Linux Kernel mlx5e Priv Structure Handling Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's Mellanox mlx5 Ethernet driver, specifically within the auxiliary device management of the mlx5e_dev structure. The mlx5e_priv structure, which is intended to hold references to the network device and associated metadata, is not stable: it can be reset to zero if an error occurs during profile attachment. Code that later reads the cleared structure can hit a NULL pointer dereference, causing a kernel oops. The vulnerability is triggered when the devlink eswitch mode is set to switchdev and the profile change fails, creating a scenario where the mlx5e_remove function attempts to access a cleared mlx5e_priv reference.

Impact

The vulnerability causes a kernel NULL pointer dereference, leading to a crash. This occurs when the associated profile change fails, resetting the mlx5e_priv structure, and the mlx5e_remove function is then called and still tries to access it.

Reproduction

To reproduce this vulnerability, set the devlink eswitch mode to switchdev on a device using the mlx5e driver. This initiates a profile change that, if it fails, causes the mlx5e_priv structure to be reset. Subsequently, reload the devlink device. The reload triggers the mlx5e_remove function, which attempts to access the now-invalid mlx5e_priv reference, resulting in a NULL pointer dereference and a kernel oops.
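
The sequence described above, as an added userspace C model (not code from the Linux kernel or the mlx5 driver): a failed profile change zeroes the priv structure, after which a remove path that trusts its netdev reference would dereference NULL, while one that checks the reference does not. Every model_* name and the -1 return value are assumptions made for illustration, and the check shown is not the upstream fix.

```c
/* Userspace model only; every model_* name is hypothetical, not driver code. */
#include <string.h>

struct model_netdev { int registered; };
struct model_priv { struct model_netdev *netdev; int profile; }; /* ~ mlx5e_priv */
struct model_dev { struct model_priv *priv; };                   /* ~ mlx5e_dev */

/* Profile change; on failure the priv contents are reset to zero. */
static int model_change_profile(struct model_priv *priv, int profile, int fail)
{
    if (fail)
        memset(priv, 0, sizeof(*priv)); /* netdev reference becomes NULL */
    else
        priv->profile = profile;
    return fail ? -1 : 0;
}

/* "Before" shape: trusts priv->netdev, so a cleared priv is a NULL dereference. */
static int model_remove_unchecked(struct model_dev *dev)
{
    dev->priv->netdev->registered = 0;
    return 0;
}

/* Defensive shape: notice the cleared reference and skip the netdev teardown. */
static int model_remove_checked(struct model_dev *dev)
{
    struct model_netdev *nd = dev->priv ? dev->priv->netdev : NULL;
    if (!nd)
        return -1;
    nd->registered = 0;
    return 0;
}

/* Sequence from the page: profile change (optionally failing), then remove. */
static int model_scenario(int fail, int (*remove_fn)(struct model_dev *))
{
    struct model_netdev nd = { .registered = 1 };
    struct model_priv priv = { .netdev = &nd, .profile = 0 };
    struct model_dev dev = { .priv = &priv };
    (void)model_change_profile(&priv, 1, fail);
    return remove_fn(&dev);
}

int main(void)
{
    int ok = model_scenario(0, model_remove_unchecked);   /* priv intact: 0 */
    int failed = model_scenario(1, model_remove_checked); /* priv cleared: -1 */
    return (ok == 0 && failed == -1) ? 0 : 1;
}
```

The unchecked variant is only ever run on the success path here; on the failure path it is the shape that produces the oops the page describes.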

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Jan 25, 2026, 3:31 PM
Updated: Jan 25, 2026, 3:31 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.4
remediation: 7.7
relevance: 2.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.