CVE-2023-53632

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Take RTNL lock when needed before calling xdpsetfeatures()

Hold RTNL lock when calling xdpsetfeatures() with a registered netdev, as the call triggers the netdev notifiers. This could happen when switching from uplink rep to nic profile for example.

This resolves the following call trace:

RTNL: assertion failed at net/core/dev.c (1953) WARNING: CPU: 6 PID: 112670 at net/core/dev.c:1953 callnetdevicenotifiersinfo+0x7c/0x80 Modules linked in: schmqprio schmqpriolib acttunnelkey actmirred actskbedit clsmatchall nfnetlinkcttimeout actgact clsflower schingress bonding ibumad ipgre rdmaucm mlx5vfiopci ipip tunnel4 ip6gre gre mlx5ib vfiopci vfiopcicore vfioiommutype1 ibuverbs vfio mlx5core ibipoib geneve nftables ip6tunnel tunnel6 iptableraw openvswitch nsh rpcrdma ibiser libiscsi scsitransportiscsi rdmacm iwcm ibcm ibcore xtconntrack xtMASQUERADE nfconntracknetlink nfnetlink xtaddrtype iptablenat nfnat brnetfilter rpcsecgsskrb5 authrpcgss oidregistry overlay zram zsmalloc fuse [last unloaded: ibuverbs] CPU: 6 PID: 112670 Comm: devlink Not tainted 6.4.0-rc7forupstreammindebug202306281702 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:callnetdevicenotifiersinfo+0x7c/0x80 Code: 90 ff 80 3d 2d 6b f7 00 00 75 c5 ba a1 07 00 00 48 c7 c6 e4 ce 0b 82 48 c7 c7 c8 f4 04 82 c6 05 11 6b f7 00 01 e8 a4 7c 8e ff <0f> 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec RSP: 0018:ffff8882a21c3948 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff82e6f880 RCX: 0000000000000027 RDX: ffff88885f99b5c8 RSI: 0000000000000001 RDI: ffff88885f99b5c0 RBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003 R10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff8882a21c3968 R13: ffff88811c018940 R14: 0000000000000000 R15: ffff8881274401a0 FS: 00007fe141c81800(0000) GS:ffff88885f980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f787c28b948 CR3: 000000014bcf3005 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? _warn+0x79/0x120 ? callnetdevicenotifiersinfo+0x7c/0x80 ? reportbug+0x17c/0x190 ? handlebug+0x3c/0x60 ? excinvalidop+0x14/0x70 ? asmexcinvalidop+0x16/0x20 ? callnetdevicenotifiersinfo+0x7c/0x80 ? callnetdevicenotifiersinfo+0x7c/0x80 callnetdevicenotifiers+0x2e/0x50 mlx5esetxdpfeature+0x21/0x50 [mlx5core] mlx5enicinit+0xf1/0x1a0 [mlx5core] mlx5enetdevinitprofile+0x76/0x110 [mlx5core] mlx5enetdevattachprofile+0x1f/0x90 [mlx5core] mlx5enetdevchangeprofile+0x92/0x160 [mlx5core] mlx5enetdevattachnicprofile+0x1b/0x30 [mlx5core] mlx5evportrepunload+0xaa/0xc0 [mlx5core] _eswoffloadsunloadrep+0x52/0x60 [mlx5core] mlx5eswoffloadsrepunload+0x52/0x70 [mlx5core] eswoffloadsunloadrep+0x34/0x70 [mlx5core] eswoffloadsdisable+0x2b/0x90 [mlx5core] mlx5eswitchdisablelocked+0x1b9/0x210 [mlx5core] mlx5devlinkeswitchmodeset+0xf5/0x630 [mlx5core] ? devlinkgetfromattrslock+0x9e/0x110 devlinknlcmdeswitchsetdoit+0x60/0xe0 genlfamilyrcvmsgdoit.isra.0+0xc2/0x110 genlrcvmsg+0x17d/0x2b0 ? devlinkgetfromattrslock+0x110/0x110 ? devlinknlcmdeswitchgetdoit+0x290/0x290 ? devlinkpernetpreexit+0xf0/0xf0 ? genlfamilyrcvmsgdoit.isra.0+0x110/0x110 netlinkrcvskb+0x54/0x100 genlrcv+0x24/0x40 netlinkunicast+0x1f6/0x2c0 netlinksendmsg+0x232/0x4a0 socksendmsg+0x38/0x60 ? _copyfromuser+0x2a/0x60 _syssendto+0x110/0x160 ? _countmemcgevents+0x48/0x90 ? handlemmfault+0x161/0x260 ? douseraddrfault+0x278/0x6e0 _x64syssendto+0x20/0x30 dosyscall64+0x3d/0x90 entrySYSCALL64afterhwframe+0x46/0xb0 RIP: 0033 ---truncated---