In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: fs, lock FTE when checking if active
The referenced commits introduced a two-step process for deleting FTEs:
However, this approach encounters a race condition if a rule with the same match value is added simultaneously. In this scenario, fs_core may set the hardware deletion function to NULL prematurely, causing a panic during subsequent rule deletions.
To prevent this, ensure the active flag of the FTE is checked under a lock, which will prevent the fs_core layer from attaching a new steering rule to an FTE that is in the process of deletion.
[ 438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func
[ 438.968205] ------------[ cut here ]------------
[ 438.968654] refcount_t: decrement hit 0; leaking memory.
[ 438.969249] WARNING: CPU: 0 PID: 8957 at lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110
[ 438.970054] Modules linked in: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [last unloaded: cls_flower]
[ 438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc Not tainted 6.12.0-rc1+ #8
[ 438.973888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110
[ 438.975363] Code: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff <0f> 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90
[ 438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286
[ 438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000
[ 438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0
[ 438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0
[ 438.979353] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888119d56de0
[ 438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0
[ 438.980607] FS: 00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000
[ 438.983984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0
[ 438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 438.986507] Call Trace:
[ 438.986799] <TASK>
[ 438.987070] ? __warn+0x7d/0x110
[ 438.987426] ? refcount_warn_saturate+0xfb/0x110
[ 438.987877] ? report_bug+0x17d/0x190
[ 438.988261] ? prb_read_valid+0x17/0x20
[ 438.988659] ? handle_bug+0x53/0x90
[ 438.989054] ? exc_invalid_op+0x14/0x70
[ 438.989458] ? asm_exc_invalid_op+0x16/0x20
[ 438.989883] ? refcount_warn_saturate+0xfb/0x110
[ 438.990348] mlx5_del_flow_rules+0x2f7/0x340 [mlx5_core]
[ 438.990932] __mlx5_eswitch_del_rule+0x49/0x170 [mlx5_core]
[ 438.991519] ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core]
[ 438.992054] ? xas_load+0x9/0xb0
[ 438.992407] mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core]
[ 438.993037] mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core]
[ 438.993623] mlx5e_flow_put+0x29/0x60 [mlx5_core]
[ 438.994161] mlx5e_delete_flower+0x261/0x390 [mlx5_core]
[ 438.994728] tc_setup_cb_destroy+0xb9/0x190
[ 438.995150] fl_hw_destroy_filter+0x94/0xc0 [cls_flower]
[ 438.995650] fl_change+0x11a4/0x13c0 [cls_flower]
[ 438.996105] tc_new_tfilter+0x347/0xbc0
[ 438.996503] ? __ ---truncated---
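The race described above, as an added example that is not kernel or mlx5 code: a simplified model of an FTE whose active flag, reference count and hardware deletion function are guarded by one lock. Names such as struct fte, fte_try_attach and fte_del_rule are hypothetical; the pre-fix path is split into an unlocked active check and a separate reference grab so that a deletion can be interleaved between them step by step, while the post-fix path does both under the lock.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct fte {                           /* hypothetical model of an FTE */
    atomic_flag lock;                  /* stands in for the FTE node lock */
    bool active;                       /* cleared once deletion has begun */
    int refcount;                      /* rules attached to this entry */
    void (*del_hw_func)(struct fte *); /* NULL after the HW entry is gone */
    int hw_deleted;                    /* how many times HW teardown ran */
};

static void fte_lock(struct fte *f) { while (atomic_flag_test_and_set(&f->lock)) {} }
static void fte_unlock(struct fte *f) { atomic_flag_clear(&f->lock); }
static void del_hw_fte(struct fte *f) { f->hw_deleted++; }

void fte_init(struct fte *f) {
    atomic_flag_clear(&f->lock);
    f->active = true;                  /* the first rule owns the entry */
    f->refcount = 1; f->hw_deleted = 0;
    f->del_hw_func = del_hw_fte;
}

/* Delete one rule: the last reference tears down the HW entry and forgets
 * del_hw_func.  Returns -1 where the kernel would panic (count reaches
 * zero on an entry whose HW deletion function is already NULL). */
int fte_del_rule(struct fte *f) {
    int ret = 0;
    fte_lock(f);
    if (--f->refcount == 0) {
        f->active = false;
        if (f->del_hw_func) { f->del_hw_func(f); f->del_hw_func = NULL; }
        else ret = -1;
    }
    fte_unlock(f);
    return ret;
}

/* Pre-fix shape: the active check is not atomic with taking the ref. */
bool fte_is_active_unlocked(const struct fte *f) { return f->active; }
void fte_get(struct fte *f) { fte_lock(f); f->refcount++; fte_unlock(f); }

/* Post-fix shape: check active and take the reference in one critical
 * section; false tells the caller to allocate a fresh FTE instead. */
bool fte_try_attach(struct fte *f) {
    fte_lock(f);
    bool ok = f->active;
    if (ok) f->refcount++;
    fte_unlock(f);
    return ok;
}
```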