CVE-2024-26953

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26953
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26953.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26953
Downstream
Related
Published
2024-05-01T05:18:43Z
Modified
2025-10-21T20:24:45.531041Z
Summary
net: esp: fix bad handling of pages from page_pool
Details

In the Linux kernel, the following vulnerability has been resolved:

net: esp: fix bad handling of pages from page_pool

When the skb is reorganized during espoutput (!esp->inline), the pages coming from the original skb fragments are supposed to be released back to the system through putpage. But if the skb fragment pages are originating from a pagepool, calling putpage on them will trigger a page_pool leak which will eventually result in a crash.

This leak can be easily observed when using CONFIGDEBUGVM and doing ipsec + gre (non offloaded) forwarding:

BUG: Bad page state in process ksoftirqd/16 pfn:1451b6 page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6 flags: 0x200000000000000(node=0|zone=2) pagetype: 0xffffffff() raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000 raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: pagepool leak Modules linked in: ipgre gre mlx5ib mlx5core xtconntrack xtMASQUERADE nfconntracknetlink nfnetlink iptablenat nfnat xtaddrtype brnetfilter rpcrdma rdmaucm ibiser libiscsi scsitransportiscsi ibumad rdmacm ibipoib iwcm ibcm ibuverbs ibcore overlay zram zsmalloc fuse [last unloaded: mlx5core] CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x36/0x50 badpage+0x70/0xf0 freeunrefpageprepare+0x27a/0x460 freeunrefpage+0x38/0x120 espssgunref.isra.0+0x15f/0x200 espoutputtail+0x66d/0x780 espxmit+0x2c5/0x360 validatexmitxfrm+0x313/0x370 ? validatexmitskb+0x1d/0x330 validatexmitskblist+0x4c/0x70 schdirectxmit+0x23e/0x350 _devqueuexmit+0x337/0xba0 ? nfhookslow+0x3f/0xd0 ipfinishoutput2+0x25e/0x580 iptunnelxmit+0x19b/0x240 iptunnelxmit+0x5fb/0xb60 ipgrexmit+0x14d/0x280 [ipgre] devhardstartxmit+0xc3/0x1c0 _devqueuexmit+0x208/0xba0 ? nfhookslow+0x3f/0xd0 ipfinishoutput2+0x1ca/0x580 ipsublistrcvfinish+0x32/0x40 ipsublistrcv+0x1b2/0x1f0 ? iprcvfinishcore.constprop.0+0x460/0x460 iplistrcv+0x103/0x130 _netifreceiveskblistcore+0x181/0x1e0 netifreceiveskblistinternal+0x1b3/0x2c0 napigroreceive+0xc8/0x200 grocellpoll+0x52/0x90 _napipoll+0x25/0x1a0 netrxaction+0x28e/0x300 _dosoftirq+0xc3/0x276 ? sortrange+0x20/0x20 runksoftirqd+0x1e/0x30 smpbootthreadfn+0xa6/0x130 kthread+0xcd/0x100 ? kthreadcompleteandexit+0x20/0x20 retfromfork+0x31/0x50 ? kthreadcompleteandexit+0x20/0x20 retfromfork_asm+0x11/0x20 </TASK>

The suggested fix is to introduce a new wrapper (skbpageunref) that covers page refcounting for page_pool pages as well.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6a5bcd84e886a9a91982e515c539529c28acdcc2
Fixed
8291b4eac429c480386669444c6377573f5d8664
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6a5bcd84e886a9a91982e515c539529c28acdcc2
Fixed
1abb20a5f4b02fb3020f88456fc1e6069b3cdc45
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6a5bcd84e886a9a91982e515c539529c28acdcc2
Fixed
f278ff9db67264715d0d50e3e75044f8b78990f4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6a5bcd84e886a9a91982e515c539529c28acdcc2
Fixed
c3198822c6cb9fb588e446540485669cc81c5d34

Affected versions

v5.*

v5.13
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.10
v6.7.11
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.7.9
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
6.6.24
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.12
Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.8.3