cve/published/2024/CVE-2024-44970.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44970: net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

 When all the strides in a WQE have been consumed, the WQE is unlinked
 from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible
 to receive CQEs with 0 consumed strides for the same WQE even after the
 WQE is fully consumed and unlinked. This triggers an additional unlink
 for the same wqe which corrupts the linked list.

 Fix this scenario by accepting 0 sized consumed strides without
 unlinking the WQE again.

 The Linux kernel CVE team has assigned CVE-2024-44970 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.16 with commit f97d5c2a453e26071e3b0ec12161de57c4a237c4 and fixed in 6.1.105 with commit 7b379353e9144e1f7460ff15f39862012c9d0d78
 	Issue introduced in 5.16 with commit f97d5c2a453e26071e3b0ec12161de57c4a237c4 and fixed in 6.6.46 with commit 650e24748e1e0a7ff91d5c72b72a2f2a452b5b76
 	Issue introduced in 5.16 with commit f97d5c2a453e26071e3b0ec12161de57c4a237c4 and fixed in 6.10.5 with commit 50d8009a0ac02c3311b23a0066511f8337bd88d9
 	Issue introduced in 5.16 with commit f97d5c2a453e26071e3b0ec12161de57c4a237c4 and fixed in 6.11 with commit fba8334721e266f92079632598e46e5f89082f30

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44970
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlx5/core/en_rx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7b379353e9144e1f7460ff15f39862012c9d0d78
 	https://git.kernel.org/stable/c/650e24748e1e0a7ff91d5c72b72a2f2a452b5b76
 	https://git.kernel.org/stable/c/50d8009a0ac02c3311b23a0066511f8337bd88d9
 	https://git.kernel.org/stable/c/fba8334721e266f92079632598e46e5f89082f30
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44970: net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

	When all the strides in a WQE have been consumed, the WQE is unlinked
	from the WQ linked list (mlx5_wq_ll_pop()). For SHAMPO, it is possible
	to receive CQEs with 0 consumed strides for the same WQE even after the
	WQE is fully consumed and unlinked. This triggers an additional unlink
	for the same wqe which corrupts the linked list.

	Fix this scenario by accepting 0 sized consumed strides without
	unlinking the WQE again.

	The Linux kernel CVE team has assigned CVE-2024-44970 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.16 with commit f97d5c2a453e26071e3b0ec12161de57c4a237c4 and fixed in 6.1.105 with commit 7b379353e9144e1f7460ff15f39862012c9d0d78
	Issue introduced in 5.16 with commit f97d5c2a453e26071e3b0ec12161de57c4a237c4 and fixed in 6.6.46 with commit 650e24748e1e0a7ff91d5c72b72a2f2a452b5b76
	Issue introduced in 5.16 with commit f97d5c2a453e26071e3b0ec12161de57c4a237c4 and fixed in 6.10.5 with commit 50d8009a0ac02c3311b23a0066511f8337bd88d9
	Issue introduced in 5.16 with commit f97d5c2a453e26071e3b0ec12161de57c4a237c4 and fixed in 6.11 with commit fba8334721e266f92079632598e46e5f89082f30

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44970
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/en_rx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7b379353e9144e1f7460ff15f39862012c9d0d78
	https://git.kernel.org/stable/c/650e24748e1e0a7ff91d5c72b72a2f2a452b5b76
	https://git.kernel.org/stable/c/50d8009a0ac02c3311b23a0066511f8337bd88d9
	https://git.kernel.org/stable/c/fba8334721e266f92079632598e46e5f89082f30