CVE-2024-50146

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 07/11/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Don't call cleanup on profile rollback failure

When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case.

This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in _mlx5e_remove.

[ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)
[ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
[ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
[ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12
[ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
[ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
[ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
[ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 745.538222] #PF: supervisor read access in kernel mode

[ 745.551290] Call Trace:
[ 745.551590]
[ 745.551866] ? __die+0x20/0x60
[ 745.552218] ? page_fault_oops+0x150/0x400
[ 745.555307] ? exc_page_fault+0x79/0x240
[ 745.555729] ? asm_exc_page_fault+0x22/0x30
[ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core]
[ 745.556698] auxiliary_bus_remove+0x18/0x30
[ 745.557134] device_release_driver_internal+0x1df/0x240
[ 745.557654] bus_remove_device+0xd7/0x140
[ 745.558075] device_del+0x15b/0x3c0
[ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]
[ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core]
[ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core]
[ 745.560203] remove_one+0x4e/0xd0 [mlx5_core]
[ 745.560694] pci_device_remove+0x39/0xa0
[ 745.561112] device_release_driver_internal+0x1df/0x240
[ 745.561631] driver_detach+0x47/0x90
[ 745.562022] bus_remove_driver+0x84/0x100
[ 745.562444] pci_unregister_driver+0x3b/0x90
[ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core]
[ 745.563415] __x64_sys_delete_module+0x14d/0x2f0
[ 745.563886] ? kmem_cache_free+0x1b0/0x460
[ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190
[ 745.564825] do_syscall_64+0x6d/0x140
[ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 745.565725] RIP: 0033:0x7f1579b1288b
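The failure mode described above, as an added userspace model in C (not code from the kernel or from this advisory): a profile switch whose rollback fails leaves the profile pointer NULL, and the teardown path skips cleanup in that case. The names `priv`, `profile`, `change_profile`, `remove_dev`, `signal_active` and the `demo_*` helpers are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
/* Userspace model; every name here is hypothetical, not mlx5 driver source. */
struct priv;
struct profile {
    int  (*init)(struct priv *p);
    void (*cleanup)(struct priv *p);
};
struct priv {
    const struct profile *profile;  /* left NULL when rollback fails */
    int cleanups;                   /* number of cleanup() calls */
};
static int signal_active;           /* models the still-pending signal */
/* Interrupted setup is reported as -ENOMEM, as in the log above. */
static int demo_init(struct priv *p) { (void)p; return signal_active ? -ENOMEM : 0; }
static void demo_cleanup(struct priv *p) { p->cleanups++; }
static const struct profile demo_profile = { demo_init, demo_cleanup };

/* Switch profiles; on failure, try to restore the original one. */
static int change_profile(struct priv *p, const struct profile *new_prof)
{
    const struct profile *orig = p->profile;
    int err;
    orig->cleanup(p);
    p->profile = NULL;              /* detached while switching */
    err = new_prof->init(p);
    if (err && orig->init(p) != 0)
        return err;                 /* rollback failed: profile stays NULL */
    p->profile = err ? orig : new_prof;
    return err;
}

/* Teardown: an unguarded p->profile->cleanup(p) would fault on NULL here. */
static int remove_dev(struct priv *p)
{
    if (!p->profile)
        return 0;                   /* nothing initialised: skip cleanup */
    p->profile->cleanup(p);
    return 1;
}

int main(void)
{
    struct priv p = { &demo_profile, 0 };
    signal_active = 1;              /* init and rollback both fail */
    int err = change_profile(&p, &demo_profile);
    printf("err=%d profile_null=%d cleanup_ran=%d\n", err, p.profile == NULL, remove_dev(&p));
    return 0;
}
```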

Vulnerable products and versions

CPE                                                  From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.12 (including)  6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*