CVE-2024-35885

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 19/05/2024
Last modified: 03/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mlxbf_gige: stop interface during shutdown

The mlxbf_gige driver intermittently encounters a NULL pointer
exception while the system is shutting down via "reboot" command.
The mlxbf_driver will experience an exception right after executing
its shutdown() method. One example of this exception is:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000
[0000000000000070] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 96000004 [#1] SMP
CPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1
Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023
pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]
lr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]
sp : ffff8000080d3c10
x29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58
x26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008
x23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128
x20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff
x17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7
x14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101
x11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404
x8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080
x5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]
mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]
__napi_poll+0x40/0x1c8
net_rx_action+0x314/0x3a0
__do_softirq+0x128/0x334
run_ksoftirqd+0x54/0x6c
smpboot_thread_fn+0x14c/0x190
kthread+0x10c/0x110
ret_from_fork+0x10/0x20
Code: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)
---[ end trace 7cc3941aa0d8e6a4 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
Kernel Offset: 0x4ce722520000 from 0xffff800008000000
PHYS_OFFSET: 0x80000000
CPU features: 0x000005c1,a3330e5a
Memory Limit: none
---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

During system shutdown, the mlxbf_gige driver's shutdown() is always executed.
However, the driver's stop() method will only execute if networking interface
configuration logic within the Linux distribution has been set up to do so.

If shutdown() executes but stop() does not execute, NAPI remains enabled
and this can lead to an exception if NAPI is scheduled while the hardware
interface has only been partially deinitialized.

The networking interface managed by the mlxbf_gige driver must be properly
stopped during system shutdown so that IFF_UP is cleared, the hardware
interface is put into a clean state, and NAPI is fully deinitialized.

Vulnerable products and versions

CPE                                             From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.14 (including)  5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)  6.1.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)   6.6.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)   6.8.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
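
A host triage check built from the version ranges in the table above, as an added example (not code from the advisory or the kernel project): it tests a `uname -r` string against those ranges and looks for the mlxbf_gige module in /proc/modules content. The function names are illustrative, and it assumes the driver is built as a module, since a built-in driver does not appear in /proc/modules.

```python
import re

# Upstream ranges from the table above: (first affected, first fixed).
AFFECTED_RANGES = [
    ((5, 14, 0), (5, 15, 154)),
    ((5, 16, 0), (6, 1, 85)),
    ((6, 2, 0), (6, 6, 26)),
    ((6, 7, 0), (6, 8, 5)),
]
AFFECTED_RCS = {"6.9-rc1", "6.9-rc2"}  # listed individually in the table

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc\d+))?")


def parse_release(release):
    """Split a `uname -r` string into ((major, minor, patch), rc-or-None)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), rc


def in_affected_range(release):
    """True if the upstream version number falls in a listed range.

    Vendor suffixes are ignored, so a distribution kernel that carries a
    backported fix still reports True; treat that as "check the changelog".
    """
    version, rc = parse_release(release)
    if rc and f"{version[0]}.{version[1]}-{rc}" in AFFECTED_RCS:
        return True
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def driver_loaded(proc_modules_text):
    """True if mlxbf_gige appears as a loaded module (built-in is not seen)."""
    return any(line.split()[:1] == ["mlxbf_gige"]
               for line in proc_modules_text.splitlines())


if __name__ == "__main__":
    import platform
    with open("/proc/modules") as fh:
        loaded = driver_loaded(fh.read())
    rel = platform.release()
    print(f"{rel}: in listed range={in_affected_range(rel)}, mlxbf_gige loaded={loaded}")
```

The kernel string from the trace in the description, 5.15.0-bf.6.gef6992a, is reported as in range, since only the upstream version number is compared.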