CVE-2024-27014

CVE Details

Release Date: 2024-05-01
Impact: Moderate

Description


In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Prevent deadlock while disabling aRFS

When disabling aRFS under the `priv->state_lock`, any scheduled aRFS works are canceled using the `cancel_work_sync` function, which waits for the work to end if it has already started. However, while waiting for the work handler, the handler will try to acquire the `state_lock` which is already acquired.

The worker acquires the lock to delete the rules if the state is down, which is not the worker's responsibility since disabling aRFS deletes the rules.

Add an aRFS state variable, which indicates whether the aRFS is enabled and prevent adding rules when the aRFS is disabled.

Kernel log:

    ======================================================
    WARNING: possible circular locking dependency detected
    6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I
    ------------------------------------------------------
    ethtool/386089 is trying to acquire lock:
    ffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0

    but task is already holding lock:
    ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]

    which lock already depends on the new lock.

    the existing dependency chain (in reverse order) is:

    -> #1 (&priv->state_lock){+.+.}-{3:3}:
           __mutex_lock+0x80/0xc90
           arfs_handle_work+0x4b/0x3b0 [mlx5_core]
           process_one_work+0x1dc/0x4a0
           worker_thread+0x1bf/0x3c0
           kthread+0xd7/0x100
           ret_from_fork+0x2d/0x50
           ret_from_fork_asm+0x11/0x20

    -> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:
           __lock_acquire+0x17b4/0x2c80
           lock_acquire+0xd0/0x2b0
           __flush_work+0x7a/0x4e0
           __cancel_work_timer+0x131/0x1c0
           arfs_del_rules+0x143/0x1e0 [mlx5_core]
           mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]
           mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]
           ethnl_set_channels+0x28f/0x3b0
           ethnl_default_set_doit+0xec/0x240
           genl_family_rcv_msg_doit+0xd0/0x120
           genl_rcv_msg+0x188/0x2c0
           netlink_rcv_skb+0x54/0x100
           genl_rcv+0x24/0x40
           netlink_unicast+0x1a1/0x270
           netlink_sendmsg+0x214/0x460
           __sock_sendmsg+0x38/0x60
           __sys_sendto+0x113/0x170
           __x64_sys_sendto+0x20/0x30
           do_syscall_64+0x40/0xe0
           entry_SYSCALL_64_after_hwframe+0x46/0x4e

    other info that might help us debug this:

    Possible unsafe locking scenario:

           CPU0                    CPU1
           ----                    ----
      lock(&priv->state_lock);
                                   lock((work_completion)(&rule->arfs_work));
                                   lock(&priv->state_lock);
      lock((work_completion)(&rule->arfs_work));

     *** DEADLOCK ***

    3 locks held by ethtool/386089:
     #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40
     #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240
     #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]

    stack backtrace:
    CPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Call Trace:
     dump_stack_lvl+0x60/0xa0
     check_noncircular+0x144/0x160
     __lock_acquire+0x17b4/0x2c80
     lock_acquire+0xd0/0x2b0
     ? __flush_work+0x74/0x4e0
     ? save_trace+0x3e/0x360
     ? __flush_work+0x74/0x4e0
     __flush_work+0x7a/0x4e0
     ? __flush_work+0x74/0x4e0
     ? __lock_acquire+0xa78/0x2c80
     ? lock_acquire+0xd0/0x2b0
     ? mark_held_locks+0x49/0x70
     __cancel_work_timer+0x131/0x1c0
     ? mark_held_locks+0x49/0x70
     arfs_del_rules+0x143/0x1e0 [mlx5_core]
     mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]
     mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]
     ethnl_set_channels+0x28f/0x3b0
     ethnl_default_set_doit+0xec/0x240
     genl_family_rcv_msg_doit+0xd0/0x120
     genl_rcv_msg+0x188/0x2c0
     ? ethn

---truncated---
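A userspace model of the locking pattern the description explains, added here as an illustration and not taken from the kernel patch or the mlx5 driver. All names (`struct model`, `handle_work`, `disable_arfs`) are hypothetical; a pthread mutex stands in for `priv->state_lock` and `pthread_join` for `cancel_work_sync`.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; every name here is illustrative, not the driver's. */
struct model {
    pthread_mutex_t state_lock;  /* stands in for priv->state_lock */
    atomic_bool arfs_enabled;    /* the added aRFS state variable */
    bool fixed;                  /* which handler variant to run */
    bool would_deadlock;         /* handler needed the canceller's lock */
    int rules_added;             /* rules added after the disable */
};

static void *handle_work(void *arg)
{
    struct model *m = arg;
    if (m->fixed) {              /* fixed: read the flag, take no lock */
        if (atomic_load(&m->arfs_enabled))
            m->rules_added++;
        return NULL;
    }
    /* Buggy: a blocking lock here would wait forever on the canceller;
     * trylock lets the model report the condition instead of hanging. */
    if (pthread_mutex_trylock(&m->state_lock) != 0)
        m->would_deadlock = true;
    else
        pthread_mutex_unlock(&m->state_lock);
    return NULL;
}

/* Disable path: returns -1 if the handler would deadlock, otherwise the
 * number of rules the handler added after aRFS was disabled. */
static int disable_arfs(bool fixed)
{
    struct model m = { .state_lock = PTHREAD_MUTEX_INITIALIZER,
                       .arfs_enabled = true, .fixed = fixed };
    pthread_t work;
    pthread_mutex_lock(&m.state_lock);            /* held across the wait */
    atomic_store(&m.arfs_enabled, false);         /* refuse new rules */
    pthread_create(&work, NULL, handle_work, &m); /* work already started */
    pthread_join(work, NULL);                     /* synchronous cancel */
    pthread_mutex_unlock(&m.state_lock);
    return m.would_deadlock ? -1 : m.rules_added;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", disable_arfs(false), disable_arfs(true));
}
```

Build with `cc -pthread`; the buggy variant reports the handler contending for the lock its canceller holds, while the flag-based variant finishes without touching the lock and adds no rules.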

See more information about CVE-2024-27014 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 5.5
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Errata information


| Platform | Errata | Release Date |
|---|---|---|
| Oracle Linux version 8 (kernel) | ELSA-2024-3618 | 2024-06-05 |
| Oracle Linux version 9 (kernel) | ELSA-2024-9315 | 2024-11-14 |


This page is generated automatically and has not been checked for errors or omissions.