Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- 6.15.0-rc1
A vulnerability in the Linux kernel's RoCE (RDMA over Converged Ethernet) driver can lead to a NULL pointer dereference, causing a crash. This issue arises from a double invocation of the driver's suspend method, which is not properly synchronized. The vulnerability affects the bnxt_en component of the Linux kernel.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, leading to a system crash.
The bnxt_ulp_stop() and bnxt_ulp_start() methods are expected to be invoked in pairs. However, after a specific commit, the new bnxt_ulp_restart() method can be called after bnxt_ulp_stop(), potentially leading to the aux driver's suspend() method being called twice. The second call dereferences a NULL pointer, causing a crash.
Check the BNXT_EN_FLAG_ULP_STOPPED flag before proceeding with the bnxt_ulp_stop() and bnxt_ulp_start() methods. This ensures that the methods are not invoked twice, preserving the original symmetrical call pattern. The bnxt_ulp_start() method is also updated to clear the BNXT_EN_FLAG_ULP_STOPPED flag, which avoids race conditions.
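The flag guard described above, as an added userspace C model (not the kernel's bnxt_en code and not part of the original entry). Only the BNXT_EN_FLAG_ULP_STOPPED name comes from the text; the struct and the model_*, stop_* and start_* functions are hypothetical, the model is single-threaded, and the NULL dereference is counted rather than performed.

```c
#include <stdio.h>
/* Userspace model, not kernel code. Only the flag name comes from the advisory. */
#define BNXT_EN_FLAG_ULP_STOPPED 0x1u

struct model_dev {
    unsigned int flags;
    int ctx_storage;
    int *ctx;    /* state that suspend() tears down; NULL while suspended */
    int faults;  /* times suspend() ran with ctx == NULL (an oops in the kernel) */
};
static void model_init(struct model_dev *d) {
    d->flags = 0; d->ctx_storage = 1; d->ctx = &d->ctx_storage; d->faults = 0;
}
/* Hypothetical stand-ins for the aux driver's suspend and resume callbacks. */
static void model_suspend(struct model_dev *d) {
    if (!d->ctx) { d->faults++; return; }  /* a real driver would dereference here */
    *d->ctx = 0;
    d->ctx = NULL;
}
static void model_resume(struct model_dev *d) { d->ctx = &d->ctx_storage; *d->ctx = 1; }
/* Without the check: every stop request reaches suspend(). */
static void stop_unguarded(struct model_dev *d) {
    d->flags |= BNXT_EN_FLAG_ULP_STOPPED;
    model_suspend(d);
}
/* With the check: a stop on an already-stopped device does nothing. */
static void stop_guarded(struct model_dev *d) {
    if (d->flags & BNXT_EN_FLAG_ULP_STOPPED) return;
    d->flags |= BNXT_EN_FLAG_ULP_STOPPED;
    model_suspend(d);
}
/* Start only undoes a recorded stop, and clears the flag when it does. */
static void start_guarded(struct model_dev *d) {
    if (!(d->flags & BNXT_EN_FLAG_ULP_STOPPED)) return;
    d->flags &= ~BNXT_EN_FLAG_ULP_STOPPED;
    model_resume(d);
}
/* Two stop requests before any start, then one start; returns the fault count. */
int faults_after_double_stop(int guarded) {
    struct model_dev d;
    model_init(&d);
    for (int i = 0; i < 2; i++) { if (guarded) stop_guarded(&d); else stop_unguarded(&d); }
    start_guarded(&d);
    return d.faults;
}
int main(void) {
    printf("unguarded: %d, guarded: %d\n", faults_after_double_stop(0), faults_after_double_stop(1));
    return 0;
}
```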