CVE-2024-35907

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
19/05/2024
Last modified:
30/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

mlxbf_gige: call request_irq() after NAPI initialized

The mlxbf_gige driver encounters a NULL pointer exception in
mlxbf_gige_open() when kdump is enabled. The sequence to reproduce
the exception is as follows:
a) enable kdump
b) trigger kdump via "echo c > /proc/sysrq-trigger"
c) kdump kernel executes
d) kdump kernel loads mlxbf_gige module
e) the mlxbf_gige module runs its open() as the
"oob_net0" interface is brought up
f) mlxbf_gige module will experience an exception
during its open(), something like:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000086000004
EC = 0x21: IABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000
[0000000000000000] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000086000004 [#1] SMP
CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu
Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024
pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : 0x0
lr : __napi_poll+0x40/0x230
sp : ffff800008003e00
x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff
x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8
x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000
x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000
x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0
x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398
x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2
x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238
Call trace:
0x0
net_rx_action+0x178/0x360
__do_softirq+0x15c/0x428
__irq_exit_rcu+0xac/0xec
irq_exit+0x18/0x2c
handle_domain_irq+0x6c/0xa0
gic_handle_irq+0xec/0x1b0
call_on_irq_stack+0x20/0x2c
do_interrupt_handler+0x5c/0x70
el1_interrupt+0x30/0x50
el1h_64_irq_handler+0x18/0x2c
el1h_64_irq+0x7c/0x80
__setup_irq+0x4c0/0x950
request_threaded_irq+0xf4/0x1bc
mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]
mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]
__dev_open+0x100/0x220
__dev_change_flags+0x16c/0x1f0
dev_change_flags+0x2c/0x70
do_setlink+0x220/0xa40
__rtnl_newlink+0x56c/0x8a0
rtnl_newlink+0x58/0x84
rtnetlink_rcv_msg+0x138/0x3c4
netlink_rcv_skb+0x64/0x130
rtnetlink_rcv+0x20/0x30
netlink_unicast+0x2ec/0x360
netlink_sendmsg+0x278/0x490
__sock_sendmsg+0x5c/0x6c
____sys_sendmsg+0x290/0x2d4
___sys_sendmsg+0x84/0xd0
__sys_sendmsg+0x70/0xd0
__arm64_sys_sendmsg+0x2c/0x40
invoke_syscall+0x78/0x100
el0_svc_common.constprop.0+0x54/0x184
do_el0_svc+0x30/0xac
el0_svc+0x48/0x160
el0t_64_sync_handler+0xa4/0x12c
el0t_64_sync+0x1a4/0x1a8
Code: bad PC value
---[ end trace 7d1c3f3bf9d81885 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
Kernel Offset: 0x2870a7a00000 from 0xffff800008000000
PHYS_OFFSET: 0x80000000
CPU features: 0x0,000005c1,a3332a5a
Memory Limit: none
---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

The exception happens because there is a pending RX interrupt before the
call to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires
immediately after this request_irq() completes. The
---truncated---
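The initialization-order hazard in the description (an RX interrupt already pending when request_irq() runs, so the handler schedules NAPI before the poll callback exists and __napi_poll() jumps to address 0) can be modelled in user space. The following is an added, constructed C model written for this page; it is not the mlxbf_gige driver's code and does not use the real kernel API. fake_request_irq(), fake_netif_napi_add(), fake_napi_schedule_and_poll(), struct fake_dev and the OPEN_* result codes are all stand-ins, and the model returns an error code where the real kernel would oops. open_irq_before_napi() reproduces the pre-fix ordering, open_napi_before_irq() the ordering the fix title describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a NAPI context: the poll callback is NULL
 * until "netif_napi_add()" (modelled by fake_netif_napi_add) fills it in. */
struct napi_ctx {
    int (*poll)(struct napi_ctx *napi, int budget);
    bool scheduled;
    int packets_polled;
};

/* Constructed device: rx_irq_pending models the interrupt the crashed
 * (pre-kdump) kernel left asserted on the RX line. */
struct fake_dev {
    struct napi_ctx napi;
    bool rx_irq_pending;
    bool irq_registered;
};

/* Result codes returned instead of dereferencing NULL, so the outcome
 * of each ordering can be observed. */
enum open_result { OPEN_OK = 0, OPEN_NULL_POLL = -1 };

static int fake_rx_poll(struct napi_ctx *napi, int budget)
{
    (void)budget;
    napi->packets_polled++;
    return 1; /* one packet "processed" */
}

/* Models napi_schedule() followed by the softirq that runs __napi_poll().
 * With a NULL poll pointer the real kernel branches to 0 ("pc : 0x0" in
 * the oops above); here we report it as OPEN_NULL_POLL instead. */
static int fake_napi_schedule_and_poll(struct napi_ctx *napi)
{
    napi->scheduled = true;
    if (napi->poll == NULL)
        return OPEN_NULL_POLL;
    napi->poll(napi, 64);
    return OPEN_OK;
}

static int fake_rx_irq_handler(struct fake_dev *dev)
{
    dev->rx_irq_pending = false;
    return fake_napi_schedule_and_poll(&dev->napi);
}

/* Models request_irq(): once the line is registered, a pending interrupt
 * is delivered immediately, which is exactly the window in the report. */
static int fake_request_irq(struct fake_dev *dev)
{
    dev->irq_registered = true;
    if (dev->rx_irq_pending)
        return fake_rx_irq_handler(dev);
    return OPEN_OK;
}

static void fake_netif_napi_add(struct fake_dev *dev)
{
    dev->napi.poll = fake_rx_poll;
}

/* Pre-fix ordering: request the IRQ first, initialise NAPI afterwards. */
int open_irq_before_napi(struct fake_dev *dev)
{
    int rc = fake_request_irq(dev);
    if (rc != OPEN_OK)
        return rc;           /* never reached when the IRQ was pending */
    fake_netif_napi_add(dev);
    return OPEN_OK;
}

/* Post-fix ordering: initialise NAPI first, then request the IRQ. */
int open_napi_before_irq(struct fake_dev *dev)
{
    fake_netif_napi_add(dev);
    return fake_request_irq(dev);
}

/* Constructed kdump-like starting state: RX interrupt already pending. */
struct fake_dev make_dev_with_pending_rx_irq(void)
{
    struct fake_dev dev = {0};
    dev.rx_irq_pending = true;
    return dev;
}

int main(void)
{
    struct fake_dev a = make_dev_with_pending_rx_irq();
    struct fake_dev b = make_dev_with_pending_rx_irq();
    printf("irq before napi: %s\n",
           open_irq_before_napi(&a) == OPEN_NULL_POLL ? "NULL poll (oops)" : "ok");
    printf("napi before irq: %s, polled=%d\n",
           open_napi_before_irq(&b) == OPEN_OK ? "ok" : "error", b.napi.packets_polled);
    return 0;
}
```

The point the model makes is that the bug is invisible on a normal boot (no interrupt pending, so either ordering succeeds) and only surfaces when the device arrives with the line already asserted, as after a crash into a kdump kernel. Any driver that registers an interrupt handler before every object that handler can touch is initialised has the same class of defect, regardless of whether a crash dump is involved.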

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.14 (including) 5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*