In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrumacltcam: Fix possible use-after-free during rehash
The rehash delayed work migrates filters from one region to another according to the number of available credits.
The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration.
The destruction of a region that still has filters referencing it can result in a use-after-free [1].
Fix by not destroying the region if migration failed.
[1] BUG: KASAN: slab-use-after-free in mlxswspaclctcamregionentryremove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858
CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxswcore mlxswspacltcamvregionrehashwork Call Trace: <TASK> dumpstacklvl+0xc6/0x120 printreport+0xce/0x670 kasanreport+0xd7/0x110 mlxswspaclctcamregionentryremove+0x21d/0x230 mlxswspaclctcamentrydel+0x2e/0x70 mlxswspaclatcamentrydel+0x81/0x210 mlxswspacltcamvchunkmigrateall+0x3cd/0xb50 mlxswspacltcamvregionrehashwork+0x157/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromfork_asm+0x1a/0x30 </TASK>
Allocated by task 174: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 _kasankmalloc+0x8f/0xa0 _kmalloc+0x19c/0x360 mlxswspacltcamregioncreate+0xdf/0x9c0 mlxswspacltcamvregionrehashwork+0x954/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromforkasm+0x1a/0x30
Freed by task 7: kasansavestack+0x33/0x60 kasansavetrack+0x14/0x30 kasansavefreeinfo+0x3b/0x60 poisonslabobject+0x102/0x170 _kasanslabfree+0x14/0x30 kfree+0xc1/0x290 mlxswspacltcamregiondestroy+0x272/0x310 mlxswspacltcamvregionrehashwork+0x731/0x1300 processonework+0x8eb/0x19b0 workerthread+0x6c9/0xf70 kthread+0x2c9/0x3b0 retfromfork+0x4d/0x80 retfromfork_asm+0x1a/0x30