In the Linux kernel, the following vulnerability has been resolved:

mlxbf_gige: call request_irq() after NAPI initialized

The mlxbf_gige driver encounters a NULL pointer exception in mlxbf_gige_open() when kdump is enabled. The sequence to reproduce the exception is as follows:

a) enable kdump
b) trigger kdump via "echo c > /proc/sysrq-trigger"
c) kdump kernel executes
d) kdump kernel loads mlxbf_gige module
e) the mlxbf_gige module runs its open() as the "oob_net0" interface is brought up
f) mlxbf_gige module will experience an exception during its open(), something like:

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    Mem abort info:
      ESR = 0x0000000086000004
      EC = 0x21: IABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x04: level 0 translation fault
    user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000
    [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
    Internal error: Oops: 0000000086000004 [#1] SMP
    CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu
    Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024
    pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : 0x0
    lr : __napi_poll+0x40/0x230
    sp : ffff800008003e00
    x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff
    x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8
    x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000
    x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000
    x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0
    x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c
    x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398
    x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2
    x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100
    x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238
    Call trace:
     0x0
     net_rx_action+0x178/0x360
     __do_softirq+0x15c/0x428
     __irq_exit_rcu+0xac/0xec
     irq_exit+0x18/0x2c
     handle_domain_irq+0x6c/0xa0
     gic_handle_irq+0xec/0x1b0
     call_on_irq_stack+0x20/0x2c
     do_interrupt_handler+0x5c/0x70
     el1_interrupt+0x30/0x50
     el1h_64_irq_handler+0x18/0x2c
     el1h_64_irq+0x7c/0x80
     __setup_irq+0x4c0/0x950
     request_threaded_irq+0xf4/0x1bc
     mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]
     mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]
     __dev_open+0x100/0x220
     __dev_change_flags+0x16c/0x1f0
     dev_change_flags+0x2c/0x70
     do_setlink+0x220/0xa40
     __rtnl_newlink+0x56c/0x8a0
     rtnl_newlink+0x58/0x84
     rtnetlink_rcv_msg+0x138/0x3c4
     netlink_rcv_skb+0x64/0x130
     rtnetlink_rcv+0x20/0x30
     netlink_unicast+0x2ec/0x360
     netlink_sendmsg+0x278/0x490
     __sock_sendmsg+0x5c/0x6c
     ____sys_sendmsg+0x290/0x2d4
     ___sys_sendmsg+0x84/0xd0
     __sys_sendmsg+0x70/0xd0
     __arm64_sys_sendmsg+0x2c/0x40
     invoke_syscall+0x78/0x100
     el0_svc_common.constprop.0+0x54/0x184
     do_el0_svc+0x30/0xac
     el0_svc+0x48/0x160
     el0t_64_sync_handler+0xa4/0x12c
     el0t_64_sync+0x1a4/0x1a8
    Code: bad PC value
    ---[ end trace 7d1c3f3bf9d81885 ]---
    Kernel panic - not syncing: Oops: Fatal exception in interrupt
    Kernel Offset: 0x2870a7a00000 from 0xffff800008000000
    PHYS_OFFSET: 0x80000000
    CPU features: 0x0,000005c1,a3332a5a
    Memory Limit: none
    ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

The exception happens because there is a pending RX interrupt before the call to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires immediately after this request_irq() completes. The ---truncated---
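The ordering race described above, as an added user-space model that is not the driver's code: request_irq() delivers a pending RX interrupt at once, the handler schedules NAPI, and the softirq then calls through napi->poll, which is still NULL if netif_napi_add() has not run yet. All struct and function names here are constructed stand-ins; the "fixed" ordering models the change the patch title describes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the NAPI/IRQ ordering bug; not kernel code. */
struct napi_sim {
    int (*poll)(struct napi_sim *napi, int budget); /* set by netif_napi_add() */
    bool scheduled;
};
struct gige_sim {
    struct napi_sim napi;   /* first member, so the cast in gige_rx_poll is valid */
    bool rx_irq_pending;    /* RX event latched in hardware before open() ran */
    int packets_polled;
};

static int gige_rx_poll(struct napi_sim *napi, int budget) {
    struct gige_sim *priv = (struct gige_sim *)napi;
    priv->packets_polled += budget;
    return budget;
}

/* net_rx_action()/__napi_poll(): indirect call through napi->poll.
 * Returns -1 to stand in for the "pc : 0x0" fault when poll is still NULL. */
static int sim_net_rx_action(struct napi_sim *napi) {
    if (!napi->scheduled) return 0;
    napi->scheduled = false;
    if (!napi->poll) return -1;
    return napi->poll(napi, 64) >= 0 ? 0 : -1;
}

/* request_irq(): a pending RX interrupt fires immediately and the softirq
 * runs before open() gets to do anything else. */
static int sim_request_irq(struct gige_sim *priv) {
    if (!priv->rx_irq_pending) return 0;
    priv->rx_irq_pending = false;
    priv->napi.scheduled = true;          /* RX handler: napi_schedule() */
    return sim_net_rx_action(&priv->napi);
}

static void sim_netif_napi_add(struct gige_sim *priv) { priv->napi.poll = gige_rx_poll; }

/* Original ordering: IRQs requested before NAPI is initialised. */
int open_before_fix(struct gige_sim *priv) {
    int rc = sim_request_irq(priv);
    sim_netif_napi_add(priv);
    return rc;
}
/* Fixed ordering: NAPI initialised first, so a pending IRQ finds a valid poll. */
int open_after_fix(struct gige_sim *priv) {
    sim_netif_napi_add(priv);
    return sim_request_irq(priv);
}
```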