CVE-2024-50146
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't call cleanup on profile rollback failure When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case. This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in _mlx5e_remove. [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? page_fault_oops+0x150/0x400 [ 745.555307] ? exc_page_fault+0x79/0x240 [ 745.555729] ? asm_exc_page_fault+0x22/0x30 [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] [ 745.556698] auxiliary_bus_remove+0x18/0x30 [ 745.557134] device_release_driver_internal+0x1df/0x240 [ 745.557654] bus_remove_device+0xd7/0x140 [ 745.558075] device_del+0x15b/0x3c0 [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core] [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] [ 745.560694] pci_device_remove+0x39/0xa0 [ 745.561112] device_release_driver_internal+0x1df/0x240 [ 745.561631] driver_detach+0x47/0x90 [ 745.562022] bus_remove_driver+0x84/0x100 [ 745.562444] pci_unregister_driver+0x3b/0x90 [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 [ 745.563886] ? kmem_cache_free+0x1b0/0x460 [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 [ 745.564825] do_syscall_64+0x6d/0x140 [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b
Impacted products
Vendor Product Version
Linux Linux Version: 5.12
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3955b77494c3c7d14873b1db67e7e00c46a714db",
              "status": "affected",
              "version": "3ef14e463f6ed0218710f56b97e1a7d0448784d2",
              "versionType": "git"
            },
            {
              "lessThan": "4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0",
              "status": "affected",
              "version": "3ef14e463f6ed0218710f56b97e1a7d0448784d2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don\u0027t call cleanup on profile rollback failure\n\nWhen profile rollback fails in mlx5e_netdev_change_profile, the netdev\nprofile var is left set to NULL. Avoid a crash when unloading the driver\nby not calling profile-\u003ecleanup in such a case.\n\nThis was encountered while testing, with the original trigger that\nthe wq rescuer thread creation got interrupted (presumably due to\nCtrl+C-ing modprobe), which gets converted to ENOMEM (-12) by\nmlx5e_priv_init, the profile rollback also fails for the same reason\n(signal still active) so the profile is left as NULL, leading to a crash\nlater in _mlx5e_remove.\n\n [  732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)\n [  734.525513] workqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\n [  734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12\n [  734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12\n [  734.560153] workqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\n [  734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12\n [  734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n [  745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008\n [  745.538222] #PF: supervisor read access in kernel mode\n\u003csnipped\u003e\n [  745.551290] Call Trace:\n [  745.551590]  \u003cTASK\u003e\n [  745.551866]  ? __die+0x20/0x60\n [  745.552218]  ? page_fault_oops+0x150/0x400\n [  745.555307]  ? exc_page_fault+0x79/0x240\n [  745.555729]  ? asm_exc_page_fault+0x22/0x30\n [  745.556166]  ? mlx5e_remove+0x6b/0xb0 [mlx5_core]\n [  745.556698]  auxiliary_bus_remove+0x18/0x30\n [  745.557134]  device_release_driver_internal+0x1df/0x240\n [  745.557654]  bus_remove_device+0xd7/0x140\n [  745.558075]  device_del+0x15b/0x3c0\n [  745.558456]  mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]\n [  745.559112]  mlx5_unregister_device+0x34/0x50 [mlx5_core]\n [  745.559686]  mlx5_uninit_one+0x46/0xf0 [mlx5_core]\n [  745.560203]  remove_one+0x4e/0xd0 [mlx5_core]\n [  745.560694]  pci_device_remove+0x39/0xa0\n [  745.561112]  device_release_driver_internal+0x1df/0x240\n [  745.561631]  driver_detach+0x47/0x90\n [  745.562022]  bus_remove_driver+0x84/0x100\n [  745.562444]  pci_unregister_driver+0x3b/0x90\n [  745.562890]  mlx5_cleanup+0xc/0x1b [mlx5_core]\n [  745.563415]  __x64_sys_delete_module+0x14d/0x2f0\n [  745.563886]  ? kmem_cache_free+0x1b0/0x460\n [  745.564313]  ? lockdep_hardirqs_on_prepare+0xe2/0x190\n [  745.564825]  do_syscall_64+0x6d/0x140\n [  745.565223]  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n [  745.565725] RIP: 0033:0x7f1579b1288b"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:34:07.200Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3955b77494c3c7d14873b1db67e7e00c46a714db"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0"
        }
      ],
      "title": "net/mlx5e: Don\u0027t call cleanup on profile rollback failure",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50146",
    "datePublished": "2024-11-07T09:31:23.123Z",
    "dateReserved": "2024-10-21T19:36:19.956Z",
    "dateUpdated": "2024-12-19T09:34:07.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50146\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-07T10:15:06.443\",\"lastModified\":\"2024-11-18T21:17:20.177\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Don\u0027t call cleanup on profile rollback failure\\n\\nWhen profile rollback fails in mlx5e_netdev_change_profile, the netdev\\nprofile var is left set to NULL. Avoid a crash when unloading the driver\\nby not calling profile-\u003ecleanup in such a case.\\n\\nThis was encountered while testing, with the original trigger that\\nthe wq rescuer thread creation got interrupted (presumably due to\\nCtrl+C-ing modprobe), which gets converted to ENOMEM (-12) by\\nmlx5e_priv_init, the profile rollback also fails for the same reason\\n(signal still active) so the profile is left as NULL, leading to a crash\\nlater in _mlx5e_remove.\\n\\n [  732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)\\n [  734.525513] workqueue: Failed to create a rescuer kthread for wq \\\"mlx5e\\\": -EINTR\\n [  734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12\\n [  734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12\\n [  734.560153] workqueue: Failed to create a rescuer kthread for wq \\\"mlx5e\\\": -EINTR\\n [  734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12\\n [  734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\\n [  745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008\\n [  745.538222] #PF: supervisor read access in kernel mode\\n\u003csnipped\u003e\\n [  745.551290] Call Trace:\\n [  745.551590]  \u003cTASK\u003e\\n [  745.551866]  ? __die+0x20/0x60\\n [  745.552218]  ? page_fault_oops+0x150/0x400\\n [  745.555307]  ? exc_page_fault+0x79/0x240\\n [  745.555729]  ? asm_exc_page_fault+0x22/0x30\\n [  745.556166]  ? mlx5e_remove+0x6b/0xb0 [mlx5_core]\\n [  745.556698]  auxiliary_bus_remove+0x18/0x30\\n [  745.557134]  device_release_driver_internal+0x1df/0x240\\n [  745.557654]  bus_remove_device+0xd7/0x140\\n [  745.558075]  device_del+0x15b/0x3c0\\n [  745.558456]  mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]\\n [  745.559112]  mlx5_unregister_device+0x34/0x50 [mlx5_core]\\n [  745.559686]  mlx5_uninit_one+0x46/0xf0 [mlx5_core]\\n [  745.560203]  remove_one+0x4e/0xd0 [mlx5_core]\\n [  745.560694]  pci_device_remove+0x39/0xa0\\n [  745.561112]  device_release_driver_internal+0x1df/0x240\\n [  745.561631]  driver_detach+0x47/0x90\\n [  745.562022]  bus_remove_driver+0x84/0x100\\n [  745.562444]  pci_unregister_driver+0x3b/0x90\\n [  745.562890]  mlx5_cleanup+0xc/0x1b [mlx5_core]\\n [  745.563415]  __x64_sys_delete_module+0x14d/0x2f0\\n [  745.563886]  ? kmem_cache_free+0x1b0/0x460\\n [  745.564313]  ? lockdep_hardirqs_on_prepare+0xe2/0x190\\n [  745.564825]  do_syscall_64+0x6d/0x140\\n [  745.565223]  entry_SYSCALL_64_after_hwframe+0x4b/0x53\\n [  745.565725] RIP: 0033:0x7f1579b1288b\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: No llamar a cleanup en caso de fallo en la reversi\u00f3n del perfil Cuando la reversi\u00f3n del perfil falla en mlx5e_netdev_change_profile, la variable de perfil netdev se deja establecida en NULL. Evite un bloqueo al descargar el controlador al no llamar a profile-\u0026gt;cleanup en tal caso. Esto se encontr\u00f3 durante la prueba, con el disparador original de que la creaci\u00f3n del hilo wq rescuer se interrumpi\u00f3 (presumiblemente debido a Ctrl+C-ing modprobe), que se convierte a ENOMEM (-12) por mlx5e_priv_init, la reversi\u00f3n del perfil tambi\u00e9n falla por la misma raz\u00f3n (la se\u00f1al sigue activa) por lo que el perfil se deja como NULL, lo que lleva a un bloqueo m\u00e1s adelante en _mlx5e_remove. [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Descargar vfs: modo(OFFLOADS), nvfs(2), necvfs(0), vports(2) activos [ 734.525513] cola de trabajo: Error al crear un kthread de rescate para wq \\\"mlx5e\\\": -EINTR [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init fall\u00f3, err=-12 [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: nuevo Error en la inicializaci\u00f3n del perfil, -12 [734.560153] workqueue: Error al crear un kthread de rescate para wq \\\"mlx5e\\\": -EINTR [734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init fall\u00f3, err=-12 [734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: error al revertir al perfil original, -12 [745.537492] ERROR: desreferencia de puntero NULL del n\u00facleo, direcci\u00f3n: 0000000000000008 [745.538222] #PF: acceso de lectura del supervisor en modo kernel  [ 745.551290] Seguimiento de llamadas: [ 745.551590]  [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? page_fault_oops+0x150/0x400 [ 745.555307] ? exc_page_fault+0x79/0x240 [ 745.555729] ? asm_exc_page_fault+0x22/0x30 [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] [ 745.556698] bus_auxiliar_eliminar+0x18/0x30 [ 745.557134] dispositivo_liberaci\u00f3n_controlador_interno+0x1df/0x240 [ 745.557654] bus_eliminar_dispositivo+0xd7/0x140 [ 745.558075] dispositivo_del+0x15b/0x3c0 [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] [ 745.559112] mlx5_anular_registro_dispositivo+0x34/0x50 [mlx5_core] [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] [ 745.560694] pci_device_remove+0x39/0xa0 [ 745.561112] device_release_driver_internal+0x1df/0x240 [ 745.561631] driver_detach+0x47/0x90 [ 745.562022] bus_remove_driver+0x84/0x100 [ 745.562444] pci_unregister_driver+0x3b/0x90 [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 [ 745.563886] ? kmem_cache_free+0x1b0/0x460 [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 [ 745.564825] hacer_syscall_64+0x6d/0x140 [ 745.565223] entrada_SYSCALL_64_after_hwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.12\",\"versionEndExcluding\":\"6.11.6\",\"matchCriteriaId\":\"57E1EEE2-5A95-4D82-A91E-E2EB6C4FAE46\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3955b77494c3c7d14873b1db67e7e00c46a714db\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.