Linux Kernel Transmit Buffer Queue Pointer Reset Vulnerability on AMD ZynqMP Board

A vulnerability in the Linux kernel's macb driver affects systems using an NFS root filesystem on AMD ZynqMP boards. The issue arises because, when transmission is disabled, the transmit buffer queue pointer should reset to a specific address, but the current implementation only sets the queue head and tail to zero. This flaw causes several problems: packets in the transmit ring are lost, leading to memory leaks; concurrent writes to the queue head and tail can occur when they are reset to zero; and transmission can get stuck on packets that have been sent but not processed, causing delays in recovery after a suspend. To address this, the transmit ring and associated skb array should be shuffled to position the first unsent packet at the start of the ring, and updates to the queue head and tail must be properly locked.

Impact

The vulnerability can cause packets to be lost, memory leaks due to unreleased skbs, and delays in network recovery after a suspend, as observed with the NFS root filesystem on affected boards.

Reproduction

The vulnerability can be reproduced by using an NFS root filesystem on an AMD ZynqMP board and suspending the system. After resuming, the root filesystem will take an extended time to recover, indicating the issue with the macb driver's handling of the transmit buffer queue.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.