PT-2024-35603 · Linux+7 · Linux Kernel+7
Dragos Tatulea · Published 2024-11-15 · Updated 2025-10-03 · CVE-2024-53138
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.65
Description
The issue is related to incorrect page refcounting in the kTLS handling code of the net/mlx5e module. The code uses a mix of get_page() and page_ref_inc() APIs to increment the page reference, but on the release path, only put_page() is used. This causes a problem when using pages from large folios, as the get_page() references are stored on the folio page, while the page_ref_inc() references are stored directly in the given page. As a result, the folio page will be dereferenced too many times on release. This issue was found during kTLS testing with sendfile() + ZC when the served file was read from NFS on a kernel with NFS large folios support.
Recommendations
To resolve the issue, update to Linux kernel version 6.6.65 or later. As a temporary workaround, consider disabling the mlx5e_ktls_tx_handle_resync_dump_comp() function until a patch is available. Restrict access to the net/mlx5e module to minimize the risk of exploitation. Avoid using the get_page() and page_ref_inc() APIs in combination until the issue is resolved.
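The refcount imbalance from the Description can be reproduced in a small userspace model. This is an added example, not kernel or driver code: struct page, the model_* helpers and run_case() are simplified stand-ins that only mirror where each API stores its reference.

```c
#include <stdio.h>

/* Simplified model: a folio is an array of pages, index 0 is the head page. */
struct page { int refcount; struct page *head; };

static void folio_init(struct page *f, int n) {
    for (int i = 0; i < n; i++) { f[i].refcount = 0; f[i].head = &f[0]; }
    f[0].refcount = 1;   /* reference held by the folio's owner (e.g. page cache) */
}

/* get_page(): the reference is stored on the folio (head) page. */
static void model_get_page(struct page *p)     { p->head->refcount++; }
/* page_ref_inc(): the reference is stored directly in the given page. */
static void model_page_ref_inc(struct page *p) { p->refcount++; }
/* put_page(): the reference is dropped from the folio (head) page. */
static void model_put_page(struct page *p)     { p->head->refcount--; }

/* Take `gets` + `incs` references on page `idx` of a 4-page folio, release
 * all of them with put_page(). Returns the head refcount; *page_left gets
 * the refcount left on the page itself. */
static int run_case(int idx, int gets, int incs, int *page_left) {
    struct page folio[4];
    folio_init(folio, 4);
    struct page *p = &folio[idx];
    for (int i = 0; i < gets; i++) model_get_page(p);
    for (int i = 0; i < incs; i++) model_page_ref_inc(p);
    for (int i = 0; i < gets + incs; i++) model_put_page(p);
    *page_left = p->refcount;
    return folio[0].refcount;
}

int main(void) {
    int left, head;
    head = run_case(2, 2, 0, &left);   /* tail page, get_page() only: balanced */
    printf("tail, get_page only: head=%d page=%d\n", head, left);
    head = run_case(2, 1, 1, &left);   /* tail page, mixed: owner's ref is lost */
    printf("tail, mixed acquire: head=%d page=%d\n", head, left);
    head = run_case(0, 1, 1, &left);   /* head/single page, mixed: still balanced */
    printf("head, mixed acquire: head=%d page=%d\n", head, left);
    return 0;
}
```

In the mixed tail-page case the head count reaches 0 while the owner still holds the folio, and the tail page keeps a stray reference. The third case shows why the mix is invisible when the page is its own head, which matches the report that the bug surfaced only with large folios.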
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu