CVE-2023-53105
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix cleanup null-ptr deref on encap lock
During module is unloaded while a peer tc flow is still offloaded, first the peer uplink rep profile is changed to a nic profile, and so neigh encap lock is destroyed. Next during unload, the VF reps netdevs are unregistered which causes the original non-peer tc flow to be deleted, which deletes the peer flow. The peer flow deletion detaches the encap entry and try to take the already destroyed encap lock, causing the below trace.
Fix this by clearing peer flows during tc eswitch cleanup (mlx5e_tc_esw_cleanup()).
Relevant trace: [ 4316.837128] BUG: kernel NULL pointer dereference, address: 00000000000001d8 [ 4316.842239] RIP: 0010:__mutex_lock+0xb5/0xc40 [ 4316.851897] Call Trace: [ 4316.852481] <TASK> [ 4316.857214] mlx5e_rep_neigh_entry_release+0x93/0x790 [mlx5_core] [ 4316.858258] mlx5e_rep_encap_entry_detach+0xa7/0xf0 [mlx5_core] [ 4316.859134] mlx5e_encap_dealloc+0xa3/0xf0 [mlx5_core] [ 4316.859867] clean_encap_dests.part.0+0x5c/0xe0 [mlx5_core] [ 4316.860605] mlx5e_tc_del_fdb_flow+0x32a/0x810 [mlx5_core] [ 4316.862609] __mlx5e_tc_del_fdb_peer_flow+0x1a2/0x250 [mlx5_core] [ 4316.863394] mlx5e_tc_del_flow+0x(/0x630 [mlx5_core] [ 4316.864090] mlx5e_flow_put+0x5f/0x100 [mlx5_core] [ 4316.864771] mlx5e_delete_flower+0x4de/0xa40 [mlx5_core] [ 4316.865486] tc_setup_cb_reoffload+0x20/0x80 [ 4316.865905] fl_reoffload+0x47c/0x510 [cls_flower] [ 4316.869181] tcf_block_playback_offloads+0x91/0x1d0 [ 4316.869649] tcf_block_unbind+0xe7/0x1b0 [ 4316.870049] tcf_block_offload_cmd.isra.0+0x1ee/0x270 [ 4316.879266] tcf_block_offload_unbind+0x61/0xa0 [ 4316.879711] __tcf_block_put+0xa4/0x310
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 04de7dda7394fa9c2b0fc9cec65661d9b4f0d04d < b7350f8dbe0c2a1d4d3ad7c35b610abd3cb91750 | affected |
| Linux | Linux | 04de7dda7394fa9c2b0fc9cec65661d9b4f0d04d < 01fdaea410787fe372daeaeda93a29ed0606d334 | affected |
| Linux | Linux | 04de7dda7394fa9c2b0fc9cec65661d9b4f0d04d < c9668f0b1d28570327dbba189f2c61f6f9e43ae7 | affected |
| Linux | Linux | 5.0 | affected |
| Linux | Linux | 0 < 5.0 | unaffected |
| Linux | Linux | 6.1.21 <= 6.1.* | unaffected |
| Linux | Linux | 6.2.8 <= 6.2.* | unaffected |
| Linux | Linux | 6.3 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/b7350f8dbe0c2a1d4d3ad7c35b610abd3cb91750
- https://git.kernel.org/stable/c/01fdaea410787fe372daeaeda93a29ed0606d334
- https://git.kernel.org/stable/c/c9668f0b1d28570327dbba189f2c61f6f9e43ae7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.