CVE-2024-50296

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50296
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50296.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50296
Published
2024-11-19T02:16:31Z
Modified
2025-08-09T20:01:26Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix kernel crash when uninstalling driver

When the driver is uninstalled and the VF is disabled concurrently, a kernel crash occurs. The reason is that the two actions call function pci_disable_sriov(). The num_VFs is checked to determine whether to release the corresponding resources. During the second calling, num_VFs is not 0 and the resource release function is called. However, the corresponding resource has been released during the first invoking. Therefore, the problem occurs:

[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
[15278.131557][T50670] Call trace:
[15278.134686][T50670]  klist_put+0x28/0x12c
[15278.138682][T50670]  klist_del+0x14/0x20
[15278.142592][T50670]  device_del+0xbc/0x3c0
[15278.146676][T50670]  pci_remove_bus_device+0x84/0x120
[15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80
[15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c
[15278.162485][T50670]  sriov_disable+0x50/0x11c
[15278.166829][T50670]  pci_disable_sriov+0x24/0x30
[15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
[15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]
[15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230
[15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30
[15278.193848][T50670]  invoke_syscall+0x50/0x11c
[15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164
[15278.203837][T50670]  do_el0_svc+0x34/0xcc
[15278.207834][T50670]  el0_svc+0x20/0x30

For details, see the following figure.

     rmmod hclge                disable VFs

hclge_exit()                sriov_numvfs_store()
    ...                       device_lock()
    pci_disable_sriov()       hns3_pci_sriov_configure()
                                pci_disable_sriov()
      sriov_disable()             sriov_disable()
        if !num_VFs :               if !num_VFs :
          return;                     return;
        sriov_del_vfs()             sriov_del_vfs()
          ...                         ...
          klist_put()                 klist_put()
          ...                         ...
        num_VFs = 0;                num_VFs = 0;
                              device_unlock();

In this patch, when driver is removing, we get the device_lock() to protect num_VFs, just like sriov_numvfs_store().
