In the Linux kernel, the following vulnerability has been resolved:

mlxbf_gige: call request_irq() after NAPI initialized

The mlxbf_gige driver encounters a NULL pointer exception in
mlxbf_gige_open() when kdump is enabled. The sequence to reproduce
the exception is as follows:

a) enable kdump
b) trigger kdump via "echo c > /proc/sysrq-trigger"
c) kdump kernel executes
d) kdump kernel loads mlxbf_gige module
e) the mlxbf_gige module runs its open() as the "oob_net0"
   interface is brought up
f) mlxbf_gige module will experience an exception during its open(),
   something like:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
  ESR = 0x0000000086000004
  EC = 0x21: IABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000
[0000000000000000] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000086000004 [#1] SMP
CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu
Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024
pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : 0x0
lr : napi_poll+0x40/0x230
sp : ffff800008003e00
x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff
x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8
x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000
x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000
x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0
x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398
x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2
x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238
Call trace:
 0x0
 net_rx_action+0x178/0x360
 __do_softirq+0x15c/0x428
 __irq_exit_rcu+0xac/0xec
 irq_exit+0x18/0x2c
 handle_domain_irq+0x6c/0xa0
 gic_handle_irq+0xec/0x1b0
 call_on_irq_stack+0x20/0x2c
 do_interrupt_handler+0x5c/0x70
 el1_interrupt+0x30/0x50
 el1h_64_irq_handler+0x18/0x2c
 el1h_64_irq+0x7c/0x80
 __setup_irq+0x4c0/0x950
 request_threaded_irq+0xf4/0x1bc
 mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]
 mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]
 __dev_open+0x100/0x220
 __dev_change_flags+0x16c/0x1f0
 dev_change_flags+0x2c/0x70
 do_setlink+0x220/0xa40
 __rtnl_newlink+0x56c/0x8a0
 rtnl_newlink+0x58/0x84
 rtnetlink_rcv_msg+0x138/0x3c4
 netlink_rcv_skb+0x64/0x130
 rtnetlink_rcv+0x20/0x30
 netlink_unicast+0x2ec/0x360
 netlink_sendmsg+0x278/0x490
 __sock_sendmsg+0x5c/0x6c
 ____sys_sendmsg+0x290/0x2d4
 ___sys_sendmsg+0x84/0xd0
 __sys_sendmsg+0x70/0xd0
 __arm64_sys_sendmsg+0x2c/0x40
 invoke_syscall+0x78/0x100
 el0_svc_common.constprop.0+0x54/0x184
 do_el0_svc+0x30/0xac
 el0_svc+0x48/0x160
 el0t_64_sync_handler+0xa4/0x12c
 el0t_64_sync+0x1a4/0x1a8
Code: bad PC value
---[ end trace 7d1c3f3bf9d81885 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
Kernel Offset: 0x2870a7a00000 from 0xffff800008000000
PHYS_OFFSET: 0x80000000
CPU features: 0x0,000005c1,a3332a5a
Memory Limit: none
---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

The exception happens because there is a pending RX interrupt before the
call to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires
immediately after this request_irq() completes. The ---truncated---
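As an added illustration (constructed code, not the mlxbf_gige driver's own), the ordering bug and its fix modelled in plain C: request_rx_irq(), run_napi_poll(), open_buggy() and open_fixed() are hypothetical stand-ins for request_irq(), napi_poll() and the two orderings of mlxbf_gige_open(); a pending RX line makes the handler run from inside the request, exactly as the call trace above shows.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the ordering bug above (not the driver's own code):
 * an RX IRQ already pending when request_irq() runs fires at once, NAPI is
 * scheduled, and napi_poll() jumps to a still-NULL poll callback. */
struct napi_ctx {
    int (*poll)(struct napi_ctx *napi, int budget); /* NULL until NAPI is set up */
    int packets_polled;
};
struct gige_dev {
    struct napi_ctx napi;
    bool rx_irq_pending;  /* left asserted by the crashed kernel (kdump case) */
    int null_poll_calls;  /* stands in for the jump to pc 0x0 */
};
/* Softirq side: net_rx_action -> napi_poll -> napi->poll */
static void run_napi_poll(struct gige_dev *dev)
{
    if (dev->napi.poll == NULL) {
        dev->null_poll_calls++;  /* real kernel: NULL pointer dereference */
        return;
    }
    dev->napi.poll(&dev->napi, 64);
}
/* request_irq(): a pending line delivers the interrupt immediately; the
 * handler acks it and schedules NAPI (napi_schedule -> net_rx_action). */
static void request_rx_irq(struct gige_dev *dev)
{
    if (dev->rx_irq_pending) {
        dev->rx_irq_pending = false;
        run_napi_poll(dev);
    }
}
/* Driver poll callback: counts completed poll runs. */
static int gige_poll(struct napi_ctx *napi, int budget) { (void)budget; return ++napi->packets_polled; }
/* Buggy open(): IRQ requested before NAPI is initialised. Returns NULL-poll count. */
int open_buggy(struct gige_dev *dev)
{
    request_rx_irq(dev);
    dev->napi.poll = gige_poll;  /* too late: the handler already ran */
    return dev->null_poll_calls;
}
/* Fixed open(): NAPI initialised first, then request_irq(). Returns NULL-poll count. */
int open_fixed(struct gige_dev *dev)
{
    dev->napi.poll = gige_poll;
    request_rx_irq(dev);
    return dev->null_poll_calls;
}
```

With the line pending at open time, open_buggy() records one NULL poll and processes nothing, while open_fixed() handles the same interrupt through the registered callback.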