CVE-2023-52851
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-52851
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52851.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-52851
- Downstream
- Related
- Published
- 2024-05-21T15:31:47Z
- Modified
- 2025-10-08T17:52:43.261751Z
- Summary
- IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
IB/mlx5: Fix init stage error handling to avoid double free of same QP and UAF
In the unlikely event that workqueue allocation fails and returns NULL in mlx5mkeycacheinit(), delete the call to mlx5rumrresourcecleanup() (which frees the QP) in mlx5ibstagepostibregumrinit(). This will avoid attempted double free of the same QP when _mlx5ibadd() does its cleanup.
Resolves a splat:
Syzkaller reported a UAF in ibdestroyqp_user
workqueue: Failed to create a rescuer kthread for wq "mkeycache": -EINTR infiniband mlx50: mlx5mkeycacheinit:981:(pid 1642): failed to create work queue infiniband mlx50: mlx5ibstagepostibregumrinit:4075:(pid 1642): mr cache init failed -12 ================================================================== BUG: KASAN: slab-use-after-free in ibdestroyqpuser (drivers/infiniband/core/verbs.c:2073) Read of size 8 at addr ffff88810da310a8 by task repro_upstream/1642
Call Trace: <TASK> kasanreport (mm/kasan/report.c:590) ibdestroyqpuser (drivers/infiniband/core/verbs.c:2073) mlx5rumrresourcecleanup (drivers/infiniband/hw/mlx5/umr.c:198) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4178) mlx5r_probe (drivers/infiniband/hw/mlx5/main.c:4402) ... </TASK>
Allocated by task 1642: _kmalloc (./include/linux/kasan.h:198 mm/slabcommon.c:1026 mm/slabcommon.c:1039) createqp (./include/linux/slab.h:603 ./include/linux/slab.h:720 ./include/rdma/ibverbs.h:2795 drivers/infiniband/core/verbs.c:1209) ibcreateqpkernel (drivers/infiniband/core/verbs.c:1347) mlx5rumrresourceinit (drivers/infiniband/hw/mlx5/umr.c:164) mlx5ibstagepostibregumrinit (drivers/infiniband/hw/mlx5/main.c:4070) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4168) mlx5rprobe (drivers/infiniband/hw/mlx5/main.c:4402) ...
Freed by task 1642: _kmemcachefree (mm/slub.c:1826 mm/slub.c:3809 mm/slub.c:3822) ibdestroyqpuser (drivers/infiniband/core/verbs.c:2112) mlx5rumrresourcecleanup (drivers/infiniband/hw/mlx5/umr.c:198) mlx5ibstagepostibregumrinit (drivers/infiniband/hw/mlx5/main.c:4076 drivers/infiniband/hw/mlx5/main.c:4065) _mlx5ibadd (drivers/infiniband/hw/mlx5/main.c:4168) mlx5rprobe (drivers/infiniband/hw/mlx5/main.c:4402) ...
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/2ef422f063b74adcc4a4a9004b0a87bb55e0a836
- https://git.kernel.org/stable/c/437f033e30c897bb3723eac9e9003cd9f88d00a3
- https://git.kernel.org/stable/c/4f4a7a7d1404297f2a92df0046f7e64dc5c52dd9
- https://git.kernel.org/stable/c/6387f269d84e6e149499408c4d1fc805017729b2
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced04876c12c19e94bbbc94bb0446c7bc7cd75163deFixed437f033e30c897bb3723eac9e9003cd9f88d00a3
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced04876c12c19e94bbbc94bb0446c7bc7cd75163deFixed4f4a7a7d1404297f2a92df0046f7e64dc5c52dd9
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced04876c12c19e94bbbc94bb0446c7bc7cd75163deFixed6387f269d84e6e149499408c4d1fc805017729b2
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced04876c12c19e94bbbc94bb0446c7bc7cd75163deFixed2ef422f063b74adcc4a4a9004b0a87bb55e0a836