CVE-2023-52782

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Track xmit submission to PTP WQ after populating metadata map<br /> <br /> Ensure the skb is available in metadata mapping to skbs before tracking the<br /> metadata index for detecting undelivered CQEs. If the metadata index is put<br /> in the tracking list before putting the skb in the map, the metadata index<br /> might be used for detecting undelivered CQEs before the relevant skb is<br /> available in the map, which can lead to a null-ptr-deref.<br /> <br /> Log:<br /> general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN<br /> KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]<br /> CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ #108<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> Workqueue: events mlx5e_rx_dim_work [mlx5_core]<br /> RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]<br /> Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07<br /> RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206<br /> RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005<br /> RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028<br /> RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383<br /> R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40<br /> R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? die_addr+0x3c/0xa0<br /> ? exc_general_protection+0x144/0x210<br /> ? asm_exc_general_protection+0x22/0x30<br /> ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]<br /> ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core]<br /> __napi_poll.constprop.0+0xa4/0x580<br /> net_rx_action+0x460/0xb80<br /> ? _raw_spin_unlock_irqrestore+0x32/0x60<br /> ? __napi_poll.constprop.0+0x580/0x580<br /> ? tasklet_action_common.isra.0+0x2ef/0x760<br /> __do_softirq+0x26c/0x827<br /> irq_exit_rcu+0xc2/0x100<br /> common_interrupt+0x7f/0xa0<br /> <br /> <br /> asm_common_interrupt+0x22/0x40<br /> RIP: 0010:__kmem_cache_alloc_node+0xb/0x330<br /> Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83<br /> RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246<br /> RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218<br /> RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0<br /> RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9<br /> R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0<br /> R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450<br /> ? cmd_exec+0x796/0x2200 [mlx5_core]<br /> kmalloc_trace+0x26/0xc0<br /> cmd_exec+0x796/0x2200 [mlx5_core]<br /> mlx5_cmd_do+0x22/0xc0 [mlx5_core]<br /> mlx5_cmd_exec+0x17/0x30 [mlx5_core]<br /> mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core]<br /> ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core]<br /> ? lockdep_set_lock_cmp_fn+0x190/0x190<br /> ? process_one_work+0x659/0x1220<br /> mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core]<br /> process_one_work+0x730/0x1220<br /> ? lockdep_hardirqs_on_prepare+0x400/0x400<br /> ? max_active_store+0xf0/0xf0<br /> ? assign_work+0x168/0x240<br /> worker_thread+0x70f/0x12d0<br /> ? __kthread_parkme+0xd1/0x1d0<br /> ? process_one_work+0x1220/0x1220<br /> kthread+0x2d9/0x3b0<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x2d/0x70<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork_as<br /> ---truncated---