In the Linux kernel, the following vulnerability has been resolved:
net: esp: fix bad handling of pages from page_pool
When the skb is reorganized during espoutput (!esp->inline), the pages coming from the original skb fragments are supposed to be released back to the system through putpage. But if the skb fragment pages are originating from a pagepool, calling putpage on them will trigger a page_pool leak which will eventually result in a crash.
This leak can be easily observed when using CONFIGDEBUGVM and doing ipsec + gre (non offloaded) forwarding:
BUG: Bad page state in process ksoftirqd/16 pfn:1451b6 page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6 flags: 0x200000000000000(node=0|zone=2) pagetype: 0xffffffff() raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000 raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: pagepool leak Modules linked in: ipgre gre mlx5ib mlx5core xtconntrack xtMASQUERADE nfconntracknetlink nfnetlink iptablenat nfnat xtaddrtype brnetfilter rpcrdma rdmaucm ibiser libiscsi scsitransportiscsi ibumad rdmacm ibipoib iwcm ibcm ibuverbs ibcore overlay zram zsmalloc fuse [last unloaded: mlx5core] CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x36/0x50 badpage+0x70/0xf0 freeunrefpageprepare+0x27a/0x460 freeunrefpage+0x38/0x120 espssgunref.isra.0+0x15f/0x200 espoutputtail+0x66d/0x780 espxmit+0x2c5/0x360 validatexmitxfrm+0x313/0x370 ? validatexmitskb+0x1d/0x330 validatexmitskblist+0x4c/0x70 schdirectxmit+0x23e/0x350 _devqueuexmit+0x337/0xba0 ? nfhookslow+0x3f/0xd0 ipfinishoutput2+0x25e/0x580 iptunnelxmit+0x19b/0x240 iptunnelxmit+0x5fb/0xb60 ipgrexmit+0x14d/0x280 [ipgre] devhardstartxmit+0xc3/0x1c0 _devqueuexmit+0x208/0xba0 ? nfhookslow+0x3f/0xd0 ipfinishoutput2+0x1ca/0x580 ipsublistrcvfinish+0x32/0x40 ipsublistrcv+0x1b2/0x1f0 ? iprcvfinishcore.constprop.0+0x460/0x460 iplistrcv+0x103/0x130 _netifreceiveskblistcore+0x181/0x1e0 netifreceiveskblistinternal+0x1b3/0x2c0 napigroreceive+0xc8/0x200 grocellpoll+0x52/0x90 _napipoll+0x25/0x1a0 netrxaction+0x28e/0x300 _dosoftirq+0xc3/0x276 ? sortrange+0x20/0x20 runksoftirqd+0x1e/0x30 smpbootthreadfn+0xa6/0x130 kthread+0xcd/0x100 ? kthreadcompleteandexit+0x20/0x20 retfromfork+0x31/0x50 ? kthreadcompleteandexit+0x20/0x20 retfromfork_asm+0x11/0x20 </TASK>
The suggested fix is to introduce a new wrapper (skbpageunref) that covers page refcounting for page_pool pages as well.
{ "vanir_signatures": [ { "id": "CVE-2024-26953-07be0286", "target": { "function": "esp_output_tail", "file": "net/ipv4/esp4.c" }, "digest": { "length": 2571.0, "function_hash": "210588440563513071929241578942430337357" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-0be5d89c", "target": { "function": "esp_output_done", "file": "net/ipv4/esp4.c" }, "digest": { "length": 800.0, "function_hash": "20140137149387878287932774948782987612" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-0c299804", "target": { "function": "esp_ssg_unref", "file": "net/ipv4/esp4.c" }, "digest": { "length": 423.0, "function_hash": "7395780917016477907083524109871267144" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-1929af91", "target": { "file": "net/ipv6/esp6.c" }, "digest": { "line_hashes": [ "235955791114879276242560521788587345619", "492667449794850851063213764971756011", "160648486716125877841547712193612319315", "29644483187059567951866387527989434921", "184975892970287389502102680328966104643", "208652685549534569890840432256156108054", "194585889951719872226606426726934835762", "108256990008591336964182748424493071812", "305941524940677372009490340096442936918", "298029709185796106247446893947351740394", "318036959095453620062043395354196667408", "132548764203669805023797731957922998899", "332774094514968661683005120586756116575", "31901688532869909094432289573203594742", "67688234910399907075587044196146662525", "22974307298430466939728420037197304819" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-1bdaf319", "target": { "function": "esp_output_done", "file": "net/ipv6/esp6.c" }, "digest": { "length": 819.0, "function_hash": "227286274404432212770590387245074476422" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-26104e21", "target": { "function": "esp_output_done", "file": "net/ipv4/esp4.c" }, "digest": { "length": 800.0, "function_hash": "20140137149387878287932774948782987612" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-29006c15", "target": { "function": "esp_ssg_unref", "file": "net/ipv6/esp6.c" }, "digest": { "length": 423.0, "function_hash": "7395780917016477907083524109871267144" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-369edd4c", "target": { "file": "include/linux/skbuff.h" }, "digest": { "line_hashes": [ "265566118402544337859749290556686268157", "280376224085441214913605389838099496204", "42679479520720797186593412908309296028" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-40de5671", "target": { "function": "esp_output_done", "file": "net/ipv6/esp6.c" }, "digest": { "length": 819.0, "function_hash": "227286274404432212770590387245074476422" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-48cd4be0", "target": { "function": "esp6_output_tail", "file": "net/ipv6/esp6.c" }, "digest": { "length": 2592.0, "function_hash": "282351030175974464728394127416022711760" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-5d16fec6", "target": { "file": "net/ipv6/esp6.c" }, "digest": { "line_hashes": [ "235955791114879276242560521788587345619", "492667449794850851063213764971756011", "160648486716125877841547712193612319315", "29644483187059567951866387527989434921", "184975892970287389502102680328966104643", "208652685549534569890840432256156108054", "194585889951719872226606426726934835762", "108256990008591336964182748424493071812", "305941524940677372009490340096442936918", "298029709185796106247446893947351740394", "318036959095453620062043395354196667408", "132548764203669805023797731957922998899", "332774094514968661683005120586756116575", "31901688532869909094432289573203594742", "67688234910399907075587044196146662525", "22974307298430466939728420037197304819" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-63ed59f1", "target": { "file": "net/ipv6/esp6.c" }, "digest": { "line_hashes": [ "235955791114879276242560521788587345619", "492667449794850851063213764971756011", "160648486716125877841547712193612319315", "29644483187059567951866387527989434921", "184975892970287389502102680328966104643", "208652685549534569890840432256156108054", "194585889951719872226606426726934835762", "108256990008591336964182748424493071812", "305941524940677372009490340096442936918", "298029709185796106247446893947351740394", "318036959095453620062043395354196667408", "132548764203669805023797731957922998899", "332774094514968661683005120586756116575", "31901688532869909094432289573203594742", "67688234910399907075587044196146662525", "22974307298430466939728420037197304819" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-6ae3f879", "target": { "file": "include/linux/skbuff.h" }, "digest": { "line_hashes": [ "265566118402544337859749290556686268157", "280376224085441214913605389838099496204", "42679479520720797186593412908309296028" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-6fc72265", "target": { "function": "esp_output_done", "file": "net/ipv6/esp6.c" }, "digest": { "length": 819.0, "function_hash": "227286274404432212770590387245074476422" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-7033ff66", "target": { "file": "net/ipv6/esp6.c" }, "digest": { "line_hashes": [ "235955791114879276242560521788587345619", "492667449794850851063213764971756011", "160648486716125877841547712193612319315", "29644483187059567951866387527989434921", "184975892970287389502102680328966104643", "208652685549534569890840432256156108054", "194585889951719872226606426726934835762", "108256990008591336964182748424493071812", "305941524940677372009490340096442936918", "298029709185796106247446893947351740394", "318036959095453620062043395354196667408", "132548764203669805023797731957922998899", "332774094514968661683005120586756116575", "31901688532869909094432289573203594742", "67688234910399907075587044196146662525", "22974307298430466939728420037197304819" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-7240a491", "target": { "function": "esp_ssg_unref", "file": "net/ipv4/esp4.c" }, "digest": { "length": 423.0, "function_hash": "7395780917016477907083524109871267144" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-82d31ab8", "target": { "file": "include/linux/skbuff.h" }, "digest": { "line_hashes": [ "265566118402544337859749290556686268157", "280376224085441214913605389838099496204", "42679479520720797186593412908309296028" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-87e23c02", "target": { "file": "net/ipv4/esp4.c" }, "digest": { "line_hashes": [ "235955791114879276242560521788587345619", "492667449794850851063213764971756011", "160648486716125877841547712193612319315", "29644483187059567951866387527989434921", "184975892970287389502102680328966104643", "208652685549534569890840432256156108054", "159349868868344964885725423138044685759", "28778533059872847144469451203821640695", "305941524940677372009490340096442936918", "298029709185796106247446893947351740394", "9839688842458549545576265607723801307", "317978464257765041587557808770466698087", "213540814091415385417384552674346525906", "31901688532869909094432289573203594742", "67688234910399907075587044196146662525", "22974307298430466939728420037197304819" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-88cdda8d", "target": { "file": "include/linux/skbuff.h" }, "digest": { "line_hashes": [ "326619038587472755360881766063647301263", "157881328114243271727673102729711784159", "42679479520720797186593412908309296028" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-8a0fec68", "target": { "function": "esp6_output_tail", "file": "net/ipv6/esp6.c" }, "digest": { "length": 2592.0, "function_hash": "282351030175974464728394127416022711760" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-8b667ba6", "target": { "function": "esp_output_tail", "file": "net/ipv4/esp4.c" }, "digest": { "length": 2571.0, "function_hash": "210588440563513071929241578942430337357" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-995d40e6", "target": { "function": "esp6_output_tail", "file": "net/ipv6/esp6.c" }, "digest": { "length": 2592.0, "function_hash": "282351030175974464728394127416022711760" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-9971f27a", "target": { "function": "esp_output_done", "file": "net/ipv6/esp6.c" }, "digest": { "length": 819.0, "function_hash": "227286274404432212770590387245074476422" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-a3d887ff", "target": { "function": "esp_output_done", "file": "net/ipv4/esp4.c" }, "digest": { "length": 800.0, "function_hash": "20140137149387878287932774948782987612" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-a5273afb", "target": { "function": "esp6_output_tail", "file": "net/ipv6/esp6.c" }, "digest": { "length": 2592.0, "function_hash": "282351030175974464728394127416022711760" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-a6966f39", "target": { "file": "net/ipv4/esp4.c" }, "digest": { "line_hashes": [ "235955791114879276242560521788587345619", "492667449794850851063213764971756011", "160648486716125877841547712193612319315", "29644483187059567951866387527989434921", "184975892970287389502102680328966104643", "208652685549534569890840432256156108054", "159349868868344964885725423138044685759", "28778533059872847144469451203821640695", "305941524940677372009490340096442936918", "298029709185796106247446893947351740394", "9839688842458549545576265607723801307", "317978464257765041587557808770466698087", "213540814091415385417384552674346525906", "31901688532869909094432289573203594742", "67688234910399907075587044196146662525", "22974307298430466939728420037197304819" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1abb20a5f4b02fb3020f88456fc1e6069b3cdc45", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-b163556f", "target": { "function": "esp_ssg_unref", "file": "net/ipv4/esp4.c" }, "digest": { "length": 423.0, "function_hash": "7395780917016477907083524109871267144" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-bdcb1eda", "target": { "function": "esp_ssg_unref", "file": "net/ipv4/esp4.c" }, "digest": { "length": 423.0, "function_hash": "7395780917016477907083524109871267144" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-c12de829", "target": { "file": "net/ipv4/esp4.c" }, "digest": { "line_hashes": [ "235955791114879276242560521788587345619", "492667449794850851063213764971756011", "160648486716125877841547712193612319315", "29644483187059567951866387527989434921", "184975892970287389502102680328966104643", "208652685549534569890840432256156108054", "159349868868344964885725423138044685759", "28778533059872847144469451203821640695", "305941524940677372009490340096442936918", "298029709185796106247446893947351740394", "9839688842458549545576265607723801307", "317978464257765041587557808770466698087", "213540814091415385417384552674346525906", "31901688532869909094432289573203594742", "67688234910399907075587044196146662525", "22974307298430466939728420037197304819" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-c291504b", "target": { "function": "esp_ssg_unref", "file": "net/ipv6/esp6.c" }, "digest": { "length": 423.0, "function_hash": "7395780917016477907083524109871267144" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-d03ad158", "target": { "function": "esp_output_tail", "file": "net/ipv4/esp4.c" }, "digest": { "length": 2571.0, "function_hash": "210588440563513071929241578942430337357" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3198822c6cb9fb588e446540485669cc81c5d34", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-e0bd68b7", "target": { "file": "net/ipv4/esp4.c" }, "digest": { "line_hashes": [ "235955791114879276242560521788587345619", "492667449794850851063213764971756011", "160648486716125877841547712193612319315", "29644483187059567951866387527989434921", "184975892970287389502102680328966104643", "208652685549534569890840432256156108054", "159349868868344964885725423138044685759", "28778533059872847144469451203821640695", "305941524940677372009490340096442936918", "298029709185796106247446893947351740394", "9839688842458549545576265607723801307", "317978464257765041587557808770466698087", "213540814091415385417384552674346525906", "31901688532869909094432289573203594742", "67688234910399907075587044196146662525", "22974307298430466939728420037197304819" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Line", "signature_version": "v1" }, { "id": "CVE-2024-26953-e2a8d1a6", "target": { "function": "esp_output_done", "file": "net/ipv4/esp4.c" }, "digest": { "length": 800.0, "function_hash": "20140137149387878287932774948782987612" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-ecccb920", "target": { "function": "esp_output_tail", "file": "net/ipv4/esp4.c" }, "digest": { "length": 2571.0, "function_hash": "210588440563513071929241578942430337357" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-fa11bfa2", "target": { "function": "esp_ssg_unref", "file": "net/ipv6/esp6.c" }, "digest": { "length": 423.0, "function_hash": "7395780917016477907083524109871267144" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8291b4eac429c480386669444c6377573f5d8664", "deprecated": false, "signature_type": "Function", "signature_version": "v1" }, { "id": "CVE-2024-26953-fd7d9f41", "target": { "function": "esp_ssg_unref", "file": "net/ipv6/esp6.c" }, "digest": { "length": 423.0, "function_hash": "7395780917016477907083524109871267144" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f278ff9db67264715d0d50e3e75044f8b78990f4", "deprecated": false, "signature_type": "Function", "signature_version": "v1" } ] }