In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix use-after-free of encap entry in neigh update handler
Function mlx5e_rep_neigh_update() wasn’t updated to accommodate rtnl lock
removal from TC filter update path and properly handle concurrent encap
entry insertion/deletion which can lead to following use-after-free:
[23827.464923]

[23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140
[mlx5_core] [23827.470971] Read of size 4 at addr ffff8881d132228c by task
kworker/u20:6/21635 [23827.472251] [23827.472615] CPU: 9 PID: 21635 Comm:
kworker/u20:6 Not tainted 5.13.0-rc3+ #5 [23827.473788] Hardware name: QEMU
Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [23827.475639]
Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core] [23827.476731] Call
Trace: [23827.477260] dump_stack+0xbb/0x107 [23827.477906]
print_address_description.constprop.0+0x18/0x140 [23827.478896] ?
mlx5e_encap_take+0x72/0x140 [mlx5_core] [23827.479879] ?
mlx5e_encap_take+0x72/0x140 [mlx5_core] [23827.480905]
kasan_report.cold+0x7c/0xd8 [23827.481701] ? mlx5e_encap_take+0x72/0x140
[mlx5_core] [23827.482744] kasan_check_range+0x145/0x1a0 [23827.493112]
mlx5e_encap_take+0x72/0x140 [mlx5_core] [23827.494054] ?
mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]
[23827.495296] mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]
[23827.496338] ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]
[23827.497486] ? read_word_at_a_time+0xe/0x20 [23827.498250] ?
strscpy+0xa0/0x2a0 [23827.498889] process_one_work+0x8ac/0x14e0
[23827.499638] ? lockdep_hardirqs_on_prepare+0x400/0x400 [23827.500537] ?
pwq_dec_nr_in_flight+0x2c0/0x2c0 [23827.501359] ?
rwlock_bug.part.0+0x90/0x90 [23827.502116] worker_thread+0x53b/0x1220
[23827.502831] ? process_one_work+0x14e0/0x14e0 [23827.503627]
kthread+0x328/0x3f0 [23827.504254] ? _raw_spin_unlock_irq+0x24/0x40
[23827.505065] ? __kthread_bind_mask+0x90/0x90 [23827.505912]
ret_from_fork+0x1f/0x30 [23827.506621] [23827.506987] Allocated by task
28248: [23827.507694] kasan_save_stack+0x1b/0x40 [23827.508476]
__kasan_kmalloc+0x7c/0x90 [23827.509197] mlx5e_attach_encap+0xde1/0x1d40
[mlx5_core] [23827.510194] mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]
[23827.511218] __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core] [23827.512234]
mlx5e_configure_flower+0x191c/0x4870 [mlx5_core] [23827.513298]
tc_setup_cb_add+0x1d5/0x420 [23827.514023] fl_hw_replace_filter+0x382/0x6a0
[cls_flower] [23827.514975] fl_change+0x2ceb/0x4a51 [cls_flower]
[23827.515821] tc_new_tfilter+0x89a/0x2070 [23827.516548]
rtnetlink_rcv_msg+0x644/0x8c0 [23827.517300] netlink_rcv_skb+0x11d/0x340
[23827.518021] netlink_unicast+0x42b/0x700 [23827.518742]
netlink_sendmsg+0x743/0xc20 [23827.519467] sock_sendmsg+0xb2/0xe0
[23827.520131] ____sys_sendmsg+0x590/0x770 [23827.520851]
___sys_sendmsg+0xd8/0x160 [23827.521552] __sys_sendmsg+0xb7/0x140
[23827.522238] do_syscall_64+0x3a/0x70 [23827.522907]
entry_SYSCALL_64_after_hwframe+0x44/0xae [23827.523797] [23827.524163]
Freed by task 25948: [23827.524780] kasan_save_stack+0x1b/0x40
[23827.525488] kasan_set_track+0x1c/0x30 [23827.526187]
kasan_set_free_info+0x20/0x30 [23827.526968] __kasan_slab_free+0xed/0x130
[23827.527709] slab_free_freelist_hook+0xcf/0x1d0 [23827.528528]
kmem_cache_free_bulk+0x33a/0x6e0 [23827.529317] kfree_rcu_work+0x55f/0xb70
[23827.530024] process_one_work+0x8ac/0x14e0 [23827.530770]
worker_thread+0x53b/0x1220 [23827.531480] kthread+0x328/0x3f0
[23827.532114] ret_from_fork+0x1f/0x30 [23827.532785] [23827.533147] Last
potentially related work creation: [23827.534007]
kasan_save_stack+0x1b/0x40 [23827.534710] kasan_record_aux_stack+0xab/0xc0
[23827.535492] kvfree_call_rcu+0x31/0x7b0 [23827.536206] mlx5e_tc_del
—truncated—