CVE-2024-41047

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix XDP program unloading while removing the driver

The commit 6533e558c650 ("i40e: Fix reset path while removing
the driver") introduced a new PF state "__I40E_IN_REMOVE" to block
modifying the XDP program while the driver is being removed.
Unfortunately, such a change is useful only if the ".ndo_bpf()"
callback was called out of the rmmod context because unloading the
existing XDP program is also a part of driver removing procedure.
In other words, from the rmmod context the driver is expected to
unload the XDP program without reporting any errors. Otherwise,
the kernel warning with callstack is printed out to dmesg.

Example failing scenario:
1. Load the i40e driver.
2. Load the XDP program.
3. Unload the i40e driver (using "rmmod" command).

The example kernel warning log:

    [ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870
    [...]
    [ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870
    [...]
    [ +0.002726] Call Trace:
    [ +0.002457]
    [ +0.002119] ? __warn+0x80/0x120
    [ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870
    [ +0.005586] ? report_bug+0x164/0x190
    [ +0.003678] ? handle_bug+0x3c/0x80
    [ +0.003503] ? exc_invalid_op+0x17/0x70
    [ +0.003846] ? asm_exc_invalid_op+0x1a/0x20
    [ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870
    [ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870
    [ +0.005586] unregister_netdevice_queue+0xf7/0x140
    [ +0.004806] unregister_netdev+0x1c/0x30
    [ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e]
    [ +0.004604] i40e_remove+0x1a1/0x420 [i40e]
    [ +0.004220] pci_device_remove+0x3f/0xb0
    [ +0.003943] device_release_driver_internal+0x19f/0x200
    [ +0.005243] driver_detach+0x48/0x90
    [ +0.003586] bus_remove_driver+0x6d/0xf0
    [ +0.003939] pci_unregister_driver+0x2e/0xb0
    [ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e]
    [ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310
    [ +0.005153] do_syscall_64+0x85/0x170
    [ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220
    [ +0.004886] ? do_syscall_64+0x95/0x170
    [ +0.003851] ? exc_page_fault+0x7e/0x180
    [ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79
    [ +0.005064] RIP: 0033:0x7f59dc9347cb
    [ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83
    c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f
    05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48
    [ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
    [ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb
    [ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748
    [ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000
    [ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000
    [ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000
    [ +0.007151]
    [ +0.002204] ---[ end trace 0000000000000000 ]---

Fix this by checking if the XDP program is being loaded or unloaded.
Then, block only loading a new program while "__I40E_IN_REMOVE" is set.
Also, move testing "__I40E_IN_REMOVE" flag to the beginning of XDP_SETUP
callback to avoid unnecessary operations and checks.
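
The gate logic described above, modelled in user-space C as an added example; it is not the i40e driver source or the upstream patch. The struct and function names and the -EINVAL return value are assumptions; only the "__I40E_IN_REMOVE" state and the load/unload distinction come from the description.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the driver's objects (not kernel types). */
struct bpf_prog_model { int id; };
struct pf_model {
    bool in_remove;                   /* models the "__I40E_IN_REMOVE" PF state */
    struct bpf_prog_model *xdp_prog;  /* attached XDP program, NULL if none */
};
typedef int (*xdp_setup_fn)(struct pf_model *, struct bpf_prog_model *);

/* Before the fix: every change is refused once removal has started,
 * including the unload (prog == NULL) that removal itself requires. */
static int xdp_setup_before(struct pf_model *pf, struct bpf_prog_model *prog)
{
    if (pf->in_remove)
        return -EINVAL;               /* assumed error code */
    pf->xdp_prog = prog;
    return 0;
}

/* After the fix: the flag is tested first, and only a load
 * (prog != NULL) is blocked while removal is in progress. */
static int xdp_setup_after(struct pf_model *pf, struct bpf_prog_model *prog)
{
    if (prog && pf->in_remove)
        return -EINVAL;
    pf->xdp_prog = prog;
    return 0;
}

/* Step 3 of the failing scenario: removal sets the flag, then asks the
 * driver to unload any attached program. A non-zero result here is the
 * condition under which the kernel prints the warning shown above. */
static int remove_driver(struct pf_model *pf, xdp_setup_fn setup)
{
    pf->in_remove = true;
    return pf->xdp_prog ? setup(pf, NULL) : 0;
}

int main(void)
{
    struct bpf_prog_model prog = { 1 };
    struct pf_model a = { false, NULL }, b = { false, NULL };
    xdp_setup_before(&a, &prog);      /* step 2: load the XDP program */
    xdp_setup_after(&b, &prog);
    printf("before fix: unload on remove -> %d\n", remove_driver(&a, xdp_setup_before));
    printf("after fix:  unload on remove -> %d\n", remove_driver(&b, xdp_setup_after));
    return 0;
}
```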

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.20 (including) | 5.15.163 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16.6 (including) | 5.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17.1 (including) | 6.1.100 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.41 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.17:-:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.17:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.17:rc7:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.17:rc8:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* | | |