CVE-2024-47687

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vdpa/mlx5: Fix invalid mr resource destroy<br /> <br /> Certain error paths from mlx5_vdpa_dev_add() can end up releasing mr<br /> resources which never got initialized in the first place.<br /> <br /> This patch adds the missing check in mlx5_vdpa_destroy_mr_resources()<br /> to block releasing non-initialized mr resources.<br /> <br /> Reference trace:<br /> <br /> mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned?<br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 140216067 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]<br /> Code: [...]<br /> RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246<br /> RAX: ffffffffc1a21a60 RBX: ffffffff899567a0 RCX: 0000000000000000<br /> RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000000000000<br /> RBP: ff1bda1f7c21e800 R08: 0000000000000000 R09: ff1c823ac2307670<br /> R10: ff1c823ac2307668 R11: ffffffff8a9e7b68 R12: 0000000000000000<br /> R13: 0000000000000000 R14: ff1bda1f43e341a0 R15: 00000000ffffffea<br /> FS: 00007f56eba7c740(0000) GS:ff1bda269f800000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000000 CR3: 0000000104d90001 CR4: 0000000000771ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? show_trace_log_lvl+0x1c4/0x2df<br /> ? show_trace_log_lvl+0x1c4/0x2df<br /> ? mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]<br /> ? __die_body.cold+0x8/0xd<br /> ? page_fault_oops+0x134/0x170<br /> ? __irq_work_queue_local+0x2b/0xc0<br /> ? irq_work_queue+0x2c/0x50<br /> ? exc_page_fault+0x62/0x150<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? __pfx_mlx5_vdpa_free+0x10/0x10 [mlx5_vdpa]<br /> ? vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]<br /> mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]<br /> vdpa_release_dev+0x1e/0x50 [vdpa]<br /> device_release+0x31/0x90<br /> kobject_cleanup+0x37/0x130<br /> mlx5_vdpa_dev_add+0x2d2/0x7a0 [mlx5_vdpa]<br /> vdpa_nl_cmd_dev_add_set_doit+0x277/0x4c0 [vdpa]<br /> genl_family_rcv_msg_doit+0xd9/0x130<br /> genl_family_rcv_msg+0x14d/0x220<br /> ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]<br /> ? _copy_to_user+0x1a/0x30<br /> ? move_addr_to_user+0x4b/0xe0<br /> genl_rcv_msg+0x47/0xa0<br /> ? __import_iovec+0x46/0x150<br /> ? __pfx_genl_rcv_msg+0x10/0x10<br /> netlink_rcv_skb+0x54/0x100<br /> genl_rcv+0x24/0x40<br /> netlink_unicast+0x245/0x370<br /> netlink_sendmsg+0x206/0x440<br /> __sys_sendto+0x1dc/0x1f0<br /> ? do_read_fault+0x10c/0x1d0<br /> ? do_pte_missing+0x10d/0x190<br /> __x64_sys_sendto+0x20/0x30<br /> do_syscall_64+0x5c/0xf0<br /> ? __count_memcg_events+0x4f/0xb0<br /> ? mm_account_fault+0x6c/0x100<br /> ? handle_mm_fault+0x116/0x270<br /> ? do_user_addr_fault+0x1d6/0x6a0<br /> ? do_syscall_64+0x6b/0xf0<br /> ? clear_bhb_loop+0x25/0x80<br /> ? clear_bhb_loop+0x25/0x80<br /> ? clear_bhb_loop+0x25/0x80<br /> ? clear_bhb_loop+0x25/0x80<br /> ? clear_bhb_loop+0x25/0x80<br /> entry_SYSCALL_64_after_hwframe+0x78/0x80