{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mlxbf_gige: call request_irq() after NAPI initialized",
    "id" : "2281647",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281647"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmlxbf_gige: call request_irq() after NAPI initialized\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled.  The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as\nthe \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\nduring its open(), something like:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\nESR = 0x0000000086000004\nEC = 0x21: IABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n[0000000000000000] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000086000004 [#1] SMP\nCPU: 0 PID: 812 Comm: NetworkManager Tainted: G           OE     5.15.0-1035-bluefield #37-Ubuntu\nHardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\npstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : 0x0\nlr : __napi_poll+0x40/0x230\nsp : ffff800008003e00\nx29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\nx26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\nx23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\nx20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\nx17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\nx14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\nx8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\nx5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\nCall trace:\n0x0\nnet_rx_action+0x178/0x360\n__do_softirq+0x15c/0x428\n__irq_exit_rcu+0xac/0xec\nirq_exit+0x18/0x2c\nhandle_domain_irq+0x6c/0xa0\ngic_handle_irq+0xec/0x1b0\ncall_on_irq_stack+0x20/0x2c\ndo_interrupt_handler+0x5c/0x70\nel1_interrupt+0x30/0x50\nel1h_64_irq_handler+0x18/0x2c\nel1h_64_irq+0x7c/0x80\n__setup_irq+0x4c0/0x950\nrequest_threaded_irq+0xf4/0x1bc\nmlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\nmlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n__dev_open+0x100/0x220\n__dev_change_flags+0x16c/0x1f0\ndev_change_flags+0x2c/0x70\ndo_setlink+0x220/0xa40\n__rtnl_newlink+0x56c/0x8a0\nrtnl_newlink+0x58/0x84\nrtnetlink_rcv_msg+0x138/0x3c4\nnetlink_rcv_skb+0x64/0x130\nrtnetlink_rcv+0x20/0x30\nnetlink_unicast+0x2ec/0x360\nnetlink_sendmsg+0x278/0x490\n__sock_sendmsg+0x5c/0x6c\n____sys_sendmsg+0x290/0x2d4\n___sys_sendmsg+0x84/0xd0\n__sys_sendmsg+0x70/0xd0\n__arm64_sys_sendmsg+0x2c/0x40\ninvoke_syscall+0x78/0x100\nel0_svc_common.constprop.0+0x54/0x184\ndo_el0_svc+0x30/0xac\nel0_svc+0x48/0x160\nel0t_64_sync_handler+0xa4/0x12c\nel0t_64_sync+0x1a4/0x1a8\nCode: bad PC value\n---[ end trace 7d1c3f3bf9d81885 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x2870a7a00000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x0,000005c1,a3332a5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes.  Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---", "CVE-2024-35907 is a vulnerability in the Linux kernel's mlxbf_gige driver, which supports Mellanox BlueField devices. The issue occurs during kdump operations when a receive (RX) interrupt is triggered before the driver fully initializes. This leads to a race condition that can result in a NULL pointer dereference, causing the system to crash.\nA pending RX interrupt before the driver requests the IRQ can lead to an improper sequence of operations, resulting in the crash.\nThis flaw affects system stability during kdump operations, potentially causing kernel panics." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-07-31T00:00:00Z",
    "advisory" : "RHSA-2024:4928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.28.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-07-31T00:00:00Z",
    "advisory" : "RHSA-2024:4928",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.28.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-14T00:00:00Z",
    "advisory" : "RHSA-2024:5364",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.79.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-14T00:00:00Z",
    "advisory" : "RHSA-2024:5365",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.79.1.rt14.364.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35907\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35907\nhttps://lore.kernel.org/linux-cve-announce/2024051954-CVE-2024-35907-32f9@gregkh/T" ],
  "name" : "CVE-2024-35907",
  "csaw" : false
}