In the Linux kernel, the following vulnerability has been resolved:
net: macb: Shuffle the tx ring before enabling tx
Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board, the rootfs may take an extended time to recover after a suspend. Upon investigation, it was determined that the issue originates from a problem in the macb driver.
According to the Zynq UltraScale TRM [1], when transmit is disabled, the transmit buffer queue pointer resets to point to the address specified by the transmit buffer queue base address register.
In the current implementation, the code merely resets queue->tx_head
and queue->tx_tail to '0'. This approach presents several issues:
- Packets already queued in the tx ring are silently lost,
- Concurrent write access to
queue->tx_headandqueue->tx_tailmay
macb_tx_poll() or macb_start_xmit() when these values
are reset to '0'.
- The transmission may become stuck on a packet that has already been sent
macb_tx_poll() incorrectly assumes there are no packets to handle
because queue->tx_head == queue->tx_tail. This issue is only resolved
when a new packet is placed at this position. This is the root cause of
the prolonged recovery time observed for the NFS root filesystem.To resolve this issue, shuffle the tx ring and tx skb array so that
the first unsent packet is positioned at the start of the tx ring.
Additionally, ensure that updates to queue->tx_head and
queue->tx_tail are properly protected with the appropriate lock.
[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm