{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/mlx5: Always stop health timer during driver removal",
    "id" : "2297490",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2297490"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/mlx5: Always stop health timer during driver removal\nCurrently, if teardown_hca fails to execute during driver removal, mlx5\ndoes not stop the health timer. Afterwards, mlx5 continues with driver\nteardown. This may lead to a UAF bug, which results in page fault\nOops[1], since the health timer invokes after resources were freed.\nHence, stop the health monitor even if teardown_hca fails.\n[1]\nmlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\nmlx5_core 0000:18:00.0: E-Switch: cleanup\nmlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource\nmlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup\nBUG: unable to handle page fault for address: ffffa26487064230\nPGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 0 Comm: swapper/0 Tainted: G           OE     -------  ---  6.7.0-68.fc38.x86_64 #1\nHardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020\nRIP: 0010:ioread32be+0x34/0x60\nRSP: 0018:ffffa26480003e58 EFLAGS: 00010292\nRAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0\nRDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230\nRBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8\nR10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0\nR13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0\nFS:  0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n<IRQ>\n? __die+0x23/0x70\n? page_fault_oops+0x171/0x4e0\n? exc_page_fault+0x175/0x180\n? asm_exc_page_fault+0x26/0x30\n? __pfx_poll_health+0x10/0x10 [mlx5_core]\n? __pfx_poll_health+0x10/0x10 [mlx5_core]\n? ioread32be+0x34/0x60\nmlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]\n? __pfx_poll_health+0x10/0x10 [mlx5_core]\npoll_health+0x42/0x230 [mlx5_core]\n? __next_timer_interrupt+0xbc/0x110\n? __pfx_poll_health+0x10/0x10 [mlx5_core]\ncall_timer_fn+0x21/0x130\n? __pfx_poll_health+0x10/0x10 [mlx5_core]\n__run_timers+0x222/0x2c0\nrun_timer_softirq+0x1d/0x40\n__do_softirq+0xc9/0x2c8\n__irq_exit_rcu+0xa6/0xc0\nsysvec_apic_timer_interrupt+0x72/0x90\n</IRQ>\n<TASK>\nasm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:cpuidle_enter_state+0xcc/0x440\n? cpuidle_enter_state+0xbd/0x440\ncpuidle_enter+0x2d/0x40\ndo_idle+0x20d/0x270\ncpu_startup_entry+0x2a/0x30\nrest_init+0xd0/0xd0\narch_call_rest_init+0xe/0x30\nstart_kernel+0x709/0xa90\nx86_64_start_reservations+0x18/0x30\nx86_64_start_kernel+0x96/0xa0\nsecondary_startup_64_no_verify+0x18f/0x19b\n---[ end trace 0000000000000000 ]---", "A vulnerability was found in the Linux kernel's mlx5 driver. During driver removal, if the teardown_hca function fails, the health timer may continue running, leading to a use-after-free condition when the timer attempts to access freed resources." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-05-21T00:00:00Z",
    "advisory" : "RHSA-2025:8057",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.53.1.rt7.394.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-05-21T00:00:00Z",
    "advisory" : "RHSA-2025:8056",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.53.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40906\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40906\nhttps://lore.kernel.org/linux-cve-announce/2024071209-CVE-2024-40906-b9e3@gregkh/T" ],
  "name" : "CVE-2024-40906",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}