CVE-2024-46766

In the Linux kernel, the following vulnerability has been resolved:

ice: move netifqueueset_napi to rtnl-protected sections

Currently, netifqueuesetnapi() is called from icevsirebuild() that is not rtnl-locked when called from the reset. This creates the need to take the rtnllock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point.

Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked.

Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below.

[ +0.000004] BUG: KASAN: slab-out-of-bounds in netifqueuesetnapi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] <TASK> [ +0.000002] dumpstacklvl+0x60/0x80 [ +0.000007] printreport+0xce/0x630 [ +0.000007] ? pfxrawspinlockirqsave+0x10/0x10 [ +0.000007] ? virtaddrvalid+0x1c9/0x2c0 [ +0.000005] ? netifqueuesetnapi+0x1c2/0x1e0 [ +0.000003] kasanreport+0xe9/0x120 [ +0.000004] ? netifqueuesetnapi+0x1c2/0x1e0 [ +0.000004] netifqueuesetnapi+0x1c2/0x1e0 [ +0.000005] icevsiclose+0x161/0x670 [ice] [ +0.000114] icedisvsi+0x22f/0x270 [ice] [ +0.000095] icepfdisallvsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] iceprepareforreset+0x299/0x750 [ice] [ +0.000087] pcidevsaveanddisable+0x82/0xd0 [ +0.000006] pciresetfunction+0x12d/0x230 [ +0.000004] resetstore+0xa0/0x100 [ +0.000006] ? _pfxresetstore+0x10/0x10 [ +0.000002] ? _pfxmutexlock+0x10/0x10 [ +0.000004] ? _checkobjectsize+0x4c1/0x640 [ +0.000007] kernfsfopwriteiter+0x30b/0x4a0 [ +0.000006] vfswrite+0x5d6/0xdf0 [ +0.000005] ? fdinstall+0x180/0x350 [ +0.000005] ? _pfxvfswrite+0x10/0xA10 [ +0.000004] ? dofcntl+0x52c/0xcd0 [ +0.000004] ? kasansavetrack+0x13/0x60 [ +0.000003] ? kasansavefreeinfo+0x37/0x60 [ +0.000006] ksyswrite+0xfa/0x1d0 [ +0.000003] ? _pfxksyswrite+0x10/0x10 [ +0.000002] ? _x64sysfcntl+0x121/0x180 [ +0.000004] ? _rawspinlock+0x87/0xe0 [ +0.000005] dosyscall64+0x80/0x170 [ +0.000007] ? _rawspinlock+0x87/0xe0 [ +0.000004] ? _pfxrawspinlock+0x10/0x10 [ +0.000003] ? fileclosefdlocked+0x167/0x230 [ +0.000005] ? syscallexittousermode+0x7d/0x220 [ +0.000005] ? dosyscall64+0x8c/0x170 [ +0.000004] ? dosyscall64+0x8c/0x170 [ +0.000003] ? dosyscall64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filpclose+0x19/0x30 [ +0.000004] ? dodup2+0x25a/0x4c0 [ +0.000004] ? _x64sysdup2+0x6e/0x2e0 [ +0.000002] ? syscallexittousermode+0x7d/0x220 [ +0.000004] ? dosyscall64+0x8c/0x170 [ +0.000003] ? _countmemcgevents+0x113/0x380 [ +0.000005] ? handlemmfault+0x136/0x820 [ +0.000005] ? douseraddrfault+0x444/0xa80 [ +0.000004] ? clearbhbloop+0x25/0x80 [ +0.000004] ? clearbhbloop+0x25/0x80 [ +0.000002] entrySYSCALL64afterhwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154