CVE-2023-52998

27.03.2025, 17:15

In the Linux kernel, the following vulnerability has been resolved:

net: fec: Use page_pool_put_full_page when freeing rx buffers

The page_pool_release_page was used when freeing rx buffers, and this
function just unmaps the page (if mapped) and does not recycle the page.
So after hundreds of down/up the eth0, the system will out of memory.
For more details, please refer to the following reproduce steps and
bug logs. To solve this issue and refer to the doc of page pool, the
page_pool_put_full_page should be used to replace page_pool_release_page.
Because this API will try to recycle the page if the page refcnt equal to
1. After testing 20000 times, the issue can not be reproduced anymore
(about testing 391 times the issue will occur on i.MX8MN-EVK before).

Reproduce steps:
Create the test script and run the script. The script content is as
follows:
LOOPS=20000
i=1
while [ $i -le $LOOPS ]
do
    echo "TINFO:ENET $curface up and down test $i times"
    org_macaddr=$(cat /sys/class/net/eth0/address)
    ifconfig eth0 down
    ifconfig eth0  hw ether $org_macaddr up
    i=$(expr $i + 1)
done
sleep 5
if cat /sys/class/net/eth0/operstate | grep 'up';then
    echo "TEST PASS"
else
    echo "TEST FAIL"
fi

Bug detail logs:
TINFO:ENET  up and down test 391 times
[  850.471205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
[  853.535318] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  853.541694] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[  870.590531] page_pool_release_retry() stalled pool shutdown 199 inflight 60 sec
[  931.006557] page_pool_release_retry() stalled pool shutdown 199 inflight 120 sec
TINFO:ENET  up and down test 392 times
[  991.426544] page_pool_release_retry() stalled pool shutdown 192 inflight 181 sec
[ 1051.838531] page_pool_release_retry() stalled pool shutdown 170 inflight 241 sec
[ 1093.751217] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
[ 1096.446520] page_pool_release_retry() stalled pool shutdown 308 inflight 60 sec
[ 1096.831245] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[ 1096.839092] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 1112.254526] page_pool_release_retry() stalled pool shutdown 103 inflight 302 sec
[ 1156.862533] page_pool_release_retry() stalled pool shutdown 308 inflight 120 sec
[ 1172.674516] page_pool_release_retry() stalled pool shutdown 103 inflight 362 sec
[ 1217.278532] page_pool_release_retry() stalled pool shutdown 308 inflight 181 sec
TINFO:ENET  up and down test 393 times
[ 1233.086535] page_pool_release_retry() stalled pool shutdown 103 inflight 422 sec
[ 1277.698513] page_pool_release_retry() stalled pool shutdown 308 inflight 241 sec
[ 1293.502525] page_pool_release_retry() stalled pool shutdown 86 inflight 483 sec
[ 1338.110518] page_pool_release_retry() stalled pool shutdown 308 inflight 302 sec
[ 1353.918540] page_pool_release_retry() stalled pool shutdown 32 inflight 543 sec
[ 1361.179205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
[ 1364.255298] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[ 1364.263189] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 1371.998532] page_pool_release_retry() stalled pool shutdown 310 inflight 60 sec
[ 1398.530542] page_pool_release_retry() stalled pool shutdown 308 inflight 362 sec
[ 1414.334539] page_pool_release_retry() stalled pool shutdown 16 inflight 604 sec
[ 1432.414520] page_pool_release_retry() stalled pool shutdown 310 inflight 120 sec
[ 1458.942523] page_pool_release_retry() stalled pool shutdown 308 inflight 422 sec
[ 1474.750521] page_pool_release_retry() stalled pool shutdown 16 inflight 664 sec
TINFO:ENET  up and down test 394 times
[ 1492.8305
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.129-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.19-1 fixed
sid	6.12.20-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-allwinner-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-aws-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-aws-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-aws-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-aws-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-aws-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
xenial	needs-triage

linux-azure

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage
trusty	needs-triage

linux-azure-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-azure-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

oracular	dne
noble	dne
jammy	needs-triage
focal	ignored

linux-azure-fde-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-fde-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-bluefield

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-gcp

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage

linux-gcp-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-gcp-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-gcp-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-gke

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gke-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gkeop-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gkeop-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	needs-triage

linux-hwe-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-hwe-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-hwe-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-ibm-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-ibm-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-intel-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-iot

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-kvm

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-lowlatency

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-lowlatency-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-lowlatency-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-lowlatency-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-lts-xenial

oracular	dne
noble	dne
jammy	dne
focal	dne
trusty	needs-triage

linux-nvidia

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-nvidia-lowlatency

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-nvidia-tegra

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-tegra-igx

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-oem

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oem-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.8

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oracle

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-oracle-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-oracle-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-oracle-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oracle-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-raspi

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-raspi-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-raspi-realtime

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-raspi2

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-realtime

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-riscv

oracular	needs-triage
noble	needs-triage
jammy	ignored
focal	ignored

linux-riscv-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-riscv-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-starfive-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-xilinx-zynqmp

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder nicht spezifizierte Effekte zu erzielen.
Published: 2025-03-27T23:00:00+00:00

References

https://git.kernel.org/stable/c/554484a34e985a307756ee4794e60be31e3db2e5

https://git.kernel.org/stable/c/e38553bdc377e3e7a6caa9dd9770d8b644d8dac3