Linux Kernel Coalescing Settings Vulnerability in bnxt_en Driver Could Lead to Null Pointer Dereference

Vulnerability

A vulnerability in the Linux kernel's bnxt_en Ethernet driver could cause a system crash by dereferencing a null pointer. The issue arises during error recovery: the rtnl_lock is not held throughout the recovery process, so certain data structures may be freed prematurely. The vulnerability can be triggered by reconfiguring coalescing settings on a device that is not fully operational. The problem has been addressed by modifying the driver to check the BNXT_STATE_OPEN flag, ensuring the device is ready before making changes to the coalescing parameters.
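The difference between the two readiness checks can be seen in a small user-space model. This is an added example, not code from the bnxt_en driver: only BNXT_STATE_OPEN is a name from the advisory, the "interface is up" check is an assumed stand-in for the weaker pre-fix test, and every other identifier is hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

/* User-space model. Only BNXT_STATE_OPEN is a name from the advisory;
 * every other identifier here is hypothetical. */
#define BNXT_STATE_OPEN 0x1u
enum coal_result { COAL_APPLIED, COAL_DEFERRED, COAL_NULL_DEREF };
struct model_ring { unsigned int coal_ticks; };

struct model_dev {
    bool admin_up;            /* interface is administratively up */
    unsigned int state;       /* driver state bits */
    unsigned int saved_ticks; /* software copy of the requested setting */
    struct model_ring *ring;  /* NULL while error recovery has it freed */
};

/* Bring-up (also the end of recovery): allocate the ring, program the
 * saved setting, then mark the device open. */
static void model_open(struct model_dev *d)
{
    d->ring = calloc(1, sizeof(*d->ring));
    if (!d->ring) return;     /* stays not-open on allocation failure */
    d->ring->coal_ticks = d->saved_ticks;
    d->admin_up = true;
    d->state |= BNXT_STATE_OPEN;
}

/* Error recovery frees the ring while the interface still looks "up". */
static void model_begin_recovery(struct model_dev *d)
{
    d->state &= ~BNXT_STATE_OPEN;
    free(d->ring);
    d->ring = NULL;
}

/* Shared body: `ready` is whichever readiness test the caller trusts. */
static enum coal_result set_coalesce(struct model_dev *d, unsigned int ticks, bool ready)
{
    d->saved_ticks = ticks;
    if (!ready) return COAL_DEFERRED;      /* applied later by model_open() */
    if (!d->ring) return COAL_NULL_DEREF;  /* a kernel would dereference NULL here */
    d->ring->coal_ticks = ticks;
    return COAL_APPLIED;
}

/* Weak check (assumed pre-fix shape): only asks whether the interface is up. */
static enum coal_result set_coalesce_weak(struct model_dev *d, unsigned int t)
{ return set_coalesce(d, t, d->admin_up); }

/* Hardened check, as the advisory describes: require BNXT_STATE_OPEN. */
static enum coal_result set_coalesce_checked(struct model_dev *d, unsigned int t)
{ return set_coalesce(d, t, (d->state & BNXT_STATE_OPEN) != 0); }
```

In the model, a request made during recovery is saved and applied when the device reopens, so the hardened check defers the change rather than dropping it.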

Impact

Exploitation of this vulnerability can lead to a kernel crash, causing a denial of service by interrupting normal system operations.

Reproduction

The vulnerability can be reproduced by initiating a coalescing settings change on a bnxt_en managed device that is in the process of error recovery. This can be done using the ethtool command, which interacts with the network interface's coalescing parameters. The absence of the rtnl_lock during the recovery phase allows the operation to proceed even if the device is not fully ready, leading to a null pointer dereference and a subsequent kernel crash.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for updating the kernel can be found in the official documentation for the specific Linux distribution in use.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.