Linux Kernel mlx5e Driver Race Condition Vulnerability Leading to Crash

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's mlx5e network driver. This issue arises because the driver checks the NOT_READY flag state before acquiring the necessary lock, creating a potential race condition. When a flow is concurrently removed from the unready_flows list by a workqueue task, it can lead to a double-removal from the list, causing a crash. The vulnerability has been observed in Linux kernel version 6.4.0-rc4.

Impact

Triggering this race causes a general protection fault, likely due to a non-canonical address, and the system crashes.

Reproduction

The vulnerability can be reproduced by using the mlx5e driver in a Linux kernel environment. When a flow is offloaded and the NOT_READY flag is set, the driver can remove the flow from the unready_flows list. If this removal occurs simultaneously with another operation that checks the NOT_READY flag, it can result in a double-removal and a crash.
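
The check-then-lock pattern described above, as an added userspace example (not the mlx5e driver's code). The struct layout, function names and the single-threaded stand-in for the workqueue task are assumptions made for illustration; the model counts removals instead of crashing.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical userspace model; names are illustrative, not the driver's. */
struct node { struct node *prev, *next; };
struct flow { struct node unready; bool not_ready; int dels; };

static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static struct node unready_flows = { &unready_flows, &unready_flows };

/* Count every removal attempt; unlink only if still linked, so a double
 * removal is observable here instead of faulting on stale pointers. */
static void flow_del(struct flow *f) {
    f->dels++;
    if (!f->unready.next) return;
    f->unready.prev->next = f->unready.next;
    f->unready.next->prev = f->unready.prev;
    f->unready.next = f->unready.prev = NULL;
}

/* Stand-in for the workqueue task: removes the flow under the lock. */
static void workqueue_task(struct flow *f) {
    pthread_mutex_lock(&lock);
    if (f->not_ready) { flow_del(f); f->not_ready = false; }
    pthread_mutex_unlock(&lock);
}

/* Returns the number of list removals performed on one flow. The call to
 * workqueue_task() models it running in the window before the lock. */
static int remove_flow(bool check_under_lock) {
    struct flow f = { .not_ready = true };
    f.unready.prev = &unready_flows; f.unready.next = unready_flows.next;
    unready_flows.next->prev = &f.unready; unready_flows.next = &f.unready;

    bool seen = f.not_ready;            /* racy: flag read without the lock */
    workqueue_task(&f);                 /* concurrent removal wins the race */
    pthread_mutex_lock(&lock);
    if (check_under_lock) seen = f.not_ready;   /* fixed: re-read under lock */
    if (seen) { flow_del(&f); f.not_ready = false; }
    pthread_mutex_unlock(&lock);
    return f.dels;
}

int main(void) {
    printf("check before lock: %d removals\n", remove_flow(false));
    printf("check under lock:  %d removals\n", remove_flow(true));
    return 0;
}
```

In the kernel, the second removal operates on list pointers that are no longer valid, which is consistent with the general protection fault reported under Impact.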

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Oct 4, 2025, 5:02 PM
Updated: Oct 4, 2025, 5:02 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.