DEBIAN-CVE-2022-49093

Source
https://security-tracker.debian.org/tracker/CVE-2022-49093
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49093.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-49093
Upstream
Published
2025-02-26T07:00:46Z
Modified
2025-09-25T03:14:02.830911Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

skbuff: fix coalescing for page_pool fragment recycling

Fix a use-after-free when using page_pool with page fragments. We encountered this problem during normal RX in the hns3 driver:

(1) Initially we have three descriptors in the RX queue. The first one allocates PAGE1 through page_pool, and the other two allocate one half of PAGE2 each. Page references look like this:

        RXBD1 _______ PAGE1
        RXBD2 _______ PAGE2
        RXBD3 _________/

(2) Handle RX on the first descriptor. Allocate SKB1, eventually added to the receive queue by tcp_queue_rcv().

(3) Handle RX on the second descriptor. Allocate SKB2 and pass it to netif_receive_skb():

    netif_receive_skb(SKB2)
      ip_rcv(SKB2)
        SKB3 = skb_clone(SKB2)

    SKB2 and SKB3 share a reference to PAGE2 through skb_shinfo()->dataref. The other ref to PAGE2 is still held by RXBD3:

              SKB2 ---+- PAGE2
              SKB3 __/   /
        RXBD3 _________/

(3b) Now while handling TCP, coalesce SKB3 with SKB1:

    tcp_v4_rcv(SKB3)
      tcp_try_coalesce(to=SKB1, from=SKB3)    // succeeds
      kfree_skb_partial(SKB3)
        skb_release_data(SKB3)                // drops one dataref

              SKB1 _____ PAGE1
                   \____
              SKB2 _____ PAGE2
                         /
        RXBD3 _________/

    In skb_try_coalesce(), __skb_frag_ref() takes a page reference to PAGE2, where it should instead have increased the page_pool frag reference, pp_frag_count. Without coalescing, when releasing both SKB2 and SKB3, a single reference to PAGE2 would be dropped. Now when releasing SKB1 and SKB2, two references to PAGE2 will be dropped, resulting in underflow.

(3c) Drop SKB2:

    af_packet_rcv(SKB2)
      consume_skb(SKB2)
        skb_release_data(SKB2)                // drops second dataref
          page_pool_return_skb_page(PAGE2)    // drops one pp_frag_count

              SKB1 _____ PAGE1
                   \____
                         PAGE2
                         /
        RXBD3 _________/

(4) Userspace calls recvmsg(). Copies SKB1 and releases it. Since SKB3 was coalesced with SKB1, we release the SKB3 page as well:

    tcp_eat_recv_skb(SKB1)
      skb_release_data(SKB1)
        page_pool_return_skb_page(PAGE1)
        page_pool_return_skb_page(PAGE2)      // drops second pp_frag_count

(5) PAGE2 is freed, but the third RX descriptor was still using it!

In our case this causes IOMMU faults, but it would silently corrupt memory if the IOMMU was disabled.

Change the logic that checks whether pp_recycle SKBs can be coalesced. We still reject differing pp_recycle between 'from' and 'to' SKBs, but in order to avoid the situation described above, we also reject coalescing when both 'from' and 'to' are pp_recycled and 'from' is cloned.

The new logic allows coalescing a cloned pp_recycle SKB into a page refcounted one, because in this case the release (4) will drop the right reference, the one taken by skb_try_coalesce().

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}