CVE-2024-35852

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/05/2024
Last modified:
30/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

The rehash delayed work is rescheduled with a delay if the number of credits at end of the work is not negative as supposedly it means that the migration ended. Otherwise, it is rescheduled immediately.

After "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash" the above is no longer accurate as a non-negative number of credits is no longer indicative of the migration being done. It can also happen if the work encountered an error in which case the migration will resume the next time the work is scheduled.

The significance of the above is that it is possible for the work to be pending and associated with hints that were allocated when the migration started. This leads to the hints being leaked [1] when the work is canceled while pending as part of ACL region dismantle.

Fix by freeing the hints if hints are associated with a work that was canceled while pending.

Blame the original commit since the reliance on not having a pending work associated with hints is fragile.

[1]
unreferenced object 0xffff88810e7c3000 (size 256):
  comm "kworker/0:16", pid 176, jiffies 4295460353
  hex dump (first 32 bytes):
    00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......
    00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........
  backtrace (crc 2544ddb9):
    [] kmalloc_trace+0x23f/0x2a0
    [] objagg_hints_get+0x42/0x390
    [] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400
    [] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160
    [] process_one_work+0x59c/0xf20
    [] worker_thread+0x799/0x12c0
    [] kthread+0x246/0x300
    [] ret_from_fork+0x34/0x70
    [] ret_from_fork_asm+0x1a/0x30
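The leak and the fix described above, modelled in user space as an added example (not the kernel's code and not the patch itself). The struct, the function names and the `fixed` switch are hypothetical, and a counter stands in for the allocator.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model of the leak; every name here is hypothetical. */
static int live_hints;                  /* hint objects not yet freed */

struct vregion {
    bool work_pending;                  /* rehash delayed work is queued */
    void *hints;                        /* allocated when a migration starts */
};

static void *hints_get(void) { static char obj[256]; live_hints++; return obj; }
static void hints_put(void *h) { if (h) live_hints--; }

/* One run of the rehash work. On error the migration is unfinished, so the
 * hints stay attached for the next run. The work is requeued either way. */
static void rehash_work(struct vregion *v, bool error)
{
    if (!v->hints)
        v->hints = hints_get();
    if (!error) {
        hints_put(v->hints);
        v->hints = NULL;
    }
    v->work_pending = true;
}

/* Region dismantle; returns the number of leaked hint objects. */
static int vregion_destroy(struct vregion *v, bool fixed)
{
    bool was_pending = v->work_pending; /* what a cancel would report */
    v->work_pending = false;            /* the work is cancelled */
    if (fixed && was_pending && v->hints) {
        hints_put(v->hints);            /* the fix: free hints on cancel */
        v->hints = NULL;
    }
    return live_hints;
}

/* Run the work once (optionally failing), then dismantle the region. */
static int leaked_after(bool error, bool fixed)
{
    struct vregion v = { false, NULL };
    live_hints = 0;
    rehash_work(&v, error);
    return vregion_destroy(&v, fixed);
}

int main(void) { return leaked_after(true, true); }
```

Only the combination of an errored work run and an unfixed dismantle leaves an object outstanding, which is the case the kmemleak report in [1] records.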

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.1 (including) 5.4.275 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.216 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.158 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.90 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.30 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*