In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix handling of wrong devices during bond netevent
Current implementation of bond netevent handler only check if the handled netdev is VF representor and it missing a check if the VF representor is on the same phys device of the bond handling the netevent.
Fix by adding the missing check and optimizing the check if the netdev is VF representor so it will not access uninitialized private data and crashes.
BUG: kernel NULL pointer dereference, address: 000000000000036c PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI Workqueue: eth3bond0 bondmiimonitor [bonding] RIP: 0010:mlx5eisuplinkrep+0xc/0x50 [mlx5core] RSP: 0018:ffff88812d69fd60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881cf800000 RCX: 0000000000000000 RDX: ffff88812d69fe10 RSI: 000000000000001b RDI: ffff8881cf800880 RBP: ffff8881cf800000 R08: 00000445cabccf2b R09: 0000000000000008 R10: 0000000000000004 R11: 0000000000000008 R12: ffff88812d69fe10 R13: 00000000fffffffe R14: ffff88820c0f9000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88846fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036c CR3: 0000000103d80006 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mlx5eeswitchuplinkrep+0x31/0x40 [mlx5core] mlx5erepislagnetdev+0x94/0xc0 [mlx5core] mlx5erepeswbondnetevent+0xeb/0x3d0 [mlx5core] rawnotifiercallchain+0x41/0x60 callnetdevicenotifiersinfo+0x34/0x80 netdevlowerstatechanged+0x4e/0xa0 bondmiimonitor+0x56b/0x640 [bonding] processonework+0x1b9/0x390 workerthread+0x4d/0x3d0 ? rescuerthread+0x350/0x350 kthread+0x124/0x150 ? setkthreadstruct+0x40/0x40 retfrom_fork+0x1f/0x30