AZL-73138

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix null deref on srq->rq.queue after resize failure

A NULL pointer dereference can occur in rxesrqchkattr() when ibvmodifysrq() is invoked twice in succession under certain error conditions. The first call may fail in rxequeueresize(), which leads rxesrqfromattr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask.

Call Trace: <TASK> rxemodifysrq+0x170/0x480 [rdma_rxe] ? __pfxrxemodifysrq+0x10/0x10 [rdmarxe] ? uverbstrylockobject+0x4f/0xa0 [ibuverbs] ? rdmalookupgetuobject+0x1f0/0x380 [ibuverbs] ibuverbsmodifysrq+0x204/0x290 [ibuverbs] ? __pfxibuverbsmodifysrq+0x10/0x10 [ibuverbs] ? tryincnodenractive+0xe6/0x150 ? uverbsfilludata+0xed/0x4f0 [ibuverbs] ibuverbshandlerUVERBSMETHODINVOKEWRITE+0x2c0/0x470 [ibuverbs] ? __pfxibuverbshandlerUVERBSMETHODINVOKEWRITE+0x10/0x10 [ibuverbs] ? uverbsfilludata+0xed/0x4f0 [ibuverbs] ibuverbsrunmethod+0x55a/0x6e0 [ib_uverbs] ? __pfxibuverbshandlerUVERBSMETHODINVOKEWRITE+0x10/0x10 [ibuverbs] ibuverbscmdverbs+0x54d/0x800 [ibuverbs] ? __pfxibuverbs_cmdverbs+0x10/0x10 [ibuverbs] ? pfxrawspinlockirqsave+0x10/0x10 ? __pfxdovfs_ioctl+0x10/0x10 ? ioctlhasperm.constprop.0.isra.0+0x2c7/0x4c0 ? __pfxioctlhasperm.constprop.0.isra.0+0x10/0x10 ibuverbsioctl+0x13e/0x220 [ibuverbs] ? __pfxibuverbsioctl+0x10/0x10 [ibuverbs] __x64sysioctl+0x138/0x1c0 dosyscall64+0x82/0x250 ? fdgetpos+0x58/0x4c0 ? ksyswrite+0xf3/0x1c0 ? __pfxksyswrite+0x10/0x10 ? dosyscall64+0xc8/0x250 ? __pfxvmmmappgoff+0x10/0x10 ? fget+0x173/0x230 ? fput+0x2a/0x80 ? ksysmmappgoff+0x224/0x4c0 ? dosyscall64+0xc8/0x250 ? douseraddrfault+0x37b/0xfe0 ? clearbhbloop+0x50/0xa0 ? clearbhbloop+0x50/0xa0 ? clearbhbloop+0x50/0xa0 entrySYSCALL64afterhwframe+0x76/0x7e