CVE-2023-53509

In the Linux kernel, the following vulnerability has been resolved:

qed: allow sleep in qedmcptrace_dump()

By default, qedmcpcmdandunion() delays 10us at a time in a loop that can run 500K times, so calls to qedmcpnvmrdcmd() may block the current thread for over 5s. We observed thread scheduling delays over 700ms in production, with stacktraces pointing to this code as the culprit.

qedmcptracedump() is called from ethtool, so sleeping is permitted. It already can sleep in qedmcphalt(), which calls qedmcpcmd(). Add a "can sleep" parameter to qedfindnvramimage() and qednvramread() so they can sleep during qedmcptracedump(). qedmcptracegetmetainfo() and qedmcptracereadmeta(), called only by qedmcptracedump(), allow these functions to sleep. I can't tell if the other caller (qedgrcdumpmcphwdump()) can sleep, so keep bcansleep set to false when it calls these functions.

An example stacktrace from a custom warning we added to the kernel showing a thread that has not scheduled despite long needing resched: [ 2745.362925,17] ------------[ cut here ]------------ [ 2745.362941,17] WARNING: CPU: 23 PID: 5640 at arch/x86/kernel/irq.c:233 doIRQ+0x15e/0x1a0() [ 2745.362946,17] Thread not rescheduled for 744 ms after irq 99 [ 2745.362956,17] Modules linked in: ... [ 2745.363339,17] CPU: 23 PID: 5640 Comm: lldpd Tainted: P O 4.4.182+ #202104120910+6d1da174272d.61x [ 2745.363343,17] Hardware name: FOXCONN MercuryB/Quicksilver Controller, BIOS H11P1N09 07/08/2020 [ 2745.363346,17] 0000000000000000 ffff885ec07c3ed8 ffffffff8131eb2f ffff885ec07c3f20 [ 2745.363358,17] ffffffff81d14f64 ffff885ec07c3f10 ffffffff81072ac2 ffff88be98ed0000 [ 2745.363369,17] 0000000000000063 0000000000000174 0000000000000074 0000000000000000 [ 2745.363379,17] Call Trace: [ 2745.363382,17] <IRQ> [<ffffffff8131eb2f>] dumpstack+0x8e/0xcf [ 2745.363393,17] [<ffffffff81072ac2>] warnslowpathcommon+0x82/0xc0 [ 2745.363398,17] [<ffffffff81072b4c>] warnslowpathfmt+0x4c/0x50 [ 2745.363404,17] [<ffffffff810d5a8e>] ? rcuirqexit+0xae/0xc0 [ 2745.363408,17] [<ffffffff817c99fe>] doIRQ+0x15e/0x1a0 [ 2745.363413,17] [<ffffffff817c7ac9>] commoninterrupt+0x89/0x89 [ 2745.363416,17] <EOI> [<ffffffff8132aa74>] ? delay_tsc+0x24/0x50 [ 2745.363425,17] [<ffffffff8132aa04>] __udelay+0x34/0x40 [ 2745.363457,17] [<ffffffffa04d45ff>] qedmcpcmdandunion+0x36f/0x7d0 [qed] [ 2745.363473,17] [<ffffffffa04d5ced>] qedmcpnvmrdcmd+0x4d/0x90 [qed] [ 2745.363490,17] [<ffffffffa04e1dc7>] qedmcptracedump+0x4a7/0x630 [qed] [ 2745.363504,17] [<ffffffffa04e2556>] ? qedfwassertsdump+0x1d6/0x1f0 [qed] [ 2745.363520,17] [<ffffffffa04e4ea7>] qeddbgmcptracegetdumpbufsize+0x37/0x80 [qed] [ 2745.363536,17] [<ffffffffa04ea881>] qeddbgfeaturesize+0x61/0xa0 [qed] [ 2745.363551,17] [<ffffffffa04eb427>] qeddbgalldatasize+0x247/0x260 [qed] [ 2745.363560,17] [<ffffffffa0482c10>] qedegetregslen+0x30/0x40 [qede] [ 2745.363566,17] [<ffffffff816c9783>] ethtoolgetdrvinfo+0xe3/0x190 [ 2745.363570,17] [<ffffffff816cc152>] devethtool+0x1362/0x2140 [ 2745.363575,17] [<ffffffff8109bcc6>] ? finishtaskswitch+0x76/0x260 [ 2745.363580,17] [<ffffffff817c2116>] ? __schedule+0x3c6/0x9d0 [ 2745.363585,17] [<ffffffff810dbd50>] ? hrtimerstartrangens+0x1d0/0x370 [ 2745.363589,17] [<ffffffff816c1e5b>] ? devgetbynamercu+0x6b/0x90 [ 2745.363594,17] [<ffffffff816de6a8>] devioctl+0xe8/0x710 [ 2745.363599,17] [<ffffffff816a58a8>] sockdoioctl+0x48/0x60 [ 2745.363603,17] [<ffffffff816a5d87>] sockioctl+0x1c7/0x280 [ 2745.363608,17] [<ffffffff8111f393>] ? seccompphase1+0x83/0x220 [ 2745.363612,17] [<ffffffff811e3503>] dovfsioctl+0x2b3/0x4e0 [ 2745.363616,17] [<ffffffff811e3771>] SySioctl+0x41/0x70 [ 2745.363619,17] [<ffffffff817c6ffe>] entrySYSCALL64fastpath+0x1e/0x79 [ 2745.363622,17] ---[ end trace f6954aa440266421 ]---