CVE-2024-26802

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
04/04/2024
Last modified:
03/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

stmmac: Clear variable when destroying workqueue

Currently when suspending driver and stopping workqueue it is checked whether
workqueue is not NULL and if so, it is destroyed.
Function destroy_workqueue() does drain queue and does clear variable, but
it does not set workqueue variable to NULL. This can cause kernel/module
panic if code attempts to clear workqueue that was not initialized.

This scenario is possible when resuming suspended driver in stmmac_resume(),
because there is no handling for failed stmmac_hw_setup(),
which can fail and return if DMA engine has failed to initialize,
and workqueue is initialized after DMA engine.
Should DMA engine fail to initialize, resume will proceed normally,
but interface won't work and TX queue will eventually timeout,
causing 'Reset adapter' error.
This then does destroy workqueue during reset process.
And since workqueue is initialized after DMA engine and can be skipped,
it will cause kernel/module panic.

To secure against this possible crash, set workqueue variable to NULL when
destroying workqueue.

Log/backtrace from crash goes as follows:
[88.031977]------------[ cut here ]------------
[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out
[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398

[88.032251]---[ end trace e70de432e4d5c2c0 ]---
[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.
[88.036359]------------[ cut here ]------------
[88.036519]Call trace:
[88.036523] flush_workqueue+0x3e4/0x430
[88.036528] drain_workqueue+0xc4/0x160
[88.036533] destroy_workqueue+0x40/0x270
[88.036537] stmmac_fpe_stop_wq+0x4c/0x70
[88.036541] stmmac_release+0x278/0x280
[88.036546] __dev_close_many+0xcc/0x158
[88.036551] dev_close_many+0xbc/0x190
[88.036555] dev_close.part.0+0x70/0xc0
[88.036560] dev_close+0x24/0x30
[88.036564] stmmac_service_task+0x110/0x140
[88.036569] process_one_work+0x1d8/0x4a0
[88.036573] worker_thread+0x54/0x408
[88.036578] kthread+0x164/0x170
[88.036583] ret_from_fork+0x10/0x20
[88.036588]---[ end trace e70de432e4d5c2c1 ]---
[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
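The stale-pointer pattern described above, as an added userspace model that is not the kernel's code or the upstream patch. All `model_*`, `stop_wq_*` and `run_sequence` names are hypothetical, and an "invalid destroy" counter stands in for the kernel panic.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-ins for the driver's workqueue and private data (hypothetical names). */
struct model_wq { bool alive; };
struct model_priv { struct model_wq *wq; };

static struct model_wq wq_slot;   /* static storage, so a stale pointer stays inspectable */
static int invalid_destroys;      /* each increment models the panic in the backtrace */

static struct model_wq *model_create_wq(void) { wq_slot.alive = true; return &wq_slot; }

static void model_destroy_wq(struct model_wq *wq)
{
    if (!wq->alive) { invalid_destroys++; return; }   /* queue was already torn down */
    wq->alive = false;
}

/* Before the fix: the NULL check passes on a pointer to an already destroyed queue. */
static void stop_wq_before(struct model_priv *p)
{
    if (p->wq)
        model_destroy_wq(p->wq);
}

/* After the fix: the pointer is cleared, so a later stop is a no-op. */
static void stop_wq_after(struct model_priv *p)
{
    if (p->wq) {
        model_destroy_wq(p->wq);
        p->wq = NULL;
    }
}

/* Sequence from the description: open, suspend, resume (queue is recreated only
 * if hardware setup succeeds), then release during the adapter reset. */
static int run_sequence(void (*stop_wq)(struct model_priv *), bool hw_setup_ok)
{
    struct model_priv p = { .wq = NULL };
    invalid_destroys = 0;
    p.wq = model_create_wq();       /* open */
    stop_wq(&p);                    /* suspend */
    if (hw_setup_ok)
        p.wq = model_create_wq();   /* resume succeeded */
    stop_wq(&p);                    /* release (reset adapter path) */
    return invalid_destroys;
}

int main(void)
{
    printf("failed resume: before fix %d, after fix %d invalid destroys\n",
           run_sequence(stop_wq_before, false), run_sequence(stop_wq_after, false));
    return 0;
}
```
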

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.13 (including) | 5.15.151 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.81 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.21 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:* | | |