{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53121", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-11-19T17:17:24.994Z", "datePublished": "2024-12-02T13:44:51.864Z", "dateUpdated": "2024-12-19T09:39:44.677Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:39:44.677Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fs, lock FTE when checking if active\n\nThe referenced commits introduced a two-step process for deleting FTEs:\n\n- Lock the FTE, delete it from hardware, set the hardware deletion function\n to NULL and unlock the FTE.\n- Lock the parent flow group, delete the software copy of the FTE, and\n remove it from the xarray.\n\nHowever, this approach encounters a race condition if a rule with the same\nmatch value is added simultaneously. In this scenario, fs_core may set the\nhardware deletion function to NULL prematurely, causing a panic during\nsubsequent rule deletions.\n\nTo prevent this, ensure the active flag of the FTE is checked under a lock,\nwhich will prevent the fs_core layer from attaching a new steering rule to\nan FTE that is in the process of deletion.\n\n[ 438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func\n[ 438.968205] ------------[ cut here ]------------\n[ 438.968654] refcount_t: decrement hit 0; leaking memory.\n[ 438.969249] WARNING: CPU: 0 PID: 8957 at lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110\n[ 438.970054] Modules linked in: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [last unloaded: cls_flower]\n[ 438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc Not tainted 6.12.0-rc1+ #8\n[ 438.973888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110\n[ 438.975363] Code: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff <0f> 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90\n[ 438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286\n[ 438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000\n[ 438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0\n[ 438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0\n[ 438.979353] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888119d56de0\n[ 438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0\n[ 438.980607] FS: 00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000\n[ 438.983984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0\n[ 438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 438.986507] Call Trace:\n[ 438.986799] <TASK>\n[ 438.987070] ? __warn+0x7d/0x110\n[ 438.987426] ? refcount_warn_saturate+0xfb/0x110\n[ 438.987877] ? report_bug+0x17d/0x190\n[ 438.988261] ? prb_read_valid+0x17/0x20\n[ 438.988659] ? handle_bug+0x53/0x90\n[ 438.989054] ? exc_invalid_op+0x14/0x70\n[ 438.989458] ? asm_exc_invalid_op+0x16/0x20\n[ 438.989883] ? refcount_warn_saturate+0xfb/0x110\n[ 438.990348] mlx5_del_flow_rules+0x2f7/0x340 [mlx5_core]\n[ 438.990932] __mlx5_eswitch_del_rule+0x49/0x170 [mlx5_core]\n[ 438.991519] ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core]\n[ 438.992054] ? xas_load+0x9/0xb0\n[ 438.992407] mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core]\n[ 438.993037] mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core]\n[ 438.993623] mlx5e_flow_put+0x29/0x60 [mlx5_core]\n[ 438.994161] mlx5e_delete_flower+0x261/0x390 [mlx5_core]\n[ 438.994728] tc_setup_cb_destroy+0xb9/0x190\n[ 438.995150] fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\n[ 438.995650] fl_change+0x11a4/0x13c0 [cls_flower]\n[ 438.996105] tc_new_tfilter+0x347/0xbc0\n[ 438.996503] ? __\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/fs_core.c"], "versions": [{"version": "718ce4d601dbf73b5dbe024a88c9e34168fe87f2", "lessThan": "0d568258f99f2076ab02e9234cbabbd43e12f30e", "status": "affected", "versionType": "git"}, {"version": "718ce4d601dbf73b5dbe024a88c9e34168fe87f2", "lessThan": "a508c74ceae2f5a4647f67c362126516d6404ed9", "status": "affected", "versionType": "git"}, {"version": "718ce4d601dbf73b5dbe024a88c9e34168fe87f2", "lessThan": "5b47c2f47c2fe921681f4a4fe2790375e6c04cdd", "status": "affected", "versionType": "git"}, {"version": "718ce4d601dbf73b5dbe024a88c9e34168fe87f2", "lessThan": "bfba288f53192db08c68d4c568db9783fb9cb838", "status": "affected", "versionType": "git"}, {"version": "718ce4d601dbf73b5dbe024a88c9e34168fe87f2", "lessThan": "094d1a2121cee1e85ab07d74388f94809dcfb5b9", "status": "affected", "versionType": "git"}, {"version": "718ce4d601dbf73b5dbe024a88c9e34168fe87f2", "lessThan": "933ef0d17f012b653e9e6006e3f50c8d0238b5ed", "status": "affected", "versionType": "git"}, {"version": "718ce4d601dbf73b5dbe024a88c9e34168fe87f2", "lessThan": "9ca314419930f9135727e39d77e66262d5f7bef6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/fs_core.c"], "versions": [{"version": "5.1", "status": "affected"}, {"version": "0", "lessThan": "5.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.287", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.231", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.174", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.119", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.63", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.10", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/0d568258f99f2076ab02e9234cbabbd43e12f30e"}, {"url": "https://git.kernel.org/stable/c/a508c74ceae2f5a4647f67c362126516d6404ed9"}, {"url": "https://git.kernel.org/stable/c/5b47c2f47c2fe921681f4a4fe2790375e6c04cdd"}, {"url": "https://git.kernel.org/stable/c/bfba288f53192db08c68d4c568db9783fb9cb838"}, {"url": "https://git.kernel.org/stable/c/094d1a2121cee1e85ab07d74388f94809dcfb5b9"}, {"url": "https://git.kernel.org/stable/c/933ef0d17f012b653e9e6006e3f50c8d0238b5ed"}, {"url": "https://git.kernel.org/stable/c/9ca314419930f9135727e39d77e66262d5f7bef6"}], "title": "net/mlx5: fs, lock FTE when checking if active", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE71E822-45A0-4A8A-96CD-35A5E7AFD5D2", "versionEndExcluding": "6.1.119", "versionStartIncluding": "5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8800BB45-48BC-4B52-BDA5-B1E4633F42E5", "versionEndExcluding": "6.6.63", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C256F46A-AFDD-4B99-AA4F-67D9D9D2C55A", "versionEndExcluding": "6.11.10", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*", "matchCriteriaId": "24DBE6C7-2AAE-4818-AED2-E131F153D2FA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*", "matchCriteriaId": "24B88717-53F5-42AA-9B72-14C707639E3F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*", "matchCriteriaId": "1EF8CD82-1EAE-4254-9545-F85AB94CF90F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fs, lock FTE when checking if active\n\nThe referenced commits introduced a two-step process for deleting FTEs:\n\n- Lock the FTE, delete it from hardware, set the hardware deletion function\n to NULL and unlock the FTE.\n- Lock the parent flow group, delete the software copy of the FTE, and\n remove it from the xarray.\n\nHowever, this approach encounters a race condition if a rule with the same\nmatch value is added simultaneously. In this scenario, fs_core may set the\nhardware deletion function to NULL prematurely, causing a panic during\nsubsequent rule deletions.\n\nTo prevent this, ensure the active flag of the FTE is checked under a lock,\nwhich will prevent the fs_core layer from attaching a new steering rule to\nan FTE that is in the process of deletion.\n\n[ 438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func\n[ 438.968205] ------------[ cut here ]------------\n[ 438.968654] refcount_t: decrement hit 0; leaking memory.\n[ 438.969249] WARNING: CPU: 0 PID: 8957 at lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110\n[ 438.970054] Modules linked in: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [last unloaded: cls_flower]\n[ 438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc Not tainted 6.12.0-rc1+ #8\n[ 438.973888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110\n[ 438.975363] Code: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff <0f> 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90\n[ 438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286\n[ 438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000\n[ 438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0\n[ 438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0\n[ 438.979353] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888119d56de0\n[ 438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0\n[ 438.980607] FS: 00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000\n[ 438.983984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0\n[ 438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 438.986507] Call Trace:\n[ 438.986799] <TASK>\n[ 438.987070] ? __warn+0x7d/0x110\n[ 438.987426] ? refcount_warn_saturate+0xfb/0x110\n[ 438.987877] ? report_bug+0x17d/0x190\n[ 438.988261] ? prb_read_valid+0x17/0x20\n[ 438.988659] ? handle_bug+0x53/0x90\n[ 438.989054] ? exc_invalid_op+0x14/0x70\n[ 438.989458] ? asm_exc_invalid_op+0x16/0x20\n[ 438.989883] ? refcount_warn_saturate+0xfb/0x110\n[ 438.990348] mlx5_del_flow_rules+0x2f7/0x340 [mlx5_core]\n[ 438.990932] __mlx5_eswitch_del_rule+0x49/0x170 [mlx5_core]\n[ 438.991519] ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core]\n[ 438.992054] ? xas_load+0x9/0xb0\n[ 438.992407] mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core]\n[ 438.993037] mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core]\n[ 438.993623] mlx5e_flow_put+0x29/0x60 [mlx5_core]\n[ 438.994161] mlx5e_delete_flower+0x261/0x390 [mlx5_core]\n[ 438.994728] tc_setup_cb_destroy+0xb9/0x190\n[ 438.995150] fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\n[ 438.995650] fl_change+0x11a4/0x13c0 [cls_flower]\n[ 438.996105] tc_new_tfilter+0x347/0xbc0\n[ 438.996503] ? __\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: fs, bloquear FTE al verificar si est\u00e1 activo Las confirmaciones a las que se hace referencia introdujeron un proceso de dos pasos para eliminar FTE: - Bloquear el FTE, eliminarlo del hardware, establecer la funci\u00f3n de eliminaci\u00f3n de hardware en NULL y desbloquear el FTE. - Bloquear el grupo de flujo principal, eliminar la copia de software del FTE y eliminarlo de la matriz x. Sin embargo, este enfoque encuentra una condici\u00f3n de carrera si se agrega simult\u00e1neamente una regla con el mismo valor de coincidencia. En este escenario, fs_core puede establecer la funci\u00f3n de eliminaci\u00f3n de hardware en NULL de forma prematura, lo que provoca un p\u00e1nico durante las eliminaciones de reglas posteriores. Para evitar esto, aseg\u00farese de que el indicador activo del FTE est\u00e9 marcado bajo un bloqueo, lo que evitar\u00e1 que la capa fs_core adjunte una nueva regla de direcci\u00f3n a un FTE que est\u00e9 en proceso de eliminaci\u00f3n. [ 438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func [ 438.968205] ------------[ cortar aqu\u00ed ]------------ [ 438.968654] refcount_t: el decremento lleg\u00f3 a 0; p\u00e9rdida de memoria. [ 438.969249] ADVERTENCIA: CPU: 0 PID: 8957 en lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110 [ 438.970054] M\u00f3dulos vinculados en: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry superposici\u00f3n rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [\u00faltima descarga: cls_flower] [ 438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc No contaminado 6.12.0-rc1+ #8 [ 438.973888] Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110 [ 438.975363] C\u00f3digo: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff &lt;0f&gt; 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 [ 438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286 [ 438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000 [ 438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0 [ 438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0 [ 438.979353] R10: 0000000000000001 R11: 00000000000000001 R12: ffff888119d56de0 [ 438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0 [ 438.980607] FS: 00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 [ 438.983984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0 [ 438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 000000000000000 [ 438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 438.986507] Seguimiento de llamadas: [ 438.986799] [ 438.987070] ? __warn+0x7d/0x110 [ 438.987426] ? refcount_warn_saturate+0xfb/0x110 [ 438.987877] ? report_bug+0x17d/0x190 [ 438.988261] ? prb_read_valid+0x17/0x20 [ 438.988659] ? handle_bug+0x53/0x90 [ 438.989054] ? exc_invalid_op+0x14/0x70 [ 438.989458] ? asm_exc_invalid_op+0x16/0x20 [ 438.989883] ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core] [ 438.992054] ? xas_load+0x9/0xb0 [438.992407] mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core] [438.993037] mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core] [438.993623] mlx5e_flow_put+0x29/0x60 [mlx5_core] [438.994161] mlx5e_delete_flower+0x261/0x390 [mlx5_core] [438.994728] tc_setup_cb_destroy+0xb9/0x190 [438.995150] fl_hw_destroy_filter+0x94/0xc0 [cls_flower] [ 438.995650] fl_change+0x11a4/0x13c0 [cls_flower] [ 438.996105] tc_new_tfilter+0x347/0xbc0 [ 438.996503] ? __ ---truncado---"}], "id": "CVE-2024-53121", "lastModified": "2024-12-14T21:15:36.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-12-02T14:15:12.877", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/094d1a2121cee1e85ab07d74388f94809dcfb5b9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d568258f99f2076ab02e9234cbabbd43e12f30e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5b47c2f47c2fe921681f4a4fe2790375e6c04cdd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/933ef0d17f012b653e9e6006e3f50c8d0238b5ed"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9ca314419930f9135727e39d77e66262d5f7bef6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a508c74ceae2f5a4647f67c362126516d6404ed9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bfba288f53192db08c68d4c568db9783fb9cb838"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net/mlx5: fs, lock FTE when checking if active", "id": "2329936", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329936"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/mlx5: fs, lock FTE when checking if active\nThe referenced commits introduced a two-step process for deleting FTEs:\n- Lock the FTE, delete it from hardware, set the hardware deletion function\nto NULL and unlock the FTE.\n- Lock the parent flow group, delete the software copy of the FTE, and\nremove it from the xarray.\nHowever, this approach encounters a race condition if a rule with the same\nmatch value is added simultaneously. In this scenario, fs_core may set the\nhardware deletion function to NULL prematurely, causing a panic during\nsubsequent rule deletions.\nTo prevent this, ensure the active flag of the FTE is checked under a lock,\nwhich will prevent the fs_core layer from attaching a new steering rule to\nan FTE that is in the process of deletion.\n[ 438.967589] MOSHE: 2496 mlx5_del_flow_rules del_hw_func\n[ 438.968205] ------------[ cut here ]------------\n[ 438.968654] refcount_t: decrement hit 0; leaking memory.\n[ 438.969249] WARNING: CPU: 0 PID: 8957 at lib/refcount.c:31 refcount_warn_saturate+0xfb/0x110\n[ 438.970054] Modules linked in: act_mirred cls_flower act_gact sch_ingress openvswitch nsh mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core zram zsmalloc fuse [last unloaded: cls_flower]\n[ 438.973288] CPU: 0 UID: 0 PID: 8957 Comm: tc Not tainted 6.12.0-rc1+ #8\n[ 438.973888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 438.974874] RIP: 0010:refcount_warn_saturate+0xfb/0x110\n[ 438.975363] Code: 40 66 3b 82 c6 05 16 e9 4d 01 01 e8 1f 7c a0 ff 0f 0b c3 cc cc cc cc 48 c7 c7 10 66 3b 82 c6 05 fd e8 4d 01 01 e8 05 7c a0 ff <0f> 0b c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90\n[ 438.976947] RSP: 0018:ffff888124a53610 EFLAGS: 00010286\n[ 438.977446] RAX: 0000000000000000 RBX: ffff888119d56de0 RCX: 0000000000000000\n[ 438.978090] RDX: ffff88852c828700 RSI: ffff88852c81b3c0 RDI: ffff88852c81b3c0\n[ 438.978721] RBP: ffff888120fa0e88 R08: 0000000000000000 R09: ffff888124a534b0\n[ 438.979353] R10: 0000000000000001 R11: 0000000000000001 R12: ffff888119d56de0\n[ 438.979979] R13: ffff888120fa0ec0 R14: ffff888120fa0ee8 R15: ffff888119d56de0\n[ 438.980607] FS: 00007fe6dcc0f800(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000\n[ 438.983984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 438.984544] CR2: 00000000004275e0 CR3: 0000000186982001 CR4: 0000000000372eb0\n[ 438.985205] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 438.985842] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 438.986507] Call Trace:\n[ 438.986799] <TASK>\n[ 438.987070] ? __warn+0x7d/0x110\n[ 438.987426] ? refcount_warn_saturate+0xfb/0x110\n[ 438.987877] ? report_bug+0x17d/0x190\n[ 438.988261] ? prb_read_valid+0x17/0x20\n[ 438.988659] ? handle_bug+0x53/0x90\n[ 438.989054] ? exc_invalid_op+0x14/0x70\n[ 438.989458] ? asm_exc_invalid_op+0x16/0x20\n[ 438.989883] ? refcount_warn_saturate+0xfb/0x110\n[ 438.990348] mlx5_del_flow_rules+0x2f7/0x340 [mlx5_core]\n[ 438.990932] __mlx5_eswitch_del_rule+0x49/0x170 [mlx5_core]\n[ 438.991519] ? mlx5_lag_is_sriov+0x3c/0x50 [mlx5_core]\n[ 438.992054] ? xas_load+0x9/0xb0\n[ 438.992407] mlx5e_tc_rule_unoffload+0x45/0xe0 [mlx5_core]\n[ 438.993037] mlx5e_tc_del_fdb_flow+0x2a6/0x2e0 [mlx5_core]\n[ 438.993623] mlx5e_flow_put+0x29/0x60 [mlx5_core]\n[ 438.994161] mlx5e_delete_flower+0x261/0x390 [mlx5_core]\n[ 438.994728] tc_setup_cb_destroy+0xb9/0x190\n[ 438.995150] fl_hw_destroy_filter+0x94/0xc0 [cls_flower]\n[ 438.995650] fl_change+0x11a4/0x13c0 [cls_flower]\n[ 438.996105] tc_new_tfilter+0x347/0xbc0\n[ 438.996503] ? __\n---truncated---"], "name": "CVE-2024-53121", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-12-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53121\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53121\nhttps://lore.kernel.org/linux-cve-announce/2024120252-CVE-2024-53121-34da@gregkh/T"], "threat_severity": "Moderate"}