CVE-2023-54216 (GCVE-0-2023-54216)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
Title
net/mlx5e: TC, Fix using eswitch mapping in nic mode
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix using eswitch mapping in nic mode Cited patch is using the eswitch object mapping pool while in nic mode where it isn't initialized. This results in the trace below [0]. Fix that by using either nic or eswitch object mapping pool depending if eswitch is enabled or not. [0]: [ 826.446057] ================================================================== [ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233 [ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1 [ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 826.449785] Call Trace: [ 826.450052] <TASK> [ 826.450302] dump_stack_lvl+0x33/0x50 [ 826.450650] print_report+0xc2/0x610 [ 826.450998] ? __virt_addr_valid+0xb1/0x130 [ 826.451385] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.451935] kasan_report+0xae/0xe0 [ 826.452276] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.452829] mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.453368] ? __kmalloc_node+0x5a/0x120 [ 826.453733] esw_add_restore_rule+0x20f/0x270 [mlx5_core] [ 826.454288] ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core] [ 826.455011] ? mutex_unlock+0x80/0xd0 [ 826.455361] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210 [ 826.455862] ? mapping_add+0x2cb/0x440 [mlx5_core] [ 826.456425] mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core] [ 826.457058] ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core] [ 826.457636] ? __kasan_kmalloc+0x77/0x90 [ 826.458000] ? __kmalloc+0x57/0x120 [ 826.458336] mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core] [ 826.458916] ? ct_kernel_enter.constprop.0+0x48/0xa0 [ 826.459360] ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core] [ 826.459933] ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core] [ 826.460507] ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core] [ 826.461046] ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core] [ 826.461635] mlx5e_configure_flower+0x969/0x2110 [mlx5_core] [ 826.462217] ? _raw_spin_lock_bh+0x85/0xe0 [ 826.462597] ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core] [ 826.463163] ? kasan_save_stack+0x2e/0x40 [ 826.463534] ? down_read+0x115/0x1b0 [ 826.463878] ? down_write_killable+0x110/0x110 [ 826.464288] ? tc_setup_action.part.0+0x9f/0x3b0 [ 826.464701] ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core] [ 826.465253] ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core] [ 826.465878] tc_setup_cb_add+0x112/0x250 [ 826.466247] fl_hw_replace_filter+0x230/0x310 [cls_flower] [ 826.466724] ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower] [ 826.467212] fl_change+0x14e1/0x2030 [cls_flower] [ 826.467636] ? sock_def_readable+0x89/0x120 [ 826.468019] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower] [ 826.468509] ? kasan_unpoison+0x23/0x50 [ 826.468873] ? get_random_u16+0x180/0x180 [ 826.469244] ? __radix_tree_lookup+0x2b/0x130 [ 826.469640] ? fl_get+0x7b/0x140 [cls_flower] [ 826.470042] ? fl_mask_put+0x200/0x200 [cls_flower] [ 826.470478] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210 [ 826.470973] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower] [ 826.471427] tc_new_tfilter+0x644/0x1050 [ 826.471795] ? tc_get_tfilter+0x860/0x860 [ 826.472170] ? __thaw_task+0x130/0x130 [ 826.472525] ? arch_stack_walk+0x98/0xf0 [ 826.472892] ? cap_capable+0x9f/0xd0 [ 826.473235] ? security_capable+0x47/0x60 [ 826.473608] rtnetlink_rcv_msg+0x1d5/0x550 [ 826.473985] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 826.474383] ? __stack_depot_save+0x35/0x4c0 [ 826.474779] ? kasan_save_stack+0x2e/0x40 [ 826.475149] ? kasan_save_stack+0x1e/0x40 [ 826.475518] ? __kasan_record_aux_stack+0x9f/0xb0 [ 826.475939] ? task_work_add+0x77/0x1c0 [ 826.476305] netlink_rcv_skb+0xe0/0x210 ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 6702782845a5bf381a19b204c369e63420041665 , < 4150441c010dec36abc389828e2e4758bd8ad4b3 (git)
Affected: 6702782845a5bf381a19b204c369e63420041665 , < dfa1e46d6093831b9d49f0f350227a1d13644a2f (git)
Create a notification for this product.
    Linux Linux Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.3.6 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4150441c010dec36abc389828e2e4758bd8ad4b3",
              "status": "affected",
              "version": "6702782845a5bf381a19b204c369e63420041665",
              "versionType": "git"
            },
            {
              "lessThan": "dfa1e46d6093831b9d49f0f350227a1d13644a2f",
              "status": "affected",
              "version": "6702782845a5bf381a19b204c369e63420041665",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.6",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix using eswitch mapping in nic mode\n\nCited patch is using the eswitch object mapping pool while\nin nic mode where it isn\u0027t initialized. This results in the\ntrace below [0].\n\nFix that by using either nic or eswitch object mapping pool\ndepending if eswitch is enabled or not.\n\n[0]:\n[  826.446057] ==================================================================\n[  826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233\n\n[  826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G        W          6.3.0-rc6+ #1\n[  826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[  826.449785] Call Trace:\n[  826.450052]  \u003cTASK\u003e\n[  826.450302]  dump_stack_lvl+0x33/0x50\n[  826.450650]  print_report+0xc2/0x610\n[  826.450998]  ? __virt_addr_valid+0xb1/0x130\n[  826.451385]  ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.451935]  kasan_report+0xae/0xe0\n[  826.452276]  ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.452829]  mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\n[  826.453368]  ? __kmalloc_node+0x5a/0x120\n[  826.453733]  esw_add_restore_rule+0x20f/0x270 [mlx5_core]\n[  826.454288]  ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core]\n[  826.455011]  ? mutex_unlock+0x80/0xd0\n[  826.455361]  ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\n[  826.455862]  ? mapping_add+0x2cb/0x440 [mlx5_core]\n[  826.456425]  mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core]\n[  826.457058]  ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core]\n[  826.457636]  ? __kasan_kmalloc+0x77/0x90\n[  826.458000]  ? __kmalloc+0x57/0x120\n[  826.458336]  mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core]\n[  826.458916]  ? ct_kernel_enter.constprop.0+0x48/0xa0\n[  826.459360]  ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core]\n[  826.459933]  ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core]\n[  826.460507]  ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core]\n[  826.461046]  ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core]\n[  826.461635]  mlx5e_configure_flower+0x969/0x2110 [mlx5_core]\n[  826.462217]  ? _raw_spin_lock_bh+0x85/0xe0\n[  826.462597]  ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core]\n[  826.463163]  ? kasan_save_stack+0x2e/0x40\n[  826.463534]  ? down_read+0x115/0x1b0\n[  826.463878]  ? down_write_killable+0x110/0x110\n[  826.464288]  ? tc_setup_action.part.0+0x9f/0x3b0\n[  826.464701]  ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core]\n[  826.465253]  ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core]\n[  826.465878]  tc_setup_cb_add+0x112/0x250\n[  826.466247]  fl_hw_replace_filter+0x230/0x310 [cls_flower]\n[  826.466724]  ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower]\n[  826.467212]  fl_change+0x14e1/0x2030 [cls_flower]\n[  826.467636]  ? sock_def_readable+0x89/0x120\n[  826.468019]  ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\n[  826.468509]  ? kasan_unpoison+0x23/0x50\n[  826.468873]  ? get_random_u16+0x180/0x180\n[  826.469244]  ? __radix_tree_lookup+0x2b/0x130\n[  826.469640]  ? fl_get+0x7b/0x140 [cls_flower]\n[  826.470042]  ? fl_mask_put+0x200/0x200 [cls_flower]\n[  826.470478]  ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\n[  826.470973]  ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\n[  826.471427]  tc_new_tfilter+0x644/0x1050\n[  826.471795]  ? tc_get_tfilter+0x860/0x860\n[  826.472170]  ? __thaw_task+0x130/0x130\n[  826.472525]  ? arch_stack_walk+0x98/0xf0\n[  826.472892]  ? cap_capable+0x9f/0xd0\n[  826.473235]  ? security_capable+0x47/0x60\n[  826.473608]  rtnetlink_rcv_msg+0x1d5/0x550\n[  826.473985]  ? rtnl_calcit.isra.0+0x1f0/0x1f0\n[  826.474383]  ? __stack_depot_save+0x35/0x4c0\n[  826.474779]  ? kasan_save_stack+0x2e/0x40\n[  826.475149]  ? kasan_save_stack+0x1e/0x40\n[  826.475518]  ? __kasan_record_aux_stack+0x9f/0xb0\n[  826.475939]  ? task_work_add+0x77/0x1c0\n[  826.476305]  netlink_rcv_skb+0xe0/0x210\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:11:12.730Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4150441c010dec36abc389828e2e4758bd8ad4b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfa1e46d6093831b9d49f0f350227a1d13644a2f"
        }
      ],
      "title": "net/mlx5e: TC, Fix using eswitch mapping in nic mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54216",
    "datePublished": "2025-12-30T12:11:12.730Z",
    "dateReserved": "2025-12-30T12:06:44.500Z",
    "dateUpdated": "2025-12-30T12:11:12.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54216\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:09.850\",\"lastModified\":\"2025-12-30T13:16:09.850\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: TC, Fix using eswitch mapping in nic mode\\n\\nCited patch is using the eswitch object mapping pool while\\nin nic mode where it isn\u0027t initialized. This results in the\\ntrace below [0].\\n\\nFix that by using either nic or eswitch object mapping pool\\ndepending if eswitch is enabled or not.\\n\\n[0]:\\n[  826.446057] ==================================================================\\n[  826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\\n[  826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233\\n\\n[  826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G        W          6.3.0-rc6+ #1\\n[  826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\\n[  826.449785] Call Trace:\\n[  826.450052]  \u003cTASK\u003e\\n[  826.450302]  dump_stack_lvl+0x33/0x50\\n[  826.450650]  print_report+0xc2/0x610\\n[  826.450998]  ? __virt_addr_valid+0xb1/0x130\\n[  826.451385]  ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\\n[  826.451935]  kasan_report+0xae/0xe0\\n[  826.452276]  ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\\n[  826.452829]  mlx5_add_flow_rules+0x30/0x490 [mlx5_core]\\n[  826.453368]  ? __kmalloc_node+0x5a/0x120\\n[  826.453733]  esw_add_restore_rule+0x20f/0x270 [mlx5_core]\\n[  826.454288]  ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core]\\n[  826.455011]  ? mutex_unlock+0x80/0xd0\\n[  826.455361]  ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\\n[  826.455862]  ? mapping_add+0x2cb/0x440 [mlx5_core]\\n[  826.456425]  mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core]\\n[  826.457058]  ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core]\\n[  826.457636]  ? __kasan_kmalloc+0x77/0x90\\n[  826.458000]  ? __kmalloc+0x57/0x120\\n[  826.458336]  mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core]\\n[  826.458916]  ? ct_kernel_enter.constprop.0+0x48/0xa0\\n[  826.459360]  ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core]\\n[  826.459933]  ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core]\\n[  826.460507]  ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core]\\n[  826.461046]  ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core]\\n[  826.461635]  mlx5e_configure_flower+0x969/0x2110 [mlx5_core]\\n[  826.462217]  ? _raw_spin_lock_bh+0x85/0xe0\\n[  826.462597]  ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core]\\n[  826.463163]  ? kasan_save_stack+0x2e/0x40\\n[  826.463534]  ? down_read+0x115/0x1b0\\n[  826.463878]  ? down_write_killable+0x110/0x110\\n[  826.464288]  ? tc_setup_action.part.0+0x9f/0x3b0\\n[  826.464701]  ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core]\\n[  826.465253]  ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core]\\n[  826.465878]  tc_setup_cb_add+0x112/0x250\\n[  826.466247]  fl_hw_replace_filter+0x230/0x310 [cls_flower]\\n[  826.466724]  ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower]\\n[  826.467212]  fl_change+0x14e1/0x2030 [cls_flower]\\n[  826.467636]  ? sock_def_readable+0x89/0x120\\n[  826.468019]  ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\\n[  826.468509]  ? kasan_unpoison+0x23/0x50\\n[  826.468873]  ? get_random_u16+0x180/0x180\\n[  826.469244]  ? __radix_tree_lookup+0x2b/0x130\\n[  826.469640]  ? fl_get+0x7b/0x140 [cls_flower]\\n[  826.470042]  ? fl_mask_put+0x200/0x200 [cls_flower]\\n[  826.470478]  ? __mutex_unlock_slowpath.constprop.0+0x210/0x210\\n[  826.470973]  ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower]\\n[  826.471427]  tc_new_tfilter+0x644/0x1050\\n[  826.471795]  ? tc_get_tfilter+0x860/0x860\\n[  826.472170]  ? __thaw_task+0x130/0x130\\n[  826.472525]  ? arch_stack_walk+0x98/0xf0\\n[  826.472892]  ? cap_capable+0x9f/0xd0\\n[  826.473235]  ? security_capable+0x47/0x60\\n[  826.473608]  rtnetlink_rcv_msg+0x1d5/0x550\\n[  826.473985]  ? rtnl_calcit.isra.0+0x1f0/0x1f0\\n[  826.474383]  ? __stack_depot_save+0x35/0x4c0\\n[  826.474779]  ? kasan_save_stack+0x2e/0x40\\n[  826.475149]  ? kasan_save_stack+0x1e/0x40\\n[  826.475518]  ? __kasan_record_aux_stack+0x9f/0xb0\\n[  826.475939]  ? task_work_add+0x77/0x1c0\\n[  826.476305]  netlink_rcv_skb+0xe0/0x210\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4150441c010dec36abc389828e2e4758bd8ad4b3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dfa1e46d6093831b9d49f0f350227a1d13644a2f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.