Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's handling of Link Aggregation Group (LAG) logic for Mellanox devices can lead to a null pointer dereference. This issue arises because the flag indicating that both network devices are ready is not set correctly, creating an asymmetry that can cause the system to attempt to access invalid memory. The problem occurs when one physical function (PF) is unloaded before its corresponding network device is cleared, leaving the LAG flag incorrectly set. Subsequent operations can then trigger a kernel crash by accessing a null pointer.
Exploitation of this vulnerability causes a kernel crash due to a null pointer dereference, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by loading two physical functions (PF0 and PF1) of a Mellanox device. PF0 sets its device pointer to a valid address, while PF1 sets both its device and network device pointers to valid addresses, incorrectly signaling that both devices are ready. If PF0 is then unloaded before clearing its network device pointer, the LAG flag remains set, creating a mismatch. When the 'mlx5_do_bond()' function is called, it attempts to access the LAG information, leading to a null pointer dereference and a kernel crash.
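The sequence described above, as an added illustration in C that is not kernel code: a hypothetical, heavily simplified model of the LAG bookkeeping (the struct layout, the function names and the cached `ready` flag are assumptions, not the real mlx5 ones) showing how the cached flag drifts from the pointers it summarises, and the defensive check that recomputes readiness from the pointers before a bonding routine touches a netdev.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical simplified model of the LAG bookkeeping in the advisory; not the real mlx5 code. */
#define NUM_PORTS 2
struct dev    { const char *name; };
struct netdev { const char *name; };
struct lag {
    struct dev    *dev[NUM_PORTS];
    struct netdev *netdev[NUM_PORTS];
    bool           ready; /* cached "both netdevs ready" flag */
};
/* Buggy add: one PF registering its netdev is enough to flip the flag. */
void lag_add_netdev_buggy(struct lag *l, int port, struct netdev *nd)
{
    l->netdev[port] = nd;
    l->ready = true;
}
/* Buggy unload: the device goes away but netdev and the flag stay stale. */
void lag_remove_dev_buggy(struct lag *l, int port)
{
    l->dev[port] = NULL;
}
/* Hardened check: derive readiness from the pointers, not the cached flag. */
bool lag_both_ready(const struct lag *l)
{
    for (int i = 0; i < NUM_PORTS; i++)
        if (!l->dev[i] || !l->netdev[i])
            return false;
    return true;
}
/* Bonding step modelled defensively: -1 instead of dereferencing a NULL netdev. */
int do_bond(const struct lag *l)
{
    if (!lag_both_ready(l))
        return -1;
    const char *a = l->netdev[0]->name, *b = l->netdev[1]->name; /* safe here */
    return (a && b) ? 0 : -1;
}
/* Replay the advisory's sequence; true means the stale flag was caught. */
bool replay_buggy_sequence(void)
{
    struct dev d0 = {"pf0"}, d1 = {"pf1"};      /* constructed sample devices */
    struct netdev n1 = {"eth1"};
    struct lag l = {0};
    l.dev[0] = &d0; l.dev[1] = &d1;             /* PF0: device only */
    lag_add_netdev_buggy(&l, 1, &n1);           /* PF1: device + netdev, flag flips */
    lag_remove_dev_buggy(&l, 0);                /* PF0 unloaded, netdev not cleared */
    return l.ready && do_bond(&l) == -1;
}
```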