CVE-2024-50146

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Don't call cleanup on profile rollback failure

When profile rollback fails in mlx5enetdevchange_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case.

This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5eprivinit, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in mlx5eremove.

[ 732.473932] mlx5core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5core 0000:08:00.1: mlx5enetdevinitprofile:6235:(pid 6086): mlx5eprivinit failed, err=-12 [ 734.559187] mlx5core 0000:08:00.1 eth3: mlx5enetdevchangeprofile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5core 0000:08:00.1: mlx5enetdevinitprofile:6235:(pid 6086): mlx5eprivinit failed, err=-12 [ 734.591136] mlx5core 0000:08:00.1 eth3: mlx5enetdevchange_profile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? pagefaultoops+0x150/0x400 [ 745.555307] ? excpagefault+0x79/0x240 [ 745.555729] ? asmexcpagefault+0x22/0x30 [ 745.556166] ? mlx5eremove+0x6b/0xb0 [mlx5core] [ 745.556698] auxiliarybusremove+0x18/0x30 [ 745.557134] devicereleasedriverinternal+0x1df/0x240 [ 745.557654] busremovedevice+0xd7/0x140 [ 745.558075] devicedel+0x15b/0x3c0 [ 745.558456] mlx5rescandriverslocked.part.0+0xb1/0x2f0 [mlx5core] [ 745.559112] mlx5unregisterdevice+0x34/0x50 [mlx5core] [ 745.559686] mlx5uninitone+0x46/0xf0 [mlx5core] [ 745.560203] removeone+0x4e/0xd0 [mlx5core] [ 745.560694] pcideviceremove+0x39/0xa0 [ 745.561112] devicereleasedriverinternal+0x1df/0x240 [ 745.561631] driverdetach+0x47/0x90 [ 745.562022] busremovedriver+0x84/0x100 [ 745.562444] pciunregisterdriver+0x3b/0x90 [ 745.562890] mlx5cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64sysdeletemodule+0x14d/0x2f0 [ 745.563886] ? kmemcachefree+0x1b0/0x460 [ 745.564313] ? lockdephardirqsonprepare+0xe2/0x190 [ 745.564825] dosyscall64+0x6d/0x140 [ 745.565223] entrySYSCALL64afterhwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b