Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's RDMA mlx5 component can lead to a NULL pointer dereference. The issue arises because the current queue pair (QP) update flow in the mlx5_poll_one() function matches the QP number carried in a completion queue entry (CQE) against the QP number stored in the mlx5_ib_qp structure. The CQE QP number comes from the firmware, so it should instead be compared with the QP number in the mlx5_core_qp structure. Because of this mismatch, the kernel can select the wrong QP (or none at all) when processing a CQE, leading to a crash. The problem is primarily observed with QPs 0 and 1, the only QPs currently managed by the driver, where the QP numbers in mlx5_ib_qp and mlx5_core_qp do not line up.
Triggering this vulnerability causes a kernel NULL pointer dereference and a crash. The error occurs while processing completion queue entries, disrupting normal operation and potentially resulting in denial of service.