CVE-2024-38557

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: Reload only IB representors upon lag disable/enable<br /> <br /> On lag disable, the bond IB device along with all of its<br /> representors are destroyed, and then the slaves&amp;#39; representors get reloaded.<br /> <br /> In case the slave IB representor load fails, the eswitch error flow<br /> unloads all representors, including ethernet representors, where the<br /> netdevs get detached and removed from lag bond. Such flow is inaccurate<br /> as the lag driver is not responsible for loading/unloading ethernet<br /> representors. Furthermore, the flow described above begins by holding<br /> lag lock to prevent bond changes during disable flow. However, when<br /> reaching the ethernet representors detachment from lag, the lag lock is<br /> required again, triggering the following deadlock:<br /> <br /> Call trace:<br /> __switch_to+0xf4/0x148<br /> __schedule+0x2c8/0x7d0<br /> schedule+0x50/0xe0<br /> schedule_preempt_disabled+0x18/0x28<br /> __mutex_lock.isra.13+0x2b8/0x570<br /> __mutex_lock_slowpath+0x1c/0x28<br /> mutex_lock+0x4c/0x68<br /> mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core]<br /> mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core]<br /> mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core]<br /> mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core]<br /> mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core]<br /> mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core]<br /> mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core]<br /> mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core]<br /> mlx5_disable_lag+0x130/0x138 [mlx5_core]<br /> mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev-&gt;lock<br /> mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core]<br /> devlink_nl_cmd_eswitch_set_doit+0xdc/0x180<br /> genl_family_rcv_msg_doit.isra.17+0xe8/0x138<br /> genl_rcv_msg+0xe4/0x220<br /> netlink_rcv_skb+0x44/0x108<br /> genl_rcv+0x40/0x58<br /> netlink_unicast+0x198/0x268<br /> netlink_sendmsg+0x1d4/0x418<br /> sock_sendmsg+0x54/0x60<br /> __sys_sendto+0xf4/0x120<br /> __arm64_sys_sendto+0x30/0x40<br /> el0_svc_common+0x8c/0x120<br /> do_el0_svc+0x30/0xa0<br /> el0_svc+0x20/0x30<br /> el0_sync_handler+0x90/0xb8<br /> el0_sync+0x160/0x180<br /> <br /> Thus, upon lag enable/disable, load and unload only the IB representors<br /> of the slaves preventing the deadlock mentioned above.<br /> <br /> While at it, refactor the mlx5_esw_offloads_rep_load() function to have<br /> a static helper method for its internal logic, in symmetry with the<br /> representor unload design.