CVE-2024-39502

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ionic: fix use after netif_napi_del()<br /> <br /> When queues are started, netif_napi_add() and napi_enable() are called.<br /> If there are 4 queues and only 3 queues are used for the current<br /> configuration, only 3 queues&amp;#39; napi should be registered and enabled.<br /> The ionic_qcq_enable() checks whether the .poll pointer is not NULL for<br /> enabling only the using queue&amp;#39; napi. Unused queues&amp;#39; napi will not be<br /> registered by netif_napi_add(), so the .poll pointer indicates NULL.<br /> But it couldn&amp;#39;t distinguish whether the napi was unregistered or not<br /> because netif_napi_del() doesn&amp;#39;t reset the .poll pointer to NULL.<br /> So, ionic_qcq_enable() calls napi_enable() for the queue, which was<br /> unregistered by netif_napi_del().<br /> <br /> Reproducer:<br /> ethtool -L rx 1 tx 1 combined 0<br /> ethtool -L rx 0 tx 0 combined 1<br /> ethtool -L rx 0 tx 0 combined 4<br /> <br /> Splat looks like:<br /> kernel BUG at net/core/dev.c:6666!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16<br /> Workqueue: events ionic_lif_deferred_work [ionic]<br /> RIP: 0010:napi_enable+0x3b/0x40<br /> Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f<br /> RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029<br /> RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28<br /> RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001<br /> R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000<br /> R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20<br /> FS: 0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? die+0x33/0x90<br /> ? do_trap+0xd9/0x100<br /> ? napi_enable+0x3b/0x40<br /> ? do_error_trap+0x83/0xb0<br /> ? napi_enable+0x3b/0x40<br /> ? napi_enable+0x3b/0x40<br /> ? exc_invalid_op+0x4e/0x70<br /> ? napi_enable+0x3b/0x40<br /> ? asm_exc_invalid_op+0x16/0x20<br /> ? napi_enable+0x3b/0x40<br /> ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]<br /> ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]<br /> ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]<br /> ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]<br /> process_one_work+0x145/0x360<br /> worker_thread+0x2bb/0x3d0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0xcc/0x100<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x2d/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30