CVE-2024-35934
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/05/2024
Last modified:
17/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()<br />
<br />
Many syzbot reports show extreme rtnl pressure, and many of them hint<br />
that smc acquires rtnl in netns creation for no good reason [1]<br />
<br />
This patch returns early from smc_pnet_net_init()<br />
if there is no netdevice yet.<br />
<br />
I am not even sure why smc_pnet_create_pnetids_list() even exists,<br />
because smc_pnet_netdev_event() is also calling<br />
smc_pnet_add_base_pnetid() when handling NETDEV_UP event.<br />
<br />
[1] extract of typical syzbot reports<br />
<br />
2 locks held by syz-executor.3/12252:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878<br />
2 locks held by syz-executor.4/12253:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878<br />
2 locks held by syz-executor.1/12257:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878<br />
2 locks held by syz-executor.2/12261:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878<br />
2 locks held by syz-executor.0/12265:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878<br />
2 locks held by syz-executor.3/12268:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878<br />
2 locks held by syz-executor.4/12271:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878<br />
2 locks held by syz-executor.1/12274:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878<br />
2 locks held by syz-executor.2/12280:<br />
#0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]<br />
#1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.215 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.155 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.6 (excluding) |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0
- https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7
- https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec
- https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4
- https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2
- https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23
- https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0
- https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7
- https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec
- https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4
- https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2
- https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html