CVE-2022-49333

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 26/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: E-Switch, pair only capable devices

OFFLOADS pairing using devcom is possible only on devices
that support LAG. Filter based on lag capabilities.

This fixes an issue where mlx5_get_next_phys_dev() was
called without holding the interface lock.

This issue was found when commit
bc4c2f2e0179 ("net/mlx5: Lag, filter non compatible devices")
added an assert that verifies the interface lock is held.

WARNING: CPU: 9 PID: 1706 at drivers/net/ethernet/mellanox/mlx5/core/dev.c:642 mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]
Modules linked in: mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm ib_uverbs ib_core overlay fuse [last unloaded: mlx5_core]
CPU: 9 PID: 1706 Comm: devlink Not tainted 5.18.0-rc7+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]
Code: 02 00 75 48 48 8b 85 80 04 00 00 5d c3 31 c0 5d c3 be ff ff ff ff 48 c7 c7 08 41 5b a0 e8 36 87 28 e3 85 c0 0f 85 6f ff ff ff 0b e9 68 ff ff ff 48 c7 c7 0c 91 cc 84 e8 cb 36 6f e1 e9 4d ff
RSP: 0018:ffff88811bf47458 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88811b398000 RCX: 0000000000000001
RDX: 0000000080000000 RSI: ffffffffa05b4108 RDI: ffff88812daaaa78
RBP: ffff88812d050380 R08: 0000000000000001 R09: ffff88811d6b3437
R10: 0000000000000001 R11: 00000000fddd3581 R12: ffff88815238c000
R13: ffff88812d050380 R14: ffff8881018aa7e0 R15: ffff88811d6b3428
FS: 00007fc82e18ae80(0000) GS:ffff88842e080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9630d1b421 CR3: 0000000149802004 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
mlx5_esw_offloads_devcom_event+0x99/0x3b0 [mlx5_core]
mlx5_devcom_send_event+0x167/0x1d0 [mlx5_core]
esw_offloads_enable+0x1153/0x1500 [mlx5_core]
? mlx5_esw_offloads_controller_valid+0x170/0x170 [mlx5_core]
? wait_for_completion_io_timeout+0x20/0x20
? mlx5_rescan_drivers_locked+0x318/0x810 [mlx5_core]
mlx5_eswitch_enable_locked+0x586/0xc50 [mlx5_core]
? mlx5_eswitch_disable_pf_vf_vports+0x1d0/0x1d0 [mlx5_core]
? mlx5_esw_try_lock+0x1b/0xb0 [mlx5_core]
? mlx5_eswitch_enable+0x270/0x270 [mlx5_core]
? __debugfs_create_file+0x260/0x3e0
mlx5_devlink_eswitch_mode_set+0x27e/0x870 [mlx5_core]
? mutex_lock_io_nested+0x12c0/0x12c0
? esw_offloads_disable+0x250/0x250 [mlx5_core]
? devlink_nl_cmd_trap_get_dumpit+0x470/0x470
? rcu_read_lock_sched_held+0x3f/0x70
devlink_nl_cmd_eswitch_set_doit+0x217/0x620

Impact