] _devclosemany+0x9e/0x110 _devchangeflags+0xd9/0x210 devchangeflags+0x21/0x60 dosetlink+0x31c/0x10f0 ? _nlavalidateparse+0x12d/0x1a0 ? _nlaparse+0x21/0x30 ? inet6validatelinkaf+0x5e/0xf0 ? cpumasknext+0x1f/0x20 ? _snmp6fillstats64.isra.53+0xbb/0x140 ? _nlavalidateparse+0x47/0x1a0 _rtnlnewlink+0x530/0x910 ? pskbexpandhead+0x73/0x300 ? _kmallocnodetrackcaller+0x109/0x280 ? _nlaput+0xc/0x20 ? cpumasknextand+0x20/0x30 ? updatesdlbstats.constprop.144+0xd3/0x820 ? rawspinunlockirqrestore+0x25/0x37 ? _wakeupcommonlock+0x87/0xc0 ? kmemcachealloctrace+0x3d/0x3d0 rtnlnewlink+0x43/0x60
The issue happens when the shift that should have been a function of the txq item size mistakenly used the ring size.
Fix by using the item size.