Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A NULL pointer dereference vulnerability has been identified in the Linux kernel's IAVF (Intel Adaptive Virtual Function) driver. This issue arises in versions of the kernel that include a regression introduced by a previous commit. The vulnerability occurs when the 'iavf_get_vf_config' function frees the 'vf_res' resource while the netdev is still registered. This allows 'ethtool_ops' to be called, and if 'iavf_get_link_ksettings' is invoked without a valid 'vf_res', it leads to a kernel NULL pointer dereference. The vulnerability has been observed in Linux kernel version 5.18.0-04958-ga54ce3703613.
Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the kernel and potentially causing a denial of service.
The vulnerability can be reproduced by calling the 'iavf_get_link_ksettings' function without a valid 'vf_res' resource. This can be done by triggering the 'IAVF_ERR_ADMIN_QUEUE_NO_WORK' error, which prompts the 'iavf_get_vf_config' function to free the 'vf_res' resource while the netdev remains registered. Once 'ethtool_ops' is available, invoking 'iavf_get_link_ksettings' will result in a NULL pointer dereference, causing a kernel crash.
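The lifetime problem described above, reduced to a userspace model. This is an added example, not kernel or driver code and not the upstream patch; every `model_*` name, the `-EAGAIN` return and the speed value are assumptions made for illustration. It shows the config step releasing the resource while the query path stays reachable, next to a query handler that checks for the missing resource before touching it.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed userspace model; every model_* name is hypothetical. */
struct model_vf_res { unsigned int max_speed_mbps; };
struct model_adapter {
    struct model_vf_res *vf_res; /* released when the config fetch fails */
    int netdev_registered;       /* query callbacks stay reachable while set */
};
enum { MODEL_OK = 0, MODEL_ERR_NO_WORK = -1 };

/* Config step: on the "no work" status it frees vf_res but leaves the
 * device registered, which is the window the description refers to. */
int model_get_vf_config(struct model_adapter *a, int aq_status)
{
    if (aq_status == MODEL_ERR_NO_WORK) {
        free(a->vf_res);
        a->vf_res = NULL;
    }
    return aq_status;
}

/* Unchecked query: dereferences vf_res unconditionally (the faulting shape).
 * Shown for comparison only; nothing in this example calls it. */
int model_get_link_unchecked(const struct model_adapter *a, unsigned int *speed)
{
    *speed = a->vf_res->max_speed_mbps;
    return 0;
}

/* Checked query: refuses to run while the resource is absent. */
int model_get_link_checked(const struct model_adapter *a, unsigned int *speed)
{
    if (!a->netdev_registered || !a->vf_res)
        return -EAGAIN; /* assumed error code for "not ready yet" */
    *speed = a->vf_res->max_speed_mbps;
    return 0;
}

/* Runs the config step with the given status, then the checked query. */
int model_scenario(int aq_status, unsigned int *speed)
{
    struct model_adapter a = { calloc(1, sizeof(struct model_vf_res)), 1 };
    int ret;
    if (!a.vf_res) return -ENOMEM;
    a.vf_res->max_speed_mbps = 10000; /* constructed sample value */
    model_get_vf_config(&a, aq_status);
    ret = model_get_link_checked(&a, speed);
    free(a.vf_res);
    return ret;
}
int main(void) { unsigned int s = 0; return model_scenario(MODEL_OK, &s); }
```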