CVE-2024-49953

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix crash caused by calling _xfrmstate_delete() twice

The km.state is not checked in driver's delayed work. When xfrmstatecheckexpire() is called, the state can be reset to XFRMSTATEEXPIRED, even if it is XFRMSTATEDEAD already. This happens when xfrm state is deleted, but not freed yet. As _xfrmstatedelete() is called again in xfrm timer, the following crash occurs.

To fix this issue, skip xfrmstatecheckexpire() if km.state is not XFRMSTATE_VALID.

Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5eipsec: eth%d mlx5eipsechandleswlimits [mlx5core] RIP: 0010:_xfrmstatedelete+0x3d/0x1b0 Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48 RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246 RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036 RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980 RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000 R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246 R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400 FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> ? dieaddr+0x33/0x90 ? excgeneralprotection+0x1a2/0x390 ? asmexcgeneralprotection+0x22/0x30 ? _xfrmstatedelete+0x3d/0x1b0 ? _xfrmstatedelete+0x2f/0x1b0 xfrmtimerhandler+0x174/0x350 ? _xfrmstatedelete+0x1b0/0x1b0 _hrtimerrunqueues+0x121/0x270 hrtimerrunsoftirq+0x88/0xd0 handlesoftirqs+0xcc/0x270 dosoftirq+0x3c/0x50 </IRQ> <TASK> _localbhenableip+0x47/0x50 mlx5eipsechandleswlimits+0x7d/0x90 [mlx5core] processonework+0x137/0x2d0 workerthread+0x28d/0x3a0 ? rescuerthread+0x480/0x480 kthread+0xb8/0xe0 ? kthreadpark+0x80/0x80 retfromfork+0x2d/0x50 ? kthreadpark+0x80/0x80 retfromfork_asm+0x11/0x20 </TASK>