cve/published/2024/CVE-2024-38608.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38608: net/mlx5e: Fix netif state handling

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/mlx5e: Fix netif state handling

 mlx5e_suspend cleans resources only if netif_device_present() returns
 true. However, mlx5e_resume changes the state of netif, via
 mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.
 In the below case, the above leads to NULL-ptr Oops[1] and memory
 leaks:

 mlx5e_probe
  _mlx5e_resume
   mlx5e_attach_netdev
    mlx5e_nic_enable  <-- netdev not reg, not calling netif_device_attach()
   register_netdev <-- failed for some reason.
 ERROR_FLOW:
  _mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(

 Hence, clean resources in this case as well.

 [1]
 BUG: kernel NULL pointer dereference, address: 0000000000000000
 PGD 0 P4D 0
 Oops: 0010 [#1] SMP
 CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 RIP: 0010:0x0
 Code: Unable to access opcode bytes at0xffffffffffffffd6.
 RSP: 0018:ffff888178aaf758 EFLAGS: 00010246
 Call Trace:
  <TASK>
  ? __die+0x20/0x60
  ? page_fault_oops+0x14c/0x3c0
  ? exc_page_fault+0x75/0x140
  ? asm_exc_page_fault+0x22/0x30
  notifier_call_chain+0x35/0xb0
  blocking_notifier_call_chain+0x3d/0x60
  mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]
  mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]
  mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]
  mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]
  __mlx5_ib_add+0x34/0xd0 [mlx5_ib]
  mlx5r_probe+0xe1/0x210 [mlx5_ib]
  ? auxiliary_match_id+0x6a/0x90
  auxiliary_bus_probe+0x38/0x80
  ? driver_sysfs_add+0x51/0x80
  really_probe+0xc9/0x3e0
  ? driver_probe_device+0x90/0x90
  __driver_probe_device+0x80/0x160
  driver_probe_device+0x1e/0x90
  __device_attach_driver+0x7d/0x100
  bus_for_each_drv+0x80/0xd0
  __device_attach+0xbc/0x1f0
  bus_probe_device+0x86/0xa0
  device_add+0x637/0x840
  __auxiliary_device_add+0x3b/0xa0
  add_adev+0xc9/0x140 [mlx5_core]
  mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]
  mlx5_register_device+0x53/0xa0 [mlx5_core]
  mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]
  mlx5_init_one+0x3b/0x60 [mlx5_core]
  probe_one+0x44c/0x730 [mlx5_core]
  local_pci_probe+0x3e/0x90
  pci_device_probe+0xbf/0x210
  ? kernfs_create_link+0x5d/0xa0
  ? sysfs_do_create_link_sd+0x60/0xc0
  really_probe+0xc9/0x3e0
  ? driver_probe_device+0x90/0x90
  __driver_probe_device+0x80/0x160
  driver_probe_device+0x1e/0x90
  __device_attach_driver+0x7d/0x100
  bus_for_each_drv+0x80/0xd0
  __device_attach+0xbc/0x1f0
  pci_bus_add_device+0x54/0x80
  pci_iov_add_virtfn+0x2e6/0x320
  sriov_enable+0x208/0x420
  mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]
  sriov_numvfs_store+0xae/0x1a0
  kernfs_fop_write_iter+0x10c/0x1a0
  vfs_write+0x291/0x3c0
  ksys_write+0x5f/0xe0
  do_syscall_64+0x3d/0x90
  entry_SYSCALL_64_after_hwframe+0x46/0xb0
  CR2: 0000000000000000
  ---[ end trace 0000000000000000  ]---

 The Linux kernel CVE team has assigned CVE-2024-38608 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.12 with commit 2c3b5beec46ab0d77c94828eb15170b333ae769a and fixed in 6.9.3 with commit f7e6cfb864a53af71c5cc904f1cc22215d68f5c6
 	Issue introduced in 4.12 with commit 2c3b5beec46ab0d77c94828eb15170b333ae769a and fixed in 6.10 with commit 3d5918477f94e4c2f064567875c475468e264644

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38608
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlx5/core/en_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6
 	https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38608: net/mlx5e: Fix netif state handling

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/mlx5e: Fix netif state handling

	mlx5e_suspend cleans resources only if netif_device_present() returns
	true. However, mlx5e_resume changes the state of netif, via
	mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED.
	In the below case, the above leads to NULL-ptr Oops[1] and memory
	leaks:

	mlx5e_probe
	_mlx5e_resume
	mlx5e_attach_netdev
	mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()
	register_netdev <-- failed for some reason.
	ERROR_FLOW:
	_mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(

	Hence, clean resources in this case as well.

	[1]
	BUG: kernel NULL pointer dereference, address: 0000000000000000
	PGD 0 P4D 0
	Oops: 0010 [#1] SMP
	CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
	RIP: 0010:0x0
	Code: Unable to access opcode bytes at0xffffffffffffffd6.
	RSP: 0018:ffff888178aaf758 EFLAGS: 00010246
	Call Trace:
	<TASK>
	? __die+0x20/0x60
	? page_fault_oops+0x14c/0x3c0
	? exc_page_fault+0x75/0x140
	? asm_exc_page_fault+0x22/0x30
	notifier_call_chain+0x35/0xb0
	blocking_notifier_call_chain+0x3d/0x60
	mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]
	mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]
	mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]
	mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]
	__mlx5_ib_add+0x34/0xd0 [mlx5_ib]
	mlx5r_probe+0xe1/0x210 [mlx5_ib]
	? auxiliary_match_id+0x6a/0x90
	auxiliary_bus_probe+0x38/0x80
	? driver_sysfs_add+0x51/0x80
	really_probe+0xc9/0x3e0
	? driver_probe_device+0x90/0x90
	__driver_probe_device+0x80/0x160
	driver_probe_device+0x1e/0x90
	__device_attach_driver+0x7d/0x100
	bus_for_each_drv+0x80/0xd0
	__device_attach+0xbc/0x1f0
	bus_probe_device+0x86/0xa0
	device_add+0x637/0x840
	__auxiliary_device_add+0x3b/0xa0
	add_adev+0xc9/0x140 [mlx5_core]
	mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]
	mlx5_register_device+0x53/0xa0 [mlx5_core]
	mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]
	mlx5_init_one+0x3b/0x60 [mlx5_core]
	probe_one+0x44c/0x730 [mlx5_core]
	local_pci_probe+0x3e/0x90
	pci_device_probe+0xbf/0x210
	? kernfs_create_link+0x5d/0xa0
	? sysfs_do_create_link_sd+0x60/0xc0
	really_probe+0xc9/0x3e0
	? driver_probe_device+0x90/0x90
	__driver_probe_device+0x80/0x160
	driver_probe_device+0x1e/0x90
	__device_attach_driver+0x7d/0x100
	bus_for_each_drv+0x80/0xd0
	__device_attach+0xbc/0x1f0
	pci_bus_add_device+0x54/0x80
	pci_iov_add_virtfn+0x2e6/0x320
	sriov_enable+0x208/0x420
	mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]
	sriov_numvfs_store+0xae/0x1a0
	kernfs_fop_write_iter+0x10c/0x1a0
	vfs_write+0x291/0x3c0
	ksys_write+0x5f/0xe0
	do_syscall_64+0x3d/0x90
	entry_SYSCALL_64_after_hwframe+0x46/0xb0
	CR2: 0000000000000000
	---[ end trace 0000000000000000 ]---

	The Linux kernel CVE team has assigned CVE-2024-38608 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.12 with commit 2c3b5beec46ab0d77c94828eb15170b333ae769a and fixed in 6.9.3 with commit f7e6cfb864a53af71c5cc904f1cc22215d68f5c6
	Issue introduced in 4.12 with commit 2c3b5beec46ab0d77c94828eb15170b333ae769a and fixed in 6.10 with commit 3d5918477f94e4c2f064567875c475468e264644

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38608
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlx5/core/en_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f7e6cfb864a53af71c5cc904f1cc22215d68f5c6
	https://git.kernel.org/stable/c/3d5918477f94e4c2f064567875c475468e264644