CVE-2023-53347
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
17/09/2025
Last modified:
17/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Handle pairing of E-switch via uplink un/load APIs

In case a user switches a device from switchdev mode to legacy mode, mlx5
first unpairs the E-switch and afterwards unloads the uplink vport.
On the other hand, in case a user removes or reloads a device, mlx5
first unloads the uplink vport and afterwards unpairs the E-switch.

The latter is causing a bug [1]; hence, handle pairing of the E-switch as
part of the uplink un/load APIs.

[1]
In case VF_LAG is used, every tc fdb flow is duplicated to the peer
esw. However, the original esw keeps a pointer to this duplicated
flow, not the peer esw.
e.g.: if a user creates a tc fdb flow over esw0, the flow is duplicated
over esw1 in FW/HW, but in SW, esw0 keeps a pointer to the duplicated
flow.
During module unload while a peer tc fdb flow is still offloaded, in
case the first device to be removed is the peer device (esw1 in the
example above), the peer net-dev is destroyed, and so the mlx5e_priv
is memset to 0.
Afterwards, the peer device is trying to unpair itself from the
original device (esw0 in the example above). The unpair API invokes the
original device to clear the peer flow from its eswitch (esw0), but the
peer flow, which is stored over the original eswitch (esw0), is
trying to use the peer mlx5e_priv, which is memset to 0 and results in
the kernel oops below.

[ 157.964081 ] BUG: unable to handle page fault for address: 000000000002ce60
[ 157.964662 ] #PF: supervisor read access in kernel mode
[ 157.965123 ] #PF: error_code(0x0000) - not-present page
[ 157.965582 ] PGD 0 P4D 0
[ 157.965866 ] Oops: 0000 [#1] SMP
[ 157.967670 ] RIP: 0010:mlx5e_tc_del_fdb_flow+0x48/0x460 [mlx5_core]
[ 157.976164 ] Call Trace:
[ 157.976437 ]
[ 157.976690 ] __mlx5e_tc_del_fdb_peer_flow+0xe6/0x100 [mlx5_core]
[ 157.977230 ] mlx5e_tc_clean_fdb_peer_flows+0x67/0x90 [mlx5_core]
[ 157.977767 ] mlx5_esw_offloads_unpair+0x2d/0x1e0 [mlx5_core]
[ 157.984653 ] mlx5_esw_offloads_devcom_event+0xbf/0x130 [mlx5_core]
[ 157.985212 ] mlx5_devcom_send_event+0xa3/0xb0 [mlx5_core]
[ 157.985714 ] esw_offloads_disable+0x5a/0x110 [mlx5_core]
[ 157.986209 ] mlx5_eswitch_disable_locked+0x152/0x170 [mlx5_core]
[ 157.986757 ] mlx5_eswitch_disable+0x51/0x80 [mlx5_core]
[ 157.987248 ] mlx5_unload+0x2a/0xb0 [mlx5_core]
[ 157.987678 ] mlx5_uninit_one+0x5f/0xd0 [mlx5_core]
[ 157.988127 ] remove_one+0x64/0xe0 [mlx5_core]
[ 157.988549 ] pci_device_remove+0x31/0xa0
[ 157.988933 ] device_release_driver_internal+0x18f/0x1f0
[ 157.989402 ] driver_detach+0x3f/0x80
[ 157.989754 ] bus_remove_driver+0x70/0xf0
[ 157.990129 ] pci_unregister_driver+0x34/0x90
[ 157.990537 ] mlx5_cleanup+0xc/0x1c [mlx5_core]
[ 157.990972 ] __x64_sys_delete_module+0x15a/0x250
[ 157.991398 ] ? exit_to_user_mode_prepare+0xea/0x110
[ 157.991840 ] do_syscall_64+0x3d/0x90
[ 157.992198 ] entry_SYSCALL_64_after_hwframe+0x46/0xb0
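As an added illustration of the teardown ordering described above (a toy model written for this entry, not the mlx5 driver's code; every struct and function name is hypothetical), the following C program has esw0 keep a pointer into esw1's priv for the duplicated flow, removes esw1 first, and reports whether the unload-then-unpair order dereferences zeroed memory while the unpair-as-part-of-unload order does not:

```c
#include <string.h>
/* Hypothetical stand-ins for mlx5 structures, not the driver's own code. */
struct priv {                    /* stands in for mlx5e_priv */
    int initialized;             /* 0 once the net-dev is destroyed (memset) */
    int peer_flows;              /* tc fdb flows duplicated onto this esw */
};
struct esw {
    struct priv uplink;          /* uplink vport private data */
    struct esw *peer;            /* set while paired under VF_LAG */
    struct priv *peer_flow_priv; /* original esw's pointer into the peer priv
                                    that backs the duplicated flow */
};
/* Pair a with b and offload one tc fdb flow over a, duplicated onto b. */
static void pair_and_offload(struct esw *a, struct esw *b)
{
    a->peer = b; b->peer = a;
    a->peer_flow_priv = &b->uplink;
    b->uplink.peer_flows++;
}
/* Clearing the peer flow dereferences the peer's priv; -1 models the
 * page fault the real driver hits when that priv is already zeroed. */
static int del_peer_flow(struct esw *orig)
{
    if (!orig->peer_flow_priv->initialized) return -1;
    orig->peer_flow_priv->peer_flows--;
    orig->peer_flow_priv = NULL;
    return 0;
}
/* Device e asks its peer to drop the flows that were duplicated onto e. */
static int unpair(struct esw *e)
{
    int rc = 0;
    if (e->peer && e->peer->peer_flow_priv == &e->uplink)
        rc = del_peer_flow(e->peer);
    e->peer = NULL;
    return rc;
}
/* The uplink net-dev is destroyed and its priv zeroed. */
static void unload_uplink(struct esw *e) { memset(&e->uplink, 0, sizeof e->uplink); }
/* Remove the peer (esw1) first while esw0 still holds the duplicated flow.
 * Old order: unload uplink, then unpair; fixed order: unpair as part of
 * unload. Returns 0 if no zeroed priv was touched, -1 otherwise. */
int remove_peer_first(int fixed_order)
{
    struct esw esw0 = { .uplink = { 1, 0 } }, esw1 = { .uplink = { 1, 0 } };
    int rc;
    pair_and_offload(&esw0, &esw1);
    if (fixed_order) { rc = unpair(&esw1); unload_uplink(&esw1); }
    else             { unload_uplink(&esw1); rc = unpair(&esw1); }
    return rc;
}
```

The same invariant applies to any paired-device teardown: cross-device references must be torn down before either side's private data is destroyed.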