CVE-2022-49338
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 26/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: CT: Fix cleanup of CT before cleanup of TC ct rules

CT cleanup assumes that all tc rules were deleted first, and so
is free to delete the CT shared resources (e.g. the dr_action
fwd_action which is shared for all tuples). But currently for
uplink, this happens in reverse, causing the below trace.

CT cleanup is called from:
mlx5e_cleanup_rep_tx()->mlx5e_cleanup_uplink_rep_tx()->
mlx5e_rep_tc_cleanup()->mlx5e_tc_esw_cleanup()->
mlx5_tc_ct_clean()

Only afterwards, tc cleanup is called from:
mlx5e_cleanup_rep_tx()->mlx5e_tc_ht_cleanup()
which would have deleted all the tc ct rules, and so delete
all the offloaded tuples.

Fix this by reversing the order of init and on cleanup, which
will result in tc cleanup then ct cleanup.

[ 9443.593347] WARNING: CPU: 2 PID: 206774 at drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c:1882 mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9443.593349] Modules linked in: act_ct nf_flow_table rdma_ucm(O) rdma_cm(O) iw_cm(O) ib_ipoib(O) ib_cm(O) ib_umad(O) mlx5_core(O-) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) psample ib_core(O) mlx_compat(O) ip_gre gre ip_tunnel act_vlan bonding geneve esp6_offload esp6 esp4_offload esp4 act_tunnel_key vxlan ip6_udp_tunnel udp_tunnel act_mirred act_skbedit act_gact cls_flower sch_ingress nfnetlink_cttimeout nfnetlink xfrm_user xfrm_algo 8021q garp stp ipmi_devintf mrp ipmi_msghandler llc openvswitch nsh nf_conncount nf_nat mst_pciconf(O) dm_multipath sbsa_gwdt uio_pdrv_genirq uio mlxbf_pmc mlxbf_pka mlx_trio mlx_bootctl(O) bluefield_edac sch_fq_codel ip_tables ipv6 crc_ccitt btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq raid1 raid0 crct10dif_ce i2c_mlxbf gpio_mlxbf2 mlxbf_gige aes_neon_bs aes_neon_blk [last unloaded: mlx5_ib]
[ 9443.593419] CPU: 2 PID: 206774 Comm: modprobe Tainted: G O 5.4.0-1023.24.gc14613d-bluefield #1
[ 9443.593422] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:143ebaf Jan 11 2022
[ 9443.593424] pstate: 20000005 (nzCv daif -PAN -UAO)
[ 9443.593489] pc : mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9443.593545] lr : mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]
[ 9443.593577] Call trace:
[ 9443.593634] mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9443.593688] mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]
[ 9443.593743] mlx5_tc_ct_clean+0x34/0xa8 [mlx5_core]
[ 9443.593797] mlx5e_tc_esw_cleanup+0x58/0x88 [mlx5_core]
[ 9443.593851] mlx5e_rep_tc_cleanup+0x24/0x30 [mlx5_core]
[ 9443.593905] mlx5e_cleanup_rep_tx+0x6c/0x78 [mlx5_core]
[ 9443.593959] mlx5e_detach_netdev+0x74/0x98 [mlx5_core]
[ 9443.594013] mlx5e_netdev_change_profile+0x70/0x180 [mlx5_core]
[ 9443.594067] mlx5e_netdev_attach_nic_profile+0x34/0x40 [mlx5_core]
[ 9443.594122] mlx5e_vport_rep_unload+0x15c/0x1a8 [mlx5_core]
[ 9443.594177] mlx5_eswitch_unregister_vport_reps+0x228/0x298 [mlx5_core]
[ 9443.594231] mlx5e_rep_remove+0x2c/0x38
---truncated---
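
A triage check for the warning in the trace above, added here as an example and not part of the advisory or the kernel patch: it scans a kernel log for WARNING blocks whose call trace runs through the CT cleanup path the description names. It assumes dmesg-style `[ seconds]` line prefixes; the function names `find_ct_cleanup_warnings` and `in_order` and the second sample block are constructed for illustration.

```python
import re

# Frames from the advisory's call trace, innermost first. Requiring them in this
# order ties a warning to CT cleanup run from the uplink rep teardown path.
SIGNATURE = ("mlx5dr_action_destroy mlx5_ct_fs_smfs_destroy mlx5_tc_ct_clean "
             "mlx5e_tc_esw_cleanup mlx5e_rep_tc_cleanup mlx5e_cleanup_rep_tx").split()
LINE = re.compile(r"^[ \t]*\[[ \t]*(\d+\.\d+)\][ \t]*(.*)$", re.M)
WARN = re.compile(r"^WARNING: .* at (\S+):\d+ [\w.]+\+")
FRAME = re.compile(r"^([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def in_order(needle, haystack):  # is needle a subsequence of haystack?
    it = iter(haystack)
    return all(any(frame == want for frame in it) for want in needle)

def find_ct_cleanup_warnings(log_text):
    """Return WARNING blocks whose call trace contains SIGNATURE in order."""
    blocks, cur, in_trace = [], None, False
    for m in LINE.finditer(log_text):
        body, w = m.group(2), WARN.match(m.group(2))
        if w:  # each WARNING line starts a new block
            cur = {"time": float(m.group(1)), "file": w.group(1), "frames": []}
            blocks.append(cur)
            in_trace = False
        elif cur is not None and body.startswith("Call trace:"):
            in_trace = True
        elif cur is not None and in_trace:
            f = FRAME.match(body)
            if f:
                cur["frames"].append(f.group(1))
            else:  # first non-frame line ends this trace
                cur = None
    return [b for b in blocks if in_order(SIGNATURE, b["frames"])]

# Constructed sample: block 1 reuses lines from the trace above; block 2 is made up.
SAMPLE = """\
[ 9443.593347] WARNING: CPU: 2 PID: 206774 at drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c:1882 mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9443.593577] Call trace:
[ 9443.593634] mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9443.593688] mlx5_ct_fs_smfs_destroy+0x24/0x30 [mlx5_core]
[ 9443.593743] mlx5_tc_ct_clean+0x34/0xa8 [mlx5_core]
[ 9443.593797] mlx5e_tc_esw_cleanup+0x58/0x88 [mlx5_core]
[ 9443.593851] mlx5e_rep_tc_cleanup+0x24/0x30 [mlx5_core]
[ 9443.593905] mlx5e_cleanup_rep_tx+0x6c/0x78 [mlx5_core]
[ 9999.000001] WARNING: CPU: 0 PID: 1 at drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c:1882 mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9999.000002] Call trace:
[ 9999.000003] mlx5dr_action_destroy+0x188/0x1a0 [mlx5_core]
[ 9999.000004] placeholder_other_caller+0x10/0x20 [mlx5_core]
"""
```

Matching on the ordered frame chain rather than on the WARNING line alone keeps other callers of `mlx5dr_action_destroy` from being counted as this issue.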