Description
In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of tx_buf skb If ice_tso() or ice_tx_csum() fail, the error path in ice_xmit_frame_ring() frees the skb, but the 'first' tx_buf still points to it and is marked as valid (ICE_TX_BUF_SKB). 'next_to_use' remains unchanged, so the potential problem will likely fix itself when the next packet is transmitted and the tx_buf gets overwritten. But if there is no next packet and the interface is brought down instead, ice_clean_tx_ring() -> ice_unmap_and_free_tx_buf() will find the tx_buf and free the skb for the second time. The fix is to reset the tx_buf type to ICE_TX_BUF_EMPTY in the error path, so that ice_unmap_and_free_tx_buf(). Move the initialization of 'first' up, to ensure it's already valid in case we hit the linearization error path. The bug was spotted by AI while I had it looking for something else. It also proposed an initial version of the patch. I reproduced the bug and tested the fix by adding code to inject failures, on a build with KASAN. I looked for similar bugs in related Intel drivers and did not find any.
CVSS breakdown
Affected products
- Linux / Linuxd76a60ba7afb89523c88cf2ed3a044ce4180289e – 4c08fc2119ef0281cfa2cee007acf0a251be55f2
- Linux / Linuxd76a60ba7afb89523c88cf2ed3a044ce4180289e – 1a303baa715e6b78d6a406aaf335f87ff35acfcd
- Linux / Linux4.17 – 4.17
- Linux / Linux0 – 4.17
- Linux / Linux7.0.10 – 7.0.*
- Linux / Linux7.1 – *