CVE-2023-54106

Root

Cause In the Linux kernel's net/mlx5 driver, the function mlx5e_init_rep_rx allocates memory for priv->rx_res. However, in the error path, this allocated memory is not freed, unlike the cleanup function mlx5e_cleanup_rep_rx() which does free it. This discrepancy creates a potential memory leak.

Exploitation

An attacker would need to trigger an error condition within mlx5e_init_rep_rx (e.g., by inducing a failure in a subsequent allocation or setup step). No special privileges are required beyond being able to interact with the mlx5 network device driver, but the attack surface is limited to systems using this hardware. The exploit would not require user interaction; it is triggered by the kernel's internal error handling.

Impact

If triggered, each error path leak consumes kernel memory. Repeated exploitation could exhaust system memory, leading to denial of service (DoS). There is no evidence of code execution or privilege escalation from this bug alone.

Mitigation

The fix has been applied in the Linux kernel stable commit c265d8c2e255 [1]. Users should update to a kernel version containing this commit or a subsequent release that includes the backport. The fix ensures the error path frees priv->rx_res identically to the cleanup function.