CVE-2024-35960

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 20/05/2024
Last modified: 12/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Properly link new fs rules into the tree

Previously, add_rule_fg would only add newly created rules from the handle into the tree when they had a refcount of 1. On the other hand, create_flow_handle tries hard to find and reference already existing identical rules instead of creating new ones.

These two behaviors can result in a situation where create_flow_handle
1) creates a new rule and references it, then
2) in a subsequent step during the same handle creation references it again,
resulting in a rule with a refcount of 2 that is not linked into the tree, will have a NULL parent and root and will result in a crash when the flow group is deleted because del_sw_hw_rule, invoked on rule deletion, assumes node->parent is != NULL.

This happened in the wild, due to another bug related to incorrect handling of duplicate pkt_reformat ids, which led to the code in create_flow_handle incorrectly referencing a just-added rule in the same flow handle, resulting in the problem described above. Full details are at [1].

This patch changes add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes it more consistent with how rules are added to an FTE in create_flow_handle.
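The linking condition described above, as an added example that is not code from the kernel or from the patch: a minimal user-space C model comparing "link only when refcount is 1" with "link when the rule has no parent". All struct and function names are hypothetical, and the deletion step reports a NULL parent instead of dereferencing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; names are hypothetical, not the mlx5 driver's own. */
struct node {
    struct node *parent;   /* NULL until the node is linked into the tree */
    int refcount;
};

/* Handle creation takes one reference per use of a rule. */
static void rule_ref(struct node *rule) { rule->refcount++; }

/* Pre-fix policy: a rule counts as "new" only if its refcount is exactly 1. */
static void link_rules_old(struct node *fte, struct node **rules, int n) {
    for (int i = 0; i < n; i++)
        if (rules[i]->refcount == 1)
            rules[i]->parent = fte;
}

/* Post-fix policy: a rule is linked whenever it has no parent yet. */
static void link_rules_fixed(struct node *fte, struct node **rules, int n) {
    for (int i = 0; i < n; i++)
        if (rules[i]->parent == NULL)
            rules[i]->parent = fte;
}

/* The deletion path assumes parent != NULL; the model only reports the state. */
static bool delete_would_crash(const struct node *rule) {
    return rule->parent == NULL;
}

/* One handle references the same freshly created rule twice, then is linked. */
static bool scenario(bool fixed) {
    struct node fte = { NULL, 1 };
    struct node rule = { NULL, 0 };
    struct node *handle[2];
    rule_ref(&rule); handle[0] = &rule;   /* 1) new rule created and referenced */
    rule_ref(&rule); handle[1] = &rule;   /* 2) same rule referenced again */
    if (fixed) link_rules_fixed(&fte, handle, 2);
    else       link_rules_old(&fte, handle, 2);
    return delete_would_crash(&rule);
}

int main(void) {
    printf("refcount==1 policy: NULL parent at delete = %d\n", scenario(false));
    printf("no-parent policy:   NULL parent at delete = %d\n", scenario(true));
    return 0;
}
```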

Vulnerable products and versions

CPE                                                From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.10 (including)    4.19.313 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.20 (including)    5.4.275 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5 (including)     5.10.216 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)    5.15.156 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)    6.1.87 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)     6.6.28 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)     6.8.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*