Dragos Tatulea

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.65 **Description** The issue is related to incorrect page refcounting in the kTLS handling code of the net/mlx5e module. The code uses a mix of `get page()` and `page ref inc()` APIs to increment the page reference, but on the release path, only `put page()` is used. This causes a problem when using pages from large folios, as the `get page()` references are stored on the folio page, while the `page ref inc()` references are stored directly in the given page. As a result, the folio page will be dereferenced too many times on release. This issue was found during kTLS testing with `sendfile()` + ZC when the served file was read from NFS on a kernel with NFS large folios support. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.65 or later. As a temporary workaround, consider disabling the `mlx5e ktls tx handle resync dump comp()` function until a patch is available. Restrict access to the `net/mlx5e` module to minimize the risk of exploitation. Avoid using the `get page()` and `page ref inc()` APIs in combination until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** The issue concerns the Linux kernel, specifically the vhost vdpa component. It involves the incorrect assignment of the irq bypass producer token. The problem arises because the `irq bypass unregister producer()` function is called in `vhost vdpa setup vq irq()`, which can lead to issues with the token pointer's validity. The token's lifecycle should be tied to `VHOST SET VRING CALL` instead of `vhost vdpa setup vq irq()`. To fix this, the irq bypass producer's token is set up when handling `VHOST SET VRING CALL`, and the producer is unregistered before calling `vhost vring ioctl()` to prevent a possible use after free, as `eventfd` could have been released in `vhost vring ioctl()`. This registration and unregistration occur only if `DRIVER OK` is set. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the `vhost vdpa setup vq irq()` function until a patch is available. Restrict access to the `vhost vdpa` component to minimize the risk of exploitation. Avoid using the `eventfd ctx` as a token in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.14.0-496.el9.x86 64 **Description** The Linux kernel has a vulnerability in the vdpa/mlx5 module, where certain error paths from `mlx5 vdpa dev add()` can release mr resources that were never initialized. This issue is resolved by adding a missing check in `mlx5 vdpa destroy mr resources()` to block the release of non-initialized mr resources. The vulnerability can cause a kernel NULL pointer dereference. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for this vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the net/mlx5e component in the Linux kernel, where the `mlx5e safe reopen channels()` function requires the state lock to be taken. A previous change removed the lock to fix another issue, but this patch adds it back at a later point to avoid a deadlock. The `mlx5e safe reopen channels()` function is called during the tx timeout reporter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises in the Linux kernel's net/mlx5e module, specifically with the SHAMPO (Shared Header And Memory Pool Optimization) feature. Under certain conditions, a new skb (socket buffer) is formed with a regular data page instead of a SHAMPO header page. Later, in the `mlx5e handle rx cqe mpwrq shampo()` function, a SHAMPO header page is released from the `header index`. This leads to SHAMPO header pages being released more than once, which is incorrect. The conditions for this to occur are: 1) no skb has been created yet, 2) `header size` equals 0 (indicating no SHAMPO header), and 3) `header index + 1 % MLX5E SHAMPO WQ HEADER PER PAGE` equals 0, marking the last page fragment of a SHAMPO header page. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.50 **Description** The issue arises in the net/mlx5e component of the Linux kernel, specifically with the SHAMPO feature. When all strides in a Work Queue Element (WQE) are consumed, the WQE is unlinked from the Work Queue (WQ) linked list using the `mlx5 wq ll pop()` function. However, for SHAMPO, it's possible to receive Completion Queue Entries (CQEs) with 0 consumed strides for the same WQE even after it's fully consumed and unlinked. This triggers an additional unlink for the same WQE, corrupting the linked list. The fix involves accepting 0-sized consumed strides without unlinking the WQE again. **Recommendations** To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider restricting access to the vulnerable `net/mlx5e` component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.1.0 **Description** The vulnerability is related to the IB/IPoIB component of the Linux kernel, which can cause a crash when traffic is sent over the PKEY interface due to a mismatch in the number of queues between the parent and child interfaces. This issue is caused by the creation of child PKEY interfaces over netlink with multiple tx and rx queues, while some devices only support one tx and one rx queue. The patch fixes the number of queues to 1 for legacy IPoIB at the earliest possible point in time. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the IB/IPoIB vulnerability. Specifically, for Linux kernel versions prior to 6.1.0, update to version 6.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.3.3 **Description** The issue allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging improper access to a certain error field in the ext4 journal stop function. **Recommendations** For versions prior to 4.3.3, update to version 4.3.3 or later to resolve the issue.