CVE-2024-40906
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
12/07/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Always stop health timer during driver removal

Currently, if teardown_hca fails to execute during driver removal, mlx5
does not stop the health timer. Afterwards, mlx5 continues with driver
teardown. This may lead to a UAF bug, which results in page fault
Oops[1], since the health timer invokes after resources were freed.

Hence, stop the health monitor even if teardown_hca fails.

[1]
mlx5_core 0000:18:00.0: E-Switch: Unload vfs: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:18:00.0: E-Switch: cleanup
mlx5_core 0000:18:00.0: wait_func:1155:(pid 1967079): TEARDOWN_HCA(0x103) timeout. Will cause a leak of a command resource
mlx5_core 0000:18:00.0: mlx5_function_close:1288:(pid 1967079): tear_down_hca failed, skip cleanup
BUG: unable to handle page fault for address: ffffa26487064230
PGD 100c00067 P4D 100c00067 PUD 100e5a067 PMD 105ed7067 PTE 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ------- --- 6.7.0-68.fc38.x86_64 #1
Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0013.121520200651 12/15/2020
RIP: 0010:ioread32be+0x34/0x60
RSP: 0018:ffffa26480003e58 EFLAGS: 00010292
RAX: ffffa26487064200 RBX: ffff9042d08161a0 RCX: ffff904c108222c0
RDX: 000000010bbf1b80 RSI: ffffffffc055ddb0 RDI: ffffa26487064230
RBP: ffff9042d08161a0 R08: 0000000000000022 R09: ffff904c108222e8
R10: 0000000000000004 R11: 0000000000000441 R12: ffffffffc055ddb0
R13: ffffa26487064200 R14: ffffa26480003f00 R15: ffff904c108222c0
FS: 0000000000000000(0000) GS:ffff904c10800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa26487064230 CR3: 00000002c4420006 CR4: 00000000007706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:

? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? exc_page_fault+0x175/0x180
? asm_exc_page_fault+0x26/0x30
? __pfx_poll_health+0x10/0x10 [mlx5_core]
? __pfx_poll_health+0x10/0x10 [mlx5_core]
? ioread32be+0x34/0x60
mlx5_health_check_fatal_sensors+0x20/0x100 [mlx5_core]
? __pfx_poll_health+0x10/0x10 [mlx5_core]
poll_health+0x42/0x230 [mlx5_core]
? __next_timer_interrupt+0xbc/0x110
? __pfx_poll_health+0x10/0x10 [mlx5_core]
call_timer_fn+0x21/0x130
? __pfx_poll_health+0x10/0x10 [mlx5_core]
__run_timers+0x222/0x2c0
run_timer_softirq+0x1d/0x40
__do_softirq+0xc9/0x2c8
__irq_exit_rcu+0xa6/0xc0
sysvec_apic_timer_interrupt+0x72/0x90


asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:cpuidle_enter_state+0xcc/0x440
? cpuidle_enter_state+0xbd/0x440
cpuidle_enter+0x2d/0x40
do_idle+0x20d/0x270
cpu_startup_entry+0x2a/0x30
rest_init+0xd0/0xd0
arch_call_rest_init+0xe/0x30
start_kernel+0x709/0xa90
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0x96/0xa0
secondary_startup_64_no_verify+0x18f/0x19b
---[ end trace 0000000000000000 ]---
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.95 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.35 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/6ccada6ffb42e0ac75e3db06d41baf5a7f483f8a
- https://git.kernel.org/stable/c/c8b3f38d2dae0397944814d691a419c451f9906f
- https://git.kernel.org/stable/c/e6777ae0bf6fd5bc626bb051c8c93e3c8198a3f8
- https://git.kernel.org/stable/c/e7d4485d47839f4d1284592ae242c4e65b2810a9
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html