CVE-2023-53999
Severity: Pending analysis
Type: Not available / Other type
Publication date: 24/12/2025
Last modified: 29/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: TC, Fix internal port memory leak

The flow rule can be split, and the extra post_act rules are added
to post_act table. It's possible to trigger memleak when the rule
forwards packets from internal port and over tunnel, in the case that,
for example, CT 'new' state offload is allowed. As int_port object is
assigned to the flow attribute of post_act rule, and its refcnt is
incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is
not called, the refcnt is never decremented, then int_port is never
freed.

The kmemleak reports the following error:
  unreferenced object 0xffff888128204b80 (size 64):
    comm "handler20", pid 50121, jiffies 4296973009 (age 642.932s)
    hex dump (first 32 bytes):
      01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................
      98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA....
    backtrace:
      [] kmalloc_trace+0x27/0x120
      [] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]
      [] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]
      [] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]
      [] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]
      [] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]
      [] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]
      [] tc_setup_cb_add+0x1cf/0x410
      [] fl_hw_replace_filter+0x38f/0x670 [cls_flower]
      [] fl_change+0x1fd5/0x4430 [cls_flower]
      [] tc_new_tfilter+0x867/0x2010
      [] rtnetlink_rcv_msg+0x6fc/0x9f0
      [] netlink_rcv_skb+0x12c/0x360
      [] netlink_unicast+0x438/0x710
      [] netlink_sendmsg+0x794/0xc50
      [] sock_sendmsg+0xc5/0x190

So fix this by moving int_port cleanup code to the flow attribute
free helper, which is used by all the attribute free cases.
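
The reference-count imbalance described above, as an added userspace model in C; it is not code from the kernel or from the fix. All type and function names are hypothetical, and the pre-fix cleanup is assumed to have lived only in the main rule's delete path.

```c
#include <stdlib.h>
/* Userspace model; every name is hypothetical, not the mlx5 driver's. */
struct int_port { int refcnt; };
struct flow_attr { struct int_port *int_port; };
static int live_ports;   /* int_port objects allocated and not yet freed */

static struct int_port *int_port_get(struct int_port *p)
{
    if (!p) {                        /* first user allocates the object */
        p = calloc(1, sizeof(*p));
        if (!p)
            return NULL;
        live_ports++;
    }
    p->refcnt++;
    return p;
}

static void int_port_put(struct int_port *p)
{
    if (p && --p->refcnt == 0) {     /* last reference frees the object */
        free(p);
        live_ports--;
    }
}

/* Common helper reached by every attribute free path. */
static void attr_free(struct flow_attr *a, int put_in_helper)
{
    if (put_in_helper)               /* fixed layout: drop the ref here */
        int_port_put(a->int_port);
    a->int_port = NULL;
}

/* Add a split rule (main + post_act attr), delete it, return leaked objects. */
static int split_rule_leak(int fixed)
{
    struct flow_attr main_attr = {0}, post_attr = {0};
    struct int_port *p = int_port_get(NULL);
    if (!p)
        return -1;
    main_attr.int_port = p;
    post_attr.int_port = int_port_get(p);  /* reference taken for post_act */
    if (!fixed)                      /* assumed old cleanup: main rule only */
        int_port_put(main_attr.int_port);
    attr_free(&main_attr, fixed);
    attr_free(&post_attr, fixed);
    int leaked = live_ports;
    if (leaked) { free(p); live_ports = 0; }  /* demo only: reclaim memory */
    return leaked;
}
```

With `fixed` set to 0 the post_act attribute's reference is never dropped and one object stays allocated; with `fixed` set to 1 every attribute goes through the same helper and the count returns to zero.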



