CVE-2023-54216

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-54216
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54216.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-54216
Downstream
Published
2025-12-30T12:11:12.730Z
Modified
2025-12-30T20:08:10.166293Z
Summary
net/mlx5e: TC, Fix using eswitch mapping in nic mode
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: TC, Fix using eswitch mapping in nic mode

Cited patch is using the eswitch object mapping pool while in nic mode where it isn't initialized. This results in the trace below [0].

Fix that by using either nic or eswitch object mapping pool depending if eswitch is enabled or not.

[ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233

[ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1
[ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 826.449785] Call Trace:
[ 826.450052] <TASK>
[ 826.450302] dump_stack_lvl+0x33/0x50
[ 826.450650] print_report+0xc2/0x610
[ 826.450998] ? __virt_addr_valid+0xb1/0x130
[ 826.451385] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.451935] kasan_report+0xae/0xe0
[ 826.452276] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.452829] mlx5_add_flow_rules+0x30/0x490 [mlx5_core]
[ 826.453368] ? __kmalloc_node+0x5a/0x120
[ 826.453733] esw_add_restore_rule+0x20f/0x270 [mlx5_core]
[ 826.454288] ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core]
[ 826.455011] ? mutex_unlock+0x80/0xd0
[ 826.455361] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210
[ 826.455862] ? mapping_add+0x2cb/0x440 [mlx5_core]
[ 826.456425] mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core]
[ 826.457058] ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core]
[ 826.457636] ? __kasan_kmalloc+0x77/0x90
[ 826.458000] ? __kmalloc+0x57/0x120
[ 826.458336] mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core]
[ 826.458916] ? ct_kernel_enter.constprop.0+0x48/0xa0
[ 826.459360] ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core]
[ 826.459933] ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core]
[ 826.460507] ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core]
[ 826.461046] ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core]
[ 826.461635] mlx5e_configure_flower+0x969/0x2110 [mlx5_core]
[ 826.462217] ? _raw_spin_lock_bh+0x85/0xe0
[ 826.462597] ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core]
[ 826.463163] ? kasan_save_stack+0x2e/0x40
[ 826.463534] ? down_read+0x115/0x1b0
[ 826.463878] ? down_write_killable+0x110/0x110
[ 826.464288] ? tc_setup_action.part.0+0x9f/0x3b0
[ 826.464701] ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core]
[ 826.465253] ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core]
[ 826.465878] tc_setup_cb_add+0x112/0x250
[ 826.466247] fl_hw_replace_filter+0x230/0x310 [cls_flower]
[ 826.466724] ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower]
[ 826.467212] fl_change+0x14e1/0x2030 [cls_flower]
[ 826.467636] ? sock_def_readable+0x89/0x120
[ 826.468019] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]
[ 826.468509] ? kasan_unpoison+0x23/0x50
[ 826.468873] ? get_random_u16+0x180/0x180
[ 826.469244] ? __radix_tree_lookup+0x2b/0x130
[ 826.469640] ? fl_get+0x7b/0x140 [cls_flower]
[ 826.470042] ? fl_mask_put+0x200/0x200 [cls_flower]
[ 826.470478] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210
[ 826.470973] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]
[ 826.471427] tc_new_tfilter+0x644/0x1050
[ 826.471795] ? tc_get_tfilter+0x860/0x860
[ 826.472170] ? __thaw_task+0x130/0x130
[ 826.472525] ? arch_stack_walk+0x98/0xf0
[ 826.472892] ? cap_capable+0x9f/0xd0
[ 826.473235] ? security_capable+0x47/0x60
[ 826.473608] rtnetlink_rcv_msg+0x1d5/0x550
[ 826.473985] ? rtnl_calcit.isra.0+0x1f0/0x1f0
[ 826.474383] ? __stack_depot_save+0x35/0x4c0
[ 826.474779] ? kasan_save_stack+0x2e/0x40
[ 826.475149] ? kasan_save_stack+0x1e/0x40
[ 826.475518] ? __kasan_record_aux_stack+0x9f/0xb0
[ 826.475939] ? task_work_add+0x77/0x1c0
[ 826.476305] netlink_rcv_skb+0xe0/0x210
---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54216.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6702782845a5bf381a19b204c369e63420041665
Fixed
4150441c010dec36abc389828e2e4758bd8ad4b3
Fixed
dfa1e46d6093831b9d49f0f350227a1d13644a2f

Affected versions

v6.*

v6.2
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.4-rc1
v6.4-rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54216.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-54216.json"