Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of delayed bond work in the mlx5 network driver can lead to a NULL pointer dereference. A recent commit unintentionally removed a crucial work cancellation step, so delayed work can execute on a work queue that has already been destroyed. The result is a kernel crash on an access to a NULL memory address, which can occur when the bond work's queued delay expires and the work is processed after the work queue has been dismantled.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by creating a network device that uses the mlx5 driver and configuring link aggregation (LAG) on it. Afterward, the network device can be freed without properly canceling the delayed bond work, allowing the work to be processed on a destroyed work queue, which triggers the NULL pointer dereference.
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.
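The teardown ordering described above, modeled in userspace C as an added example (it is not kernel or mlx5 driver code and does not come from the advisory). All struct and function names are hypothetical; each helper only models the kernel call named in its comment, and a flag stands in for the destroyed queue so the model reports the bad access instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every type and function name below is hypothetical. */
struct workqueue { bool alive; int executed; };
struct delayed_work { struct workqueue *wq; bool timer_armed; };
struct lag_dev { struct workqueue wq; struct delayed_work bond_work; };

enum expiry { NOTHING_PENDING, RAN_ON_LIVE_QUEUE, HIT_DESTROYED_QUEUE };

/* Models queue_delayed_work(): arm a timer that later hands the work to wq. */
static void queue_bond_work(struct lag_dev *d) {
    d->bond_work.wq = &d->wq;
    d->bond_work.timer_armed = true;
}

/* Models cancel_delayed_work_sync(): after it returns, no timer is pending. */
static void cancel_bond_work_sync(struct lag_dev *d) { d->bond_work.timer_armed = false; }

/* Models destroy_workqueue(); the flag stands in for the freed queue. */
static void destroy_wq(struct lag_dev *d) { d->wq.alive = false; }

/* Models the delay expiring: the timer tries to enqueue the work on wq. */
static enum expiry timer_expire(struct lag_dev *d) {
    if (!d->bond_work.timer_armed) return NOTHING_PENDING;
    d->bond_work.timer_armed = false;
    if (!d->bond_work.wq->alive) return HIT_DESTROYED_QUEUE; /* kernel crashes here */
    d->bond_work.wq->executed++;
    return RAN_ON_LIVE_QUEUE;
}

/* Device teardown; with_cancel selects whether the cancellation step runs first. */
static enum expiry teardown(bool with_cancel) {
    struct lag_dev d = { .wq = { .alive = true } };
    queue_bond_work(&d);                 /* delayed bond work is still pending */
    if (with_cancel) cancel_bond_work_sync(&d);
    destroy_wq(&d);
    return timer_expire(&d);             /* the queued delay expires after teardown */
}

int main(void) {
    printf("without cancel: %d, with cancel: %d\n",
           (int)teardown(false), (int)teardown(true));
    return 0;
}
```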