CVE-2024-50296

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50296
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50296.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50296
Published
2024-11-19T01:30:43.318Z
Modified
2025-11-28T02:35:31.956823Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
net: hns3: fix kernel crash when uninstalling driver
Details

In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix kernel crash when uninstalling driver

When the driver is uninstalled and the VF is disabled concurrently, a kernel crash occurs. The reason is that the two actions call function pci_disable_sriov(). The num_VFs is checked to determine whether to release the corresponding resources. During the second calling, num_VFs is not 0 and the resource release function is called. However, the corresponding resource has been released during the first invoking. Therefore, the problem occurs:

[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
[15278.131557][T50670] Call trace:
[15278.134686][T50670]  klist_put+0x28/0x12c
[15278.138682][T50670]  klist_del+0x14/0x20
[15278.142592][T50670]  device_del+0xbc/0x3c0
[15278.146676][T50670]  pci_remove_bus_device+0x84/0x120
[15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80
[15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c
[15278.162485][T50670]  sriov_disable+0x50/0x11c
[15278.166829][T50670]  pci_disable_sriov+0x24/0x30
[15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
[15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]
[15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230
[15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30
[15278.193848][T50670]  invoke_syscall+0x50/0x11c
[15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164
[15278.203837][T50670]  do_el0_svc+0x34/0xcc
[15278.207834][T50670]  el0_svc+0x20/0x30

For details, see the following figure.

     rmmod hclge              disable VFs
----------------------------------------------------
hclge_exit()            sriov_numvfs_store()
  ...                     device_lock()
  pci_disable_sriov()     hns3_pci_sriov_configure()
                            pci_disable_sriov()
    sriov_disable()           sriov_disable()
      if !num_VFs :             if !num_VFs :
        return;                   return;
      sriov_del_vfs()           sriov_del_vfs()
        ...                       ...
        klist_put()               klist_put()
        ...                       ...
      num_VFs = 0;              num_VFs = 0;
                          device_unlock();

In this patch, when driver is removing, we get the device_lock() to protect num_VFs, just like sriov_numvfs_store().
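
The interleaving in the figure above can be checked exhaustively with a small user-space model. This is an added example, not code from the kernel or from the hns3 patch; `pf_state`, `step()` and `count_bad_schedules()` are hypothetical names, and the three-step view of sriov_disable() (check num_VFs, delete the VFs, clear num_VFs) is a simplification taken from the figure.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model (assumed names) of the PF state that sriov_disable() touches. */
struct pf_state { int num_vfs; bool vfs_present; int double_release; };

/* Advance one caller by one step of sriov_disable(); pc 3 means returned. */
static void step(struct pf_state *pf, int *pc)
{
    if (*pc == 0) {                 /* if (!num_VFs) return; */
        *pc = pf->num_vfs ? 1 : 3;
    } else if (*pc == 1) {          /* sriov_del_vfs() ... klist_put() */
        if (!pf->vfs_present)       /* VFs already removed: the reported crash */
            pf->double_release++;
        pf->vfs_present = false;
        *pc = 2;
    } else if (*pc == 2) {          /* num_VFs = 0; */
        pf->num_vfs = 0;
        *pc = 3;
    }
}

/* Try all 2^6 schedules of two callers; count those that release twice. */
int count_bad_schedules(bool hold_device_lock)
{
    int bad = 0;
    for (unsigned sched = 0; sched < 64; sched++) {
        struct pf_state pf = { .num_vfs = 2, .vfs_present = true };
        int pc[2] = { 0, 0 }, owner = -1;
        for (int slot = 0; slot < 6; slot++) {
            int k = (sched >> slot) & 1;    /* caller picked for this slot */
            if (hold_device_lock && owner >= 0)
                k = owner;          /* other caller blocks in device_lock() */
            else if (pc[k] == 3)
                k ^= 1;             /* picked caller already returned */
            owner = k;
            step(&pf, &pc[k]);
            if (pc[k] == 3)
                owner = -1;         /* device_unlock() */
        }
        bad += pf.double_release > 0;
    }
    return bad;
}

int main(void)
{
    printf("bad: unlocked=%d locked=%d\n", count_bad_schedules(false), count_bad_schedules(true));
    return 0;
}
```

Without the lock, any schedule in which both callers pass the num_VFs check before either clears it releases the VFs twice; with both paths serialized, the second caller always sees num_VFs == 0 and returns.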

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50296.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b06ad258e01389ca3ff13bc180f3fcd6a608f1cd
Fixed
a0df055775f30850c0da8f7dab40d67c0fd63908
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c4b64011e458aa2b246cd4e42012cfd83d2d9a5c
Fixed
7ae4e56de7dbd0999578246a536cf52a63f4056d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d36b15e3e7b5937cb1f6ac590a85facc3a320642
Fixed
590a4b2d4e0b73586e88bce9b8135b593355ec09
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0dd8a25f355b4df2d41c08df1716340854c7d4c5
Fixed
e36482b222e00cc7aeeea772fc0cf2943590bc4d
Fixed
76b155e14d9b182ce83d32ada2d0d7219ea8c8dd
Fixed
719edd9f3372ce7fb3b157647c6658672946874b
Fixed
b5c94e4d947d15d521e935ff10c5a22a7883dea5
Fixed
df3dff8ab6d79edc942464999d06fbaedf8cdd18
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9b5a29f0acefa3eb1dbe2fa302b393eeff64d933

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
4.19.324
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.286
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.230
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.172
Type
ECOSYSTEM
Events
Introduced
5.15.0
Fixed
6.1.117
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.6.61
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.11.8