DEBIAN-CVE-2022-50483

In the Linux kernel, the following vulnerability has been resolved: net: enetc: avoid buffer leaks on xdpdoredirect() failure Before enetccleanrxringxdp() calls xdpdoredirect(), each software BD in the RX ring between index origi and i can have one of 2 refcount values on its page. We are the owner of the current buffer that is being processed, so the refcount will be at least 1. If the current owner of the buffer at the diametrically opposed index in the RX ring (i.o.w, the other half of this page) has not yet called kfree(), this page's refcount could even be 2. enetcpagereusable() in enetcfliprxbuff() tests for the page refcount against 1, and [ if it's 2 ] does not attempt to reuse it. But if enetcfliprxbuff() is put after the xdpdoredirect() call, the page refcount can have one of 3 values. It can also be 0, if there is no owner of the other page half, and xdpdoredirect() for this buffer ran so far that it triggered a flush of the devmap/cpumap bulk queue, and the consumers of those bulk queues also freed the buffer, all by the time xdpdoredirect() returns the execution back to enetc. This is the reason why enetcfliprxbuff() is called before xdpdoredirect(), but there is a big flaw with that reasoning: enetcfliprxbuff() will set rxswbd->page = NULL on both sides of the enetcpagereusable() branch, and if xdpdoredirect() returns an error, we call enetcxdpfree(), which does not deal gracefully with that. In fact, what happens is quite special. The page refcounts start as 1. enetcfliprxbuff() figures they're reusable, transfers these rxswbd->page pointers to a different rxswbd in enetcreusepage(), and bumps the refcount to 2. When xdpdoredirect() later returns an error, we call the no-op enetcxdpfree(), but we still haven't lost the reference to that page. A copy of it is still at rxring->nexttoalloc, but that has refcount 2 (and there are no concurrent owners of it in flight, to drop the refcount). What really kills the system is when we'll flip the rxswbd->page the second time around. With an updated refcount of 2, the page will not be reusable and we'll really leak it. Then enetcnewpage() will have to allocate more pages, which will then eventually leak again on further errors from xdpdoredirect(). The problem, summarized, is that we zeroize rxswbd->page before we're completely done with it, and this makes it impossible for the error path to do something with it. Since the packet is potentially multi-buffer and therefore the rxswbd->page is potentially an array, manual passing of the old pointers between enetcfliprxbuff() and enetcxdpfree() is a bit difficult. For the sake of going with a simple solution, we accept the possibility of racing with xdpdoredirect(), and we move the flip procedure to execute only on the redirect success path. By racing, I mean that the page may be deemed as not reusable by enetc (having a refcount of 0), but there will be no leak in that case, either. Once we accept that, we have something better to do with buffers on XDPREDIRECT failure. Since we haven't performed half-page flipping yet, we won't, either (and this way, we can avoid enetcxdpfree() completely, which gives the entire page to the slab allocator). Instead, we'll call enetcxdp_drop(), which will recycle this half of the buffer back to the RX ring.