CVE-2023-53105
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 02/05/2025
Last modified: 10/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix cleanup null-ptr deref on encap lock

When the module is unloaded while a peer tc flow is still offloaded,
first the peer uplink rep profile is changed to a nic profile, and so
the neigh encap lock is destroyed. Next during unload, the VF reps netdevs
are unregistered, which causes the original non-peer tc flow to be deleted,
which deletes the peer flow. The peer flow deletion detaches the encap
entry and tries to take the already destroyed encap lock, causing the
below trace.

Fix this by clearing peer flows during tc eswitch cleanup
(mlx5e_tc_esw_cleanup()).

Relevant trace:
[ 4316.837128] BUG: kernel NULL pointer dereference, address: 00000000000001d8
[ 4316.842239] RIP: 0010:__mutex_lock+0xb5/0xc40
[ 4316.851897] Call Trace:
[ 4316.852481]
[ 4316.857214] mlx5e_rep_neigh_entry_release+0x93/0x790 [mlx5_core]
[ 4316.858258] mlx5e_rep_encap_entry_detach+0xa7/0xf0 [mlx5_core]
[ 4316.859134] mlx5e_encap_dealloc+0xa3/0xf0 [mlx5_core]
[ 4316.859867] clean_encap_dests.part.0+0x5c/0xe0 [mlx5_core]
[ 4316.860605] mlx5e_tc_del_fdb_flow+0x32a/0x810 [mlx5_core]
[ 4316.862609] __mlx5e_tc_del_fdb_peer_flow+0x1a2/0x250 [mlx5_core]
[ 4316.863394] mlx5e_tc_del_flow+0x(/0x630 [mlx5_core]
[ 4316.864090] mlx5e_flow_put+0x5f/0x100 [mlx5_core]
[ 4316.864771] mlx5e_delete_flower+0x4de/0xa40 [mlx5_core]
[ 4316.865486] tc_setup_cb_reoffload+0x20/0x80
[ 4316.865905] fl_reoffload+0x47c/0x510 [cls_flower]
[ 4316.869181] tcf_block_playback_offloads+0x91/0x1d0
[ 4316.869649] tcf_block_unbind+0xe7/0x1b0
[ 4316.870049] tcf_block_offload_cmd.isra.0+0x1ee/0x270
[ 4316.879266] tcf_block_offload_unbind+0x61/0xa0
[ 4316.879711] __tcf_block_put+0xa4/0x310
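
For triage of collected kernel logs, the trace above can be turned into a signature check. The following is an added example, not part of the advisory or the kernel fix: the choice of signature frames, the function name `find_encap_lock_oops` and the sample log are assumptions made here, and a match indicates the same code path rather than proving this CVE.

```python
import re

# Frames from the advisory's trace, in call order (innermost first), that
# identify the peer-flow cleanup path reaching the destroyed encap lock.
SIGNATURE = ("mlx5e_rep_neigh_entry_release",
             "mlx5e_rep_encap_entry_detach",
             "__mlx5e_tc_del_fdb_peer_flow")
OOPS = "BUG: kernel NULL pointer dereference"
SYM_RE = re.compile(r"\b([\w.]+)\+0x\S*/0x[0-9a-f]+")

def find_encap_lock_oops(log_text):
    """Return one dict per NULL-deref oops: RIP symbol, frames, match flag."""
    reports, cur = [], None
    for line in log_text.splitlines():
        if OOPS in line:
            cur = {"rip": None, "frames": []}
            reports.append(cur)
            continue
        m = SYM_RE.search(line) if cur is not None else None
        if not m:
            continue
        if "RIP:" in line:
            cur["rip"] = cur["rip"] or m.group(1)
        else:
            cur["frames"].append(m.group(1))
    for r in reports:
        frames = iter(r["frames"])  # consumed left to right: ordered match
        r["match"] = (r["rip"] == "__mutex_lock"
                      and all(sym in frames for sym in SIGNATURE))
    return reports

# Constructed sample: the advisory's trace (abridged) followed by an
# unrelated, made-up NULL dereference that must not match.
SAMPLE_LOG = """\
[ 4316.837128] BUG: kernel NULL pointer dereference, address: 00000000000001d8
[ 4316.842239] RIP: 0010:__mutex_lock+0xb5/0xc40
[ 4316.851897] Call Trace:
[ 4316.857214] mlx5e_rep_neigh_entry_release+0x93/0x790 [mlx5_core]
[ 4316.858258] mlx5e_rep_encap_entry_detach+0xa7/0xf0 [mlx5_core]
[ 4316.859134] mlx5e_encap_dealloc+0xa3/0xf0 [mlx5_core]
[ 4316.862609] __mlx5e_tc_del_fdb_peer_flow+0x1a2/0x250 [mlx5_core]
[ 4316.863394] mlx5e_tc_del_flow+0x(/0x630 [mlx5_core]
[ 5000.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 5000.000002] RIP: 0010:example_driver_poll+0x1c/0x90
"""

if __name__ == "__main__":
    for report in find_encap_lock_oops(SAMPLE_LOG):
        print(report["rip"], "match" if report["match"] else "no match")
```
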
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.0 (including) | 6.1.21 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.2.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:* | | |



