Linux Kernel net/mlx5e XDP Multi-Buf Fragment Counting Vulnerability

A vulnerability in the Linux kernel's mlx5 Ethernet driver can lead to improper fragment counting for XDP (eXpress Data Path) multi-buffer programs. When these programs adjust the XDP buffer layout, the driver fails to track dropped fragments, causing reference counting issues. This problem manifests as a negative reference count during page release, leading to warnings about fragmented page releases. The issue can be reproduced with a specific self-test that simulates the fragment release scenario.

Impact

Exploitation of this vulnerability causes page reference counting errors, with negative reference counts during page releases, which can lead to improper memory management and potential memory corruption issues.

Reproduction

The vulnerability can be reproduced using the 'test_xdp_native_adjst_tail_shrnk_data' self-test. This test should be run with a payload of 3600 bytes, shrinking the data by 256 bytes. The self-test will trigger the fragment counting issue by releasing the last fragment without proper tracking, resulting in a negative reference count during the page release process.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.