We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-50296

net: hns3: fix kernel crash when uninstalling driver



Description

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when uninstalling driver When the driver is uninstalled and the VF is disabled concurrently, a kernel crash occurs. The reason is that the two actions call function pci_disable_sriov(). The num_VFs is checked to determine whether to release the corresponding resources. During the second calling, num_VFs is not 0 and the resource release function is called. However, the corresponding resource has been released during the first invoking. Therefore, the problem occurs: [15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 ... [15278.131557][T50670] Call trace: [15278.134686][T50670] klist_put+0x28/0x12c [15278.138682][T50670] klist_del+0x14/0x20 [15278.142592][T50670] device_del+0xbc/0x3c0 [15278.146676][T50670] pci_remove_bus_device+0x84/0x120 [15278.151714][T50670] pci_stop_and_remove_bus_device+0x6c/0x80 [15278.157447][T50670] pci_iov_remove_virtfn+0xb4/0x12c [15278.162485][T50670] sriov_disable+0x50/0x11c [15278.166829][T50670] pci_disable_sriov+0x24/0x30 [15278.171433][T50670] hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3] [15278.178039][T50670] hclge_exit+0x28/0xd0 [hclge] [15278.182730][T50670] __se_sys_delete_module.isra.0+0x164/0x230 [15278.188550][T50670] __arm64_sys_delete_module+0x1c/0x30 [15278.193848][T50670] invoke_syscall+0x50/0x11c [15278.198278][T50670] el0_svc_common.constprop.0+0x158/0x164 [15278.203837][T50670] do_el0_svc+0x34/0xcc [15278.207834][T50670] el0_svc+0x20/0x30 For details, see the following figure. rmmod hclge disable VFs ---------------------------------------------------- hclge_exit() sriov_numvfs_store() ... device_lock() pci_disable_sriov() hns3_pci_sriov_configure() pci_disable_sriov() sriov_disable() sriov_disable() if !num_VFs : if !num_VFs : return; return; sriov_del_vfs() sriov_del_vfs() ... ... klist_put() klist_put() ... ... num_VFs = 0; num_VFs = 0; device_unlock(); In this patch, when driver is removing, we get the device_lock() to protect num_VFs, just like sriov_numvfs_store().

Reserved 2024-10-21 | Published 2024-11-19 | Updated 2024-11-19 | Assigner Linux

Product status

Default status
unaffected

b06ad258e013 before a0df055775f3
affected

c4b64011e458 before 7ae4e56de7db
affected

d36b15e3e7b5 before 590a4b2d4e0b
affected

0dd8a25f355b before e36482b222e0
affected

0dd8a25f355b before 76b155e14d9b
affected

0dd8a25f355b before 719edd9f3372
affected

0dd8a25f355b before b5c94e4d947d
affected

0dd8a25f355b before df3dff8ab6d7
affected

Default status
affected

5.15
affected

Any version before 5.15
unaffected

4.19.324
unaffected

5.4.286
unaffected

5.10.230
unaffected

5.15.172
unaffected

6.1.117
unaffected

6.6.61
unaffected

6.11.8
unaffected

6.12
unaffected

References

git.kernel.org/...c/a0df055775f30850c0da8f7dab40d67c0fd63908

git.kernel.org/...c/7ae4e56de7dbd0999578246a536cf52a63f4056d

git.kernel.org/...c/590a4b2d4e0b73586e88bce9b8135b593355ec09

git.kernel.org/...c/e36482b222e00cc7aeeea772fc0cf2943590bc4d

git.kernel.org/...c/76b155e14d9b182ce83d32ada2d0d7219ea8c8dd

git.kernel.org/...c/719edd9f3372ce7fb3b157647c6658672946874b

git.kernel.org/...c/b5c94e4d947d15d521e935ff10c5a22a7883dea5

git.kernel.org/...c/df3dff8ab6d79edc942464999d06fbaedf8cdd18

cve.org (CVE-2024-50296)

nvd.nist.gov (CVE-2024-50296)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-50296

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.