CVE-2024-39502

In the Linux kernel, the following vulnerability has been resolved:

ionic: fix use after netifnapidel()

When queues are started, netifnapiadd() and napienable() are called. If there are 4 queues and only 3 queues are used for the current configuration, only 3 queues' napi should be registered and enabled. The ionicqcqenable() checks whether the .poll pointer is not NULL for enabling only the using queue' napi. Unused queues' napi will not be registered by netifnapiadd(), so the .poll pointer indicates NULL. But it couldn't distinguish whether the napi was unregistered or not because netifnapidel() doesn't reset the .poll pointer to NULL. So, ionicqcqenable() calls napienable() for the queue, which was unregistered by netifnapidel().

Reproducer: ethtool -L <interface name> rx 1 tx 1 combined 0 ethtool -L <interface name> rx 0 tx 0 combined 1 ethtool -L <interface name> rx 0 tx 0 combined 4

Splat looks like: kernel BUG at net/core/dev.c:6666! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16 Workqueue: events ioniclifdeferredwork [ionic] RIP: 0010:napienable+0x3b/0x40 Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28 RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20 FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? die+0x33/0x90 ? dotrap+0xd9/0x100 ? napienable+0x3b/0x40 ? doerrortrap+0x83/0xb0 ? napienable+0x3b/0x40 ? napienable+0x3b/0x40 ? excinvalidop+0x4e/0x70 ? napienable+0x3b/0x40 ? asmexcinvalidop+0x16/0x20 ? napienable+0x3b/0x40 ionicqcqenable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ionicstartqueues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ioniclinkstatuscheck+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] ioniclifdeferredwork+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8] processonework+0x145/0x360 workerthread+0x2bb/0x3d0 ? _pfxworkerthread+0x10/0x10 kthread+0xcc/0x100 ? _pfxkthread+0x10/0x10 retfromfork+0x2d/0x50 ? _pfxkthread+0x10/0x10 retfromforkasm+0x1a/0x30