Linux Kernel NULL Pointer Dereference Vulnerability in mlx5 LAG Port Selection

A vulnerability in the Linux kernel's handling of the mlx5 LAG (Link Aggregation Group) port selection can lead to a NULL pointer dereference, causing a kernel crash. This issue arises when the port selection structure is not properly cleared after a failure to create LAG definers. The mlx5_lag_destroy_definers() function attempts to destroy all LAG definers, but if a failure occurs, it can result in the same definer being destroyed twice, leading to a crash. The vulnerability is present in the Linux kernel version 6.11.0+.

Impact

Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by creating a LAG port selection that fails, which leaves stale values in the port selection structure. When the mlx5_lag_destroy_definers() function is called, it double-destroys the LAG definers, causing a NULL pointer dereference and a kernel crash. This sequence of actions can be observed in the call trace included in the vulnerability description.