CVE-2024-53224

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/12/2024
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Move events notifier registration to be after device registration

Move pkey change work initialization and cleanup from device resources
stage to notifier stage, since this is the stage which handles these work
events.

Fix a race between the device deregistration and pkey change work by moving
MLX5_IB_STAGE_DEVICE_NOTIFIER to be after MLX5_IB_STAGE_IB_REG in order to
ensure that the notifier is deregistered before the device during cleanup.
Which ensures there are no works that are being executed after the
device has already unregistered which can cause the panic below.

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 630071 Comm: kworker/1:2 Kdump: loaded Tainted: G W OE --------- --- 5.14.0-162.6.1.el9_1.x86_64 #1
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 02/27/2023
Workqueue: events pkey_change_handler [mlx5_ib]
RIP: 0010:setup_qp+0x38/0x1f0 [mlx5_ib]
Code: ee 41 54 45 31 e4 55 89 f5 53 48 89 fb 48 83 ec 20 8b 77 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 8d 4c 24 16 8b 38 49 8b 87 80 0b 00 00 4c 89 ff 48 8b 80 08 05 00 00 8b 40
RSP: 0018:ffffbcc54068be20 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff954054494128 RCX: ffffbcc54068be36
RDX: ffff954004934000 RSI: 0000000000000001 RDI: ffff954054494128
RBP: 0000000000000023 R08: ffff954001be2c20 R09: 0000000000000001
R10: ffff954001be2c20 R11: ffff9540260133c0 R12: 0000000000000000
R13: 0000000000000023 R14: 0000000000000000 R15: ffff9540ffcb0905
FS: 0000000000000000(0000) GS:ffff9540ffc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010625c001 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
mlx5_ib_gsi_pkey_change+0x20/0x40 [mlx5_ib]
process_one_work+0x1e8/0x3c0
worker_thread+0x50/0x3b0
? rescuer_thread+0x380/0x380
kthread+0x149/0x170
? set_kthread_struct+0x50/0x50
ret_from_fork+0x22/0x30
Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) mlx5_fwctl(OE) fwctl(OE) ib_uverbs(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlx_compat(OE) psample mlxfw(OE) tls knem(OE) netconsole nfsv3 nfs_acl nfs lockd grace fscache netfs qrtr rfkill sunrpc intel_rapl_msr intel_rapl_common rapl hv_balloon hv_utils i2c_piix4 pcspkr joydev fuse ext4 mbcache jbd2 sr_mod sd_mod cdrom t10_pi sg ata_generic pci_hyperv pci_hyperv_intf hyperv_drm drm_shmem_helper drm_kms_helper hv_storvsc syscopyarea hv_netvsc sysfillrect sysimgblt hid_hyperv fb_sys_fops scsi_transport_fc hyperv_keyboard drm ata_piix crct10dif_pclmul crc32_pclmul crc32c_intel libata ghash_clmulni_intel hv_vmbus serio_raw [last unloaded: ib_core]
CR2: 0000000000000000
---[ end trace f6f8be4eae12f7bc ]---
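The commit message above describes the bug purely in terms of stage ordering: mlx5_ib initialises its driver stages in table order and tears them down in reverse, so a stage that sits before IB_REG in the table is cleaned up after the IB device is already unregistered. The following userspace model, added here as an illustration and not taken from the kernel or from the mlx5_ib driver, makes that ordering effect concrete. The stage names are borrowed from the commit; the device struct, the one-slot "workqueue", the `simulate_remove_race` driver and the exact point at which the pkey work is cancelled are simplifying assumptions, not the driver's real code paths.

```c
/* Model of the mlx5_ib stage-ordering race. Illustrative only: the stage
 * table shape and names follow the commit message, everything else is an
 * assumption made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct ib_device { int pkey_table_size; };

struct mlx5_ib_dev {
    struct ib_device *ib_dev;   /* NULL once the IB device is unregistered */
    bool notifier_registered;
    bool pkey_work_pending;     /* a pkey_change_handler work item is queued */
    bool work_ran_after_unreg;  /* set if the work observed a torn-down device */
};

/* Stand-in for pkey_change_handler: it dereferences the IB device, which the
 * trace on this page shows as a NULL pointer when removal already ran. */
static int pkey_change_handler(struct mlx5_ib_dev *dev)
{
    dev->pkey_work_pending = false;
    if (dev->ib_dev == NULL) {
        dev->work_ran_after_unreg = true;   /* the NULL dereference in the real crash */
        return -1;
    }
    return dev->ib_dev->pkey_table_size;
}

/* flush_work() stand-in: run whatever is queued, in whatever state the device is. */
static void flush_pending_work(struct mlx5_ib_dev *dev)
{
    if (dev->pkey_work_pending)
        pkey_change_handler(dev);
}

static struct ib_device g_ib_dev = { .pkey_table_size = 128 };

/* IB_REG stage: registers the IB device; cleanup unregisters it. */
static int  stage_ib_reg_init(struct mlx5_ib_dev *dev)    { dev->ib_dev = &g_ib_dev; return 0; }
static void stage_ib_reg_cleanup(struct mlx5_ib_dev *dev) { dev->ib_dev = NULL; }

/* DEVICE_NOTIFIER stage: owns the pkey change work (as the fix moves it here);
 * its cleanup is where the queued work is drained (cancel_work_sync analog). */
static int  stage_notifier_init(struct mlx5_ib_dev *dev) { dev->notifier_registered = true; return 0; }
static void stage_notifier_cleanup(struct mlx5_ib_dev *dev)
{
    dev->notifier_registered = false;
    flush_pending_work(dev);
}

struct mlx5_ib_stage {
    const char *name;
    int  (*init)(struct mlx5_ib_dev *);
    void (*cleanup)(struct mlx5_ib_dev *);
};

/* Pre-fix table order: the notifier stage precedes IB registration. */
static const struct mlx5_ib_stage buggy_profile[] = {
    { "MLX5_IB_STAGE_DEVICE_NOTIFIER", stage_notifier_init, stage_notifier_cleanup },
    { "MLX5_IB_STAGE_IB_REG",          stage_ib_reg_init,   stage_ib_reg_cleanup   },
};

/* Post-fix table order: the notifier stage follows IB registration. */
static const struct mlx5_ib_stage fixed_profile[] = {
    { "MLX5_IB_STAGE_IB_REG",          stage_ib_reg_init,   stage_ib_reg_cleanup   },
    { "MLX5_IB_STAGE_DEVICE_NOTIFIER", stage_notifier_init, stage_notifier_cleanup },
};

/* Initialise stages in table order, queue one pkey-change work item as removal
 * begins, then clean up in reverse table order. Returns true if the work item
 * ran against an already-unregistered device. */
static bool simulate_remove_race(const struct mlx5_ib_stage *profile, size_t n)
{
    struct mlx5_ib_dev dev;
    memset(&dev, 0, sizeof(dev));
    for (size_t i = 0; i < n; i++)
        profile[i].init(&dev);
    dev.pkey_work_pending = true;        /* event arrives just as removal starts */
    for (size_t i = n; i-- > 0; )
        profile[i].cleanup(&dev);
    flush_pending_work(&dev);            /* anything still queued runs later anyway */
    return dev.work_ran_after_unreg;
}

int main(void)
{
    printf("pre-fix order : work ran after unregister = %d\n",
           simulate_remove_race(buggy_profile, 2));
    printf("post-fix order: work ran after unregister = %d\n",
           simulate_remove_race(fixed_profile, 2));
    return 0;
}
```

With the pre-fix order, reverse cleanup unregisters the IB device first and only then drains the notifier stage's work, so the handler runs with a NULL device pointer; with the notifier stage placed after IB_REG, the queued work is drained while the device is still registered.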

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.6 (including) 6.6.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.2 (excluding)