CVE-2024-50296 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when uninstalling driver When the driver is uninstalled and the VF is disabled concurrently, a kernel crash occurs. The reason is that the two actions call function pci_disable_sriov(). The num_VFs is checked to determine whether to release the corresponding resources. During the second calling, num_VFs is not 0 and the resource release function is called. However, the corresponding resource has been released during the first invoking. Therefore, the problem occurs: [15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ... [15278.131557][T50670] Call trace: [15278.134686][T50670] klist_put+0x28/0x12c [15278.138682][T50670] klist_del+0x14/0x20 [15278.142592][T50670] device_del+0xbc/0x3c0 [15278.146676][T50670] pci_remove_bus_device+0x84/0x120 [15278.151714][T50670] pci_stop_and_remove_bus_device+0x6c/0x80 [15278.157447][T50670] pci_iov_remove_virtfn+0xb4/0x12c [15278.162485][T50670] sriov_disable+0x50/0x11c [15278.166829][T50670] pci_disable_sriov+0x24/0x30 [15278.171433][T50670] hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3] [15278.178039][T50670] hclge_exit+0x28/0xd0 [hclge] [15278.182730][T50670] __se_sys_delete_module.isra.0+0x164/0x230 [15278.188550][T50670] __arm64_sys_delete_module+0x1c/0x30 [15278.193848][T50670] invoke_syscall+0x50/0x11c [15278.198278][T50670] el0_svc_common.constprop.0+0x158/0x164 [15278.203837][T50670] do_el0_svc+0x34/0xcc [15278.207834][T50670] el0_svc+0x20/0x30 For details, see the following figure. rmmod hclge disable VFs ---------------------------------------------------- hclge_exit() sriov_numvfs_store() ... device_lock() pci_disable_sriov() hns3_pci_sriov_configure() pci_disable_sriov() sriov_disable() sriov_disable() if !num_VFs : if !num_VFs : return; return; sriov_del_vfs() sriov_del_vfs() ... ... klist_put() klist_put() ... ... num_VFs = 0; num_VFs = 0; device_unlock(); In this patch, when driver is removing, we get the device_lock() to protect num_VFs, just like sriov_numvfs_store().

Reserved 2024-10-21 | Published 2024-11-19 | Updated 2025-05-04 | Assigner Linux

Product status

Default status

unaffected

b06ad258e01389ca3ff13bc180f3fcd6a608f1cd before a0df055775f30850c0da8f7dab40d67c0fd63908

affected

c4b64011e458aa2b246cd4e42012cfd83d2d9a5c before 7ae4e56de7dbd0999578246a536cf52a63f4056d

affected

d36b15e3e7b5937cb1f6ac590a85facc3a320642 before 590a4b2d4e0b73586e88bce9b8135b593355ec09

affected

0dd8a25f355b4df2d41c08df1716340854c7d4c5 before e36482b222e00cc7aeeea772fc0cf2943590bc4d

affected

0dd8a25f355b4df2d41c08df1716340854c7d4c5 before 76b155e14d9b182ce83d32ada2d0d7219ea8c8dd

affected

0dd8a25f355b4df2d41c08df1716340854c7d4c5 before 719edd9f3372ce7fb3b157647c6658672946874b

affected

0dd8a25f355b4df2d41c08df1716340854c7d4c5 before b5c94e4d947d15d521e935ff10c5a22a7883dea5

affected

0dd8a25f355b4df2d41c08df1716340854c7d4c5 before df3dff8ab6d79edc942464999d06fbaedf8cdd18

affected

9b5a29f0acefa3eb1dbe2fa302b393eeff64d933

affected

Default status

affected

5.15

affected

Any version before 5.15

unaffected

4.19.324

unaffected

5.4.286

unaffected

5.10.230

unaffected

5.15.172

unaffected

6.1.117

unaffected

6.6.61

unaffected

6.11.8

unaffected

6.12

unaffected

References

git.kernel.org/...c/a0df055775f30850c0da8f7dab40d67c0fd63908

git.kernel.org/...c/7ae4e56de7dbd0999578246a536cf52a63f4056d

git.kernel.org/...c/590a4b2d4e0b73586e88bce9b8135b593355ec09

git.kernel.org/...c/e36482b222e00cc7aeeea772fc0cf2943590bc4d

git.kernel.org/...c/76b155e14d9b182ce83d32ada2d0d7219ea8c8dd

git.kernel.org/...c/719edd9f3372ce7fb3b157647c6658672946874b

git.kernel.org/...c/b5c94e4d947d15d521e935ff10c5a22a7883dea5

git.kernel.org/...c/df3dff8ab6d79edc942464999d06fbaedf8cdd18

cve.org (CVE-2024-50296)

nvd.nist.gov (CVE-2024-50296)

Download JSON