CVE-2021-47199 is a bug in the Linux kernel's mlx5e Ethernet driver (Mellanox ConnectX adapters), in the hardware offload of the TC connection-tracking (CT) clear action. When a flow carries a ct clear action, the driver adds modify-header (mod hdr) actions to the flow's own mod hdr actions so that the hardware resets the registers holding the connection-tracking state.
The problem shows up when a neighbour update (neigh update) event makes the driver unoffload and then re-offload the flow, which can happen repeatedly over the life of a flow that also carries an encapsulation action. On every re-offload the CT clear handling allocates and adds the reset actions again, with two consequences:
1. **Repeated allocations**: the same set of mod hdr actions is appended on each re-offload, so the flow's action list keeps growing until the maximum number of mod hdr actions is reached and the allocation fails.
2. **Memory leak**: none of the mod hdr actions allocated this way are ever released, so kernel memory is lost on every re-offload.
The fix moves the allocation of the CT clear mod acts into the action-parsing phase, so it happens once when the rule is set up, and the offload path only consumes the already-allocated actions; releasing them becomes part of the normal `flow_put()` teardown together with the flow's other resources.
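To make the lifecycle concrete, the following self-contained C model of the bug and the fix is added here. It is not mlx5e driver code: the action cap, the number of actions a CT clear needs, and every function and struct name are assumptions chosen for the illustration. A neighbour update is modelled as removing the rule from hardware and offloading it again. The buggy path appends the CT clear actions to the flow's own action table on every offload and drops the previous table without freeing it; the fixed path allocates them once when the rule is parsed, builds the hardware table from both parts as scratch, and frees everything in `flow_put()`. A live-allocation counter makes the leak measurable.

```c
/* Added model of the CVE-2021-47199 lifecycle bug; not mlx5e code. Cap, counts and names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_MOD_HDR_ACTIONS 16   /* assumed table cap; the real limit is firmware-specific */
#define USER_NUM_ACTS        2   /* assumed number of header rewrites in the tc rule */
#define CT_CLEAR_NUM_ACTS    3   /* assumed number of register writes a CT clear needs */

static int live_allocs;          /* action tables currently allocated; exposes the leak */
struct mod_hdr_acts { int num_actions; int *actions; };
struct flow { struct mod_hdr_acts mod_acts, ct_clear_acts; };   /* ct_clear_acts: fixed model only */
struct sim_result {
    int reoffloads_ok, first_failure;  /* successful re-installs; 1-based index of first failure, 0 if none */
    int leaked, final_num_acts;        /* tables left allocated after flow_put(); final size of flow table */
};

static int acts_alloc(struct mod_hdr_acts *acts, int n)
{
    acts->actions = calloc((size_t)n, sizeof(int));   /* contents do not matter to the model */
    if (!acts->actions)
        return -ENOMEM;
    acts->num_actions = n;
    live_allocs++;
    return 0;
}

static void acts_free(struct mod_hdr_acts *acts)
{
    if (!acts->actions)
        return;
    free(acts->actions);
    acts->actions = NULL;
    live_allocs--;
}

static int parse_actions(struct flow *f, int fixed)
{
    int err = acts_alloc(&f->mod_acts, USER_NUM_ACTS);
    if (!err && fixed)   /* the fix: CT clear actions are allocated once, here */
        err = acts_alloc(&f->ct_clear_acts, CT_CLEAR_NUM_ACTS);
    return err;
}

/* Table handed to hardware: the rule's own actions plus the CT clear actions. Buggy: it
 * replaces the flow's own table (CT clear actions accumulate) and the old one is never freed. */
static int offload(struct flow *f, int fixed)
{
    struct mod_hdr_acts t;
    int n = f->mod_acts.num_actions;
    int extra = fixed ? f->ct_clear_acts.num_actions : CT_CLEAR_NUM_ACTS;
    int err = acts_alloc(&t, n + extra);
    if (err)
        return err;
    memcpy(t.actions, f->mod_acts.actions, (size_t)n * sizeof(int));
    if (t.num_actions > MAX_MOD_HDR_ACTIONS)   /* hardware stand-in: table too large */
        err = -ENOSPC;
    if (fixed || err) {
        acts_free(&t);   /* fixed: scratch table released; buggy: only on failure */
        return err;
    }
    f->mod_acts = t;   /* buggy: replaces the flow's table; the old one leaks */
    return 0;
}

static void flow_put(struct flow *f)
{
    acts_free(&f->mod_acts);
    acts_free(&f->ct_clear_acts);   /* no-op in the buggy model */
}

/* Install the rule once, replay `updates` neighbour updates (each removes the rule from
 * hardware and re-offloads it), tear the flow down and report what happened. */
static struct sim_result simulate(int updates, int fixed)
{
    struct sim_result r = {0, 0, 0, 0};
    struct flow f = {{0, NULL}, {0, NULL}};
    int before = live_allocs;
    if (parse_actions(&f, fixed) || offload(&f, fixed)) {
        r.first_failure = -1;   /* could not install the rule even once */
        flow_put(&f);
        return r;
    }
    for (int i = 1; i <= updates; i++) {
        if (offload(&f, fixed) == 0)
            r.reoffloads_ok++;
        else if (!r.first_failure)
            r.first_failure = i;
    }
    r.final_num_acts = f.mod_acts.num_actions;
    flow_put(&f);
    r.leaked = live_allocs - before;
    return r;
}

int main(void)
{
    struct sim_result b = simulate(10, 0), g = simulate(10, 1);
    printf("buggy: ok=%d first_fail=%d leaked=%d table=%d\n", b.reoffloads_ok, b.first_failure, b.leaked, b.final_num_acts);
    printf("fixed: ok=%d first_fail=%d leaked=%d table=%d\n", g.reoffloads_ok, g.first_failure, g.leaked, g.final_num_acts);
}
```

With ten neighbour updates and the assumed cap of 16, the buggy flow is re-installed three times (table sizes 8, 11 and 14), fails from the fourth update on because the table would exceed the cap, and leaves four tables unreleased after teardown, one per successful offload. The fixed flow is re-installed ten times with a table of 5 each time and leaves nothing behind. The difference is purely where the allocation lives in the object lifecycle: per flow, freed with the flow, instead of per offload with no owner.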
The bug was introduced in kernel 5.7 by commit 1ef3018f5af3 and fixed in 5.15.5 by commit 486e8de6e233 and in 5.16 by commit 806401c20a0f. The affected files are `drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c`, `drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.h`, and `drivers/net/ethernet/mellanox/mlx5/core/en_tc.c`.
The recommended mitigation is to update to a stable kernel that carries the fix. Exposure requires the affected feature to be in use: only hosts that offload tc flower rules with a `ct clear` action to an mlx5 device are affected (`tc filter show dev <dev> ingress` lists any such rules), and the effect is a kernel memory leak plus, once the action limit is hit, failure to re-offload the flow, both driven by neighbour updates. If updating is not possible, the individual changes can be cherry-picked from the commits above, but this is neither recommended nor supported by the Linux kernel community.