From: Lee Jones
To: linux-cve-announce@vger.kernel.org
Cc: Lee Jones
Subject: CVE-2023-52487: net/mlx5e: Fix peer flow lists handling
Date: Thu, 29 Feb 2024 15:52:47 +0000
Message-ID: <20240229155245.1571576-28-lee@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix peer flow lists handling

The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear
the DUP flag when the list of peer flows has become empty.
However, if any concurrent user holds a reference to a peer flow (for
example, the neighbor update workqueue task is updating the peer flow's
parent encap entry concurrently), then the flow will not be removed from
the peer list and, consecutively, the DUP flag will remain set. Since
mlx5e_tc_del_fdb_peers_flow() calls mlx5e_tc_del_fdb_peer_flow() for every
possible peer index, the algorithm will try to remove the flow from eswitch
instances that it has never peered with, causing either a NULL pointer
dereference when trying to remove the flow peer list head of a peer_index
that was never initialized, or a warning if the list debug config is
enabled[0].

Fix the issue by always removing the peer flow from the list even when not
releasing the last reference to it.

[0]:
[ 3102.985806] ------------[ cut here ]------------
[ 3102.986223] list_del corruption, ffff888139110698->next is NULL
[ 3102.986757] WARNING: CPU: 2 PID: 22109 at lib/list_debug.c:53 __list_del_entry_valid_or_report+0x4f/0xc0
[ 3102.987561] Modules linked in: act_ct nf_flow_table bonding act_tunnel_key act_mirred act_skbedit vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa openvswitch nsh xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core [last unloaded: bonding]
[ 3102.991113] CPU: 2 PID: 22109 Comm: revalidator28 Not tainted 6.6.0-rc6+ #3
[ 3102.991695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 3102.992605] RIP: 0010:__list_del_entry_valid_or_report+0x4f/0xc0
[ 3102.993122] Code: 39 c2 74 56 48 8b 32 48 39 fe 75 62 48 8b 51 08 48 39 f2 75 73 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 48 fd 0a 82 e8 41 0b ad ff <0f> 0b 31 c0 c3 48 89 fe 48 c7 c7 70 fd 0a 82 e8 2d 0b ad ff 0f 0b
[ 3102.994615] RSP: 0018:ffff8881383e7710 EFLAGS: 00010286
[ 3102.995078] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
[ 3102.995670] RDX: 0000000000000001 RSI: ffff88885f89b640 RDI: ffff88885f89b640
[ 3102.997188] DEL flow 00000000be367878 on port 0
[ 3102.998594] RBP: dead000000000122 R08: 0000000000000000 R09: c0000000ffffdfff
[ 3102.999604] R10: 0000000000000008 R11: ffff8881383e7598 R12: dead000000000100
[ 3103.000198] R13: 0000000000000002 R14: ffff888139110000 R15: ffff888101901240
[ 3103.000790] FS:  00007f424cde4700(0000) GS:ffff88885f880000(0000) knlGS:0000000000000000
[ 3103.001486] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3103.001986] CR2: 00007fd42e8dcb70 CR3: 000000011e68a003 CR4: 0000000000370ea0
[ 3103.002596] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3103.003190] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3103.003787] Call Trace:
[ 3103.004055]
[ 3103.004297]  ? __warn+0x7d/0x130
[ 3103.004623]  ? __list_del_entry_valid_or_report+0x4f/0xc0
[ 3103.005094]  ? report_bug+0xf1/0x1c0
[ 3103.005439]  ? console_unlock+0x4a/0xd0
[ 3103.005806]  ? handle_bug+0x3f/0x70
[ 3103.006149]  ? exc_invalid_op+0x13/0x60
[ 3103.006531]  ? asm_exc_invalid_op+0x16/0x20
[ 3103.007430]  ? __list_del_entry_valid_or_report+0x4f/0xc0
[ 3103.007910]  mlx5e_tc_del_fdb_peers_flow+0xcf/0x240 [mlx5_core]
[ 3103.008463]  mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]
[ 3103.008944]  mlx5e_flow_put+0x26/0x50 [mlx5_core]
[ 3103.009401]  mlx5e_delete_flower+0x25f/0x380 [mlx5_core]
[ 3103.009901]  tc_setup_cb_destroy+0xab/0x180
[ 3103.010292]  fl_hw_destroy_filter+0x99/0xc0 [cls_flower]
[ 3103.010779]  __fl_delete+0x2d4/0x2f0 [cls_flower]
[ 3103.011207]  fl_delete+0x36/0x80 [cls_flower]
[ 3103.011614]  tc_del_tfilter+0x56f/0x750
[ 3103.011982]  rtnetlink_rcv_msg+0xff/0x3a0
[ 3103.012362]  ? netlink_ack+0x1c7/0x4e0
[ 3103.012719]  ? rtnl_calcit.isra.44+0x130/0x130
[ 3103.013134]  netlink_rcv_skb+0x54/0x100
[ 3103.013533]  netlink_unicast+0x1ca/0x2b0
[ 3103.013902]  netlink_sendmsg+0x361/0x4d0
[ 3103.014269]  __sock_sendmsg+0x38/0x60
[ 3103.014643]  ____sys_sendmsg+0x1f2/0x200
[ 3103.015018]  ? copy_msghdr_from_user+0x72/0xa0
[ 3103.015265]  ___sys_sendmsg+0x87/0xd0
[ 3103.016608]  ? copy_msghdr_from_user+0x72/0xa0
[ 3103.017014]  ? ___sys_recvmsg+0x9b/0xd0
[ 3103.017381]  ? ttwu_do_activate.isra.137+0x58/0x180
[ 3103.017821]  ? wake_up_q+0x49/0x90
[ 3103.018157]  ? futex_wake+0x137/0x160
[ 3103.018521]  ? __sys_sendmsg+0x51/0x90
[ 3103.018882]  __sys_sendmsg+0x51/0x90
[ 3103.019230]  ? exit_to_user_mode_prepare+0x56/0x130
[ 3103.019670]  do_syscall_64+0x3c/0x80
[ 3103.020017]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 3103.020469] RIP: 0033:0x7f4254811ef4
[ 3103.020816] Code: 89 f3 48 83 ec 10 48 89 7c 24 08 48 89 14 24 e8 42 eb ff ff 48 8b 14 24 41 89 c0 48 89 de 48 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 30 44 89 c7 48 89 04 24 e8 78 eb ff ff 48 8b
[ 3103.022290] RSP: 002b:00007f424cdd9480 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
[ 3103.022970] RAX: ffffffffffffffda RBX: 00007f424cdd9510 RCX: 00007f4254811ef4
[ 3103.023564] RDX: 0000000000000000 RSI: 00007f424cdd9510 RDI: 0000000000000012
[ 3103.024158] RBP: 00007f424cdda238 R08: 0000000000000000 R09: 00007f41d801a4b0
[ 3103.024748] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 3103.025341] R13: 00007f424cdd9510 R14: 00007f424cdda240 R15: 00007f424cdd99a0
[ 3103.025931]
[ 3103.026182] ---[ end trace 0000000000000000 ]---
[ 3103.027033] ------------[ cut here ]------------

The Linux kernel CVE team has assigned CVE-2023-52487 to this issue.
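The failure sequence described above, reduced to a user-space model added here for illustration; it is not the mlx5 driver's code, and the list helpers, `struct flow`/`struct peer_flow`, `del_peer_flow()` and `del_peers_flow()` are assumed simplifications. It walks every peer index for a flow that is peered with one eswitch only while a concurrent user still holds a reference to its peer flow, once with the "unlink only on the last reference" ordering the advisory blames and once with the fixed "always unlink" ordering.

```c
/* Constructed user-space model of the bookkeeping the advisory describes; not mlx5 code. */
#include <stdbool.h>
#include <stddef.h>
#define MAX_PEERS 2
#define FLAG_DUP  1u
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
/* Like CONFIG_DEBUG_LIST: report a NULL link instead of dereferencing it. */
static bool list_del_checked(struct list_head *n)
{
	if (!n->next || !n->prev) return false;   /* "list_del corruption, ->next is NULL" */
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = NULL;                 /* poison the unlinked node */
	return true;
}
/* peer[i]: this flow's node on peer eswitch i's list; peer_flows: its mirrored peer flows. */
struct peer_flow { int dev_index, refcnt; struct list_head entry; };
struct flow { unsigned flags; struct list_head peer[MAX_PEERS], peer_flows; };
/* Tear down the mirror on one peer index; false means an uninitialised node was hit. */
static bool del_peer_flow(struct flow *f, int idx, bool fixed)
{
	if (!(f->flags & FLAG_DUP)) return true;
	if (!list_del_checked(&f->peer[idx])) return false;
	for (struct list_head *p = f->peer_flows.next, *n = NULL; p != &f->peer_flows; p = n) {
		struct peer_flow *pf = (struct peer_flow *)((char *)p - offsetof(struct peer_flow, entry));
		n = p->next;
		if (pf->dev_index != idx) continue;
		bool last = --pf->refcnt == 0;     /* the driver frees pf only on the last ref */
		if (fixed || last)                 /* buggy path: unlink only on the last ref */
			list_del_checked(&pf->entry);
	}
	if (f->peer_flows.next == &f->peer_flows)  /* DUP clears only once the list drains */
		f->flags &= ~FLAG_DUP;
	return true;
}

/* Walk every peer index, as mlx5e_tc_del_fdb_peers_flow() does, for a flow that is
 * peered with eswitch 0 only while another user (e.g. neigh update work) holds a ref. */
static bool del_peers_flow(bool fixed)
{
	struct list_head esw0_flows;
	struct flow f = { .flags = FLAG_DUP };            /* peer[1] stays zeroed: never peered */
	struct peer_flow pf = { .dev_index = 0, .refcnt = 2 };
	list_init(&esw0_flows);   list_add(&f.peer[0], &esw0_flows);
	list_init(&f.peer_flows); list_add(&pf.entry, &f.peer_flows);
	for (int i = 0; i < MAX_PEERS; i++)
		if (!del_peer_flow(&f, i, fixed)) return false;
	return true;
}
```

With the buggy ordering the first pass leaves DUP set, so the second pass hits the zeroed `peer[1]` node, which is the `->next is NULL` report in the trace above; with the fixed ordering the list drains on the first pass, DUP is cleared, and the second pass returns early.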
Affected and fixed versions
===========================

	Issue introduced in 6.5 with commit 9be6c21fdcf8 and fixed in 6.6.15 with commit 74cec142f89b
	Issue introduced in 6.5 with commit 9be6c21fdcf8 and fixed in 6.7.3 with commit e24d6f5a7f2d
	Issue introduced in 6.5 with commit 9be6c21fdcf8 and fixed in 6.8-rc2 with commit d76fdd31f953

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52487
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/en_tc.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/74cec142f89bf85c6c99c5db957da9f663f9f16f
	https://git.kernel.org/stable/c/e24d6f5a7f2d95a98a46257a5a5a5381d572894f
	https://git.kernel.org/stable/c/d76fdd31f953ac5046555171620f2562715e9b71