In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix use-after-free of encap entry in neigh update handler
Function mlx5e_rep_neigh_update() wasn't updated to accommodate the removal of the rtnl lock from the TC filter update path, and it does not properly handle concurrent encap entry insertion/deletion, which can lead to the following use-after-free:
[23827.464923] ==================================================================
[23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635
[23827.472251]
[23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5
[23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]
[23827.476731] Call Trace:
[23827.477260]  dump_stack+0xbb/0x107
[23827.477906]  print_address_description.constprop.0+0x18/0x140
[23827.478896]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.479879]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.480905]  kasan_report.cold+0x7c/0xd8
[23827.481701]  ? mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.482744]  kasan_check_range+0x145/0x1a0
[23827.493112]  mlx5e_encap_take+0x72/0x140 [mlx5_core]
[23827.494054]  ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]
[23827.495296]  mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]
[23827.496338]  ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]
[23827.497486]  ? read_word_at_a_time+0xe/0x20
[23827.498250]  ? strscpy+0xa0/0x2a0
[23827.498889]  process_one_work+0x8ac/0x14e0
[23827.499638]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[23827.500537]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[23827.501359]  ? rwlock_bug.part.0+0x90/0x90
[23827.502116]  worker_thread+0x53b/0x1220
[23827.502831]  ? process_one_work+0x14e0/0x14e0
[23827.503627]  kthread+0x328/0x3f0
[23827.504254]  ? _raw_spin_unlock_irq+0x24/0x40
[23827.505065]  ? kthread_bind_mask+0x90/0x90
[23827.505912]  ret_from_fork+0x1f/0x30
[23827.506621]
[23827.506987] Allocated by task 28248:
[23827.507694]  kasan_save_stack+0x1b/0x40
[23827.508476]  __kasan_kmalloc+0x7c/0x90
[23827.509197]  mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]
[23827.510194]  mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]
[23827.511218]  __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]
[23827.512234]  mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]
[23827.513298]  tc_setup_cb_add+0x1d5/0x420
[23827.514023]  fl_hw_replace_filter+0x382/0x6a0 [cls_flower]
[23827.514975]  fl_change+0x2ceb/0x4a51 [cls_flower]
[23827.515821]  tc_new_tfilter+0x89a/0x2070
[23827.516548]  rtnetlink_rcv_msg+0x644/0x8c0
[23827.517300]  netlink_rcv_skb+0x11d/0x340
[23827.518021]  netlink_unicast+0x42b/0x700
[23827.518742]  netlink_sendmsg+0x743/0xc20
[23827.519467]  sock_sendmsg+0xb2/0xe0
[23827.520131]  ____sys_sendmsg+0x590/0x770
[23827.520851]  ___sys_sendmsg+0xd8/0x160
[23827.521552]  __sys_sendmsg+0xb7/0x140
[23827.522238]  do_syscall_64+0x3a/0x70
[23827.522907]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[23827.523797]
[23827.524163] Freed by task 25948:
[23827.524780]  kasan_save_stack+0x1b/0x40
[23827.525488]  kasan_set_track+0x1c/0x30
[23827.526187]  kasan_set_free_info+0x20/0x30
[23827.526968]  __kasan_slab_free+0xed/0x130
[23827.527709]  slab_free_freelist_hook+0xcf/0x1d0
[23827.528528]  kmem_cache_free_bulk+0x33a/0x6e0
[23827.529317]  kfree_rcu_work+0x55f/0xb70
[23827.530024]  process_one_work+0x8ac/0x14e0
[23827.530770]  worker_thread+0x53b/0x1220
[23827.531480]  kthread+0x328/0x3f0
[23827.532114]  ret_from_fork+0x1f/0x30
[23827.532785]
[23827.533147] Last potentially related work creation:
[23827.534007]  kasan_save_stack+0x1b/0x40
[23827.534710]  kasan_record_aux_stack+0xab/0xc0
[23827.535492]  kvfree_call_rcu+0x31/0x7b0
[23827.536206]  mlx5e_tc_del ---truncated---
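The report above shows the shape of the bug: one task frees an encap entry through the flow teardown path (kfree_rcu work) while the neigh update worker still dereferences it in mlx5e_encap_take(). The following is an added, constructed illustration of the discipline that prevents this class of bug, namely walking the table only under its lock and claiming each entry with an inc-not-zero style take so entries already being torn down are skipped. It is not the mlx5 driver's code: the structure names, the single-threaded "lock" flag, the split of the release path into two steps and the freed flag that stands in for KASAN are all assumptions made for the demo.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, single-threaded model of a reference-counted encap table.
 * The pool is static so an entry that has been "freed" stays addressable and
 * the demo can report a use-after-free instead of actually performing one. */

struct encap_entry {
    int id;
    int refcnt;                /* stands in for refcount_t */
    bool freed;                /* set once the memory would have gone back to the slab */
    struct encap_entry *next;
};

struct encap_table {
    struct encap_entry *head;
    bool locked;               /* stands in for the table mutex */
};

static struct encap_entry pool[3];
static struct encap_table demo_table;  /* table and scratch buffer used by the demo */
static int demo_ids[3];

static void table_lock(struct encap_table *t)   { assert(!t->locked); t->locked = true;  }
static void table_unlock(struct encap_table *t) { assert(t->locked);  t->locked = false; }

static void table_init(struct encap_table *t) {
    t->head = NULL; t->locked = false;
    for (int i = 2; i >= 0; i--) {          /* list order: ids 1, 2, 3 */
        pool[i].id = i + 1; pool[i].refcnt = 1; pool[i].freed = false;
        pool[i].next = t->head; t->head = &pool[i];
    }
}

/* refcount_inc_not_zero() analogue: a zero count means the last owner is
 * already tearing the entry down, so the entry must not be revived. */
static bool encap_take(struct encap_entry *e) {
    if (e->refcnt == 0) return false;
    e->refcnt++;
    return true;
}

static void encap_put(struct encap_entry *e) { assert(e->refcnt > 0); e->refcnt--; }

/* Deleting owner, step 1: drop the reference. This happens outside the table
 * lock, so there is a window in which refcnt == 0 but the entry is still linked. */
static bool encap_release_begin(struct encap_entry *e) {
    encap_put(e);
    return e->refcnt == 0;     /* true: caller must run encap_release_finish() */
}

/* Deleting owner, step 2: unlink under the lock, then free (kfree_rcu analogue). */
static void encap_release_finish(struct encap_table *t, struct encap_entry *e) {
    table_lock(t);
    struct encap_entry **pp = &t->head;
    while (*pp != e) pp = &(*pp)->next;
    *pp = e->next;
    table_unlock(t);
    e->freed = true;
}

/* Racy pattern: the handler kept a pointer obtained without the lock and uses
 * it later. Returns -1 when the access lands on freed memory (the 4-byte read
 * KASAN flagged in encap_take above), 1 if the entry was live and processed,
 * 0 if it was being torn down. The freed check is demo-only instrumentation;
 * real code has no such flag and simply reads freed memory. */
static int neigh_update_stale_pointer(struct encap_entry *stale) {
    if (stale->freed) return -1;
    if (!encap_take(stale)) return 0;
    encap_put(stale);
    return 1;
}

/* Fixed pattern: walk the list only while holding the table lock and claim
 * each entry with encap_take(), so entries in the zero-refcount window are
 * skipped rather than used. Fills out[] with the ids processed. */
static int neigh_update_locked(struct encap_table *t, int *out, int max) {
    int n = 0;
    table_lock(t);
    for (struct encap_entry *e = t->head; e && n < max; e = e->next) {
        if (!encap_take(e)) continue;    /* concurrent delete in progress: skip */
        out[n++] = e->id;                /* ... refresh the entry's neighbour state here ... */
        encap_put(e);
    }
    table_unlock(t);
    return n;
}

int main(void) {
    table_init(&demo_table);
    struct encap_entry *e2 = &pool[1];
    bool dead = encap_release_begin(e2);                    /* deleter drops the last ref ... */
    int n = neigh_update_locked(&demo_table, demo_ids, 3);  /* ... handler runs in the window */
    printf("locked walk processed %d entries (ids 1 and 3, entry 2 skipped)\n", n);
    if (dead) encap_release_finish(&demo_table, e2);        /* deleter unlinks and frees */
    printf("stale pointer result: %d (-1 = use-after-free)\n", neigh_update_stale_pointer(e2));
    return 0;
}
```

The point of the two-step release is that the reference count reaches zero before the deleter holds the table lock, exactly the window a worker running concurrently can observe; the locked walk survives it because encap_take() refuses a zero count, while the stale-pointer variant has no way to learn that the object it holds has been freed.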