In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix page reclaim for dead peer hairpin
When adding a hairpin flow, a firmware-side send queue is created for the peer net device, which claims some host memory pages for its internal ring buffer. If the peer net device is removed/unbound before the hairpin flow is deleted, then the send queue is not destroyed, which leads to a stack trace on PCI device remove:
[ 748.005230] mlx5core 0000:08:00.2: waitfunc:1094:(pid 12985): MANAGEPAGES(0x108) timeout. Will cause a leak of a command resource
[ 748.005231] mlx5core 0000:08:00.2: reclaimpages:514:(pid 12985): failed reclaiming pages: err -110
[ 748.001835] mlx5core 0000:08:00.2: mlx5reclaimrootpages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0
[ 748.002171] ------------[ cut here ]------------
[ 748.001177] FW pages counter is 4 after reclaiming all pages
[ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5reclaimstartuppages+0x34b/0x460 [mlx5core]
[ +0.002771] Modules linked in: clsflower mlx5ib mlx5core ptp ppscore actmirred schingress openvswitch nsh xtconntrack xtMASQUERADE nfconntracknetlink nfnetlink xtaddrtype iptablenat nfnat nfconntrack nfdefragipv6 nfdefragipv4 brnetfilter rpcrdma rdmaucm ibiser libiscsi scsitransportiscsi rdmacm ibumad ibipoib iwcm ibcm ibuverbs ibcore overlay fuse [last unloaded: ppscore]
[ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1
[ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 748.002315] RIP: 0010:mlx5reclaimstartuppages+0x34b/0x460 [mlx5core]
[ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9
[ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286
[ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000
[ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51
[ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8
[ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30
[ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000
[ 748.001429] FS: 00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000
[ 748.001695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0
[ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 748.001654] Call Trace:
[ 748.000576] ? mlx5satisfystartuppages+0x290/0x290 [mlx5core]
[ 748.001416] ? mlx5cmdteardownhca+0xa2/0xd0 [mlx5core]
[ 748.001354] ? mlx5cmdinithca+0x280/0x280 [mlx5core]
[ 748.001203] mlx5functionteardown+0x30/0x60 [mlx5core]
[ 748.001275] mlx5uninitone+0xa7/0xc0 [mlx5core]
[ 748.001200] removeone+0x5f/0xc0 [mlx5core]
[ 748.001075] pcideviceremove+0x9f/0x1d0
[ 748.000833] devicereleasedriverinternal+0x1e0/0x490
[ 748.001207] unbindstore+0x19f/0x200
[ 748.000942] ? sysfsfileops+0x170/0x170
[ 748.001000] kernfsfopwriteiter+0x2bc/0x450
[ 748.000970] newsyncwrite+0x373/0x610
[ 748.001124] ? newsyncread+0x600/0x600
[ 748.001057] ? lockacquire+0x4d6/0x700
[ 748.000908] ? lockdephardirqsonprepare+0x400/0x400
[ 748.001126] ? fdinstall+0x1c9/0x4d0
[ 748.000951] vfswrite+0x4d0/0x800
[ 748.000804] ksyswrite+0xf9/0x1d0
[ 748.000868] ? _x64sysread+0xb0/0xb0
[ 748.000811] ? filpopen+0x50/0x50
[ 748.000919] ? syscallenterfromusermode+0x1d/0x50
[ 748.001223] dosyscall64+0x3f/0x80
[ 748.000892] entrySYSCALL64afterhwframe+0x44/0xae
[ 748.00 ---truncated---
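A log check for the failure signature in the trace above, as an added example that is not part of the kernel commit or this advisory: it scans kernel log text for the MANAGEPAGES timeout, the page-reclaim errors and the non-zero "FW pages counter" warning, grouped by PCI address. The sample lines are constructed from the trace on this page, and the function and field names (`scan`, `leaking_devices`, `timeouts`, `reclaim_errors`, `leaked_pages`) are assumptions of this example.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: four lines taken from the trace above plus one unrelated line.
SAMPLE_LOG = """\
[ 748.005230] mlx5core 0000:08:00.2: waitfunc:1094:(pid 12985): MANAGEPAGES(0x108) timeout. Will cause a leak of a command resource
[ 748.005231] mlx5core 0000:08:00.2: reclaimpages:514:(pid 12985): failed reclaiming pages: err -110
[ 748.001835] mlx5core 0000:08:00.2: mlx5reclaimrootpages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0
[ 748.001177] FW pages counter is 4 after reclaiming all pages
[ 748.100000] e1000e 0000:00:1f.6: link is up
"""

# Underscores are optional so identifiers match with or without them.
DEV = re.compile(r"mlx5_?core (?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]):")
TIMEOUT = re.compile(r"MANAGE_?PAGES\(0x108\) timeout")
RECLAIM = re.compile(r"failed reclaiming pages.*?(?P<err>-\d+)")
LEAKED = re.compile(r"FW pages counter is (?P<n>\d+) after reclaiming all pages")


def scan(log_text):
    """Return {pci_address: {timeouts, reclaim_errors, leaked_pages}}."""
    findings = defaultdict(lambda: {"timeouts": 0, "reclaim_errors": [], "leaked_pages": 0})
    last_bdf = None  # the counter warning carries no device prefix
    for line in log_text.splitlines():
        dev = DEV.search(line)
        if dev:
            bdf = dev.group("bdf")
            if TIMEOUT.search(line):
                findings[bdf]["timeouts"] += 1
                last_bdf = bdf
            err = RECLAIM.search(line)
            if err:
                # -110 is ETIMEDOUT: firmware never returned the pages.
                findings[bdf]["reclaim_errors"].append(int(err.group("err")))
                last_bdf = bdf
            continue
        leak = LEAKED.search(line)
        if leak and last_bdf:
            # Attribute the warning to the device that most recently failed.
            findings[last_bdf]["leaked_pages"] = int(leak.group("n"))
    return dict(findings)


def leaking_devices(findings):
    """PCI addresses whose firmware still held host pages at teardown."""
    return sorted(bdf for bdf, f in findings.items() if f["leaked_pages"] > 0)


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(leaking_devices(scan(text)))
```

Piping `dmesg` or `journalctl -k` output into the script checks a live host instead of the embedded sample.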