CVE-2024-50296

Severity (CVSS v4.0): Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 19/11/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix kernel crash when uninstalling driver

When the driver is uninstalled and the VF is disabled concurrently, a
kernel crash occurs. The reason is that the two actions both call the
function pci_disable_sriov(). The num_VFs is checked to determine whether
to release the corresponding resources. During the second call, num_VFs
is not 0 and the resource release function is called. However, the
corresponding resource has already been released during the first
invocation. Therefore, the problem occurs:

[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
[15278.131557][T50670] Call trace:
[15278.134686][T50670]  klist_put+0x28/0x12c
[15278.138682][T50670]  klist_del+0x14/0x20
[15278.142592][T50670]  device_del+0xbc/0x3c0
[15278.146676][T50670]  pci_remove_bus_device+0x84/0x120
[15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80
[15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c
[15278.162485][T50670]  sriov_disable+0x50/0x11c
[15278.166829][T50670]  pci_disable_sriov+0x24/0x30
[15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
[15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]
[15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230
[15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30
[15278.193848][T50670]  invoke_syscall+0x50/0x11c
[15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164
[15278.203837][T50670]  do_el0_svc+0x34/0xcc
[15278.207834][T50670]  el0_svc+0x20/0x30

For details, see the following figure.

    rmmod hclge                      disable VFs
    ----------------------------------------------------
    hclge_exit()                     sriov_numvfs_store()
    ...                              device_lock()
    pci_disable_sriov()              hns3_pci_sriov_configure()
                                     pci_disable_sriov()
                                     sriov_disable()
    sriov_disable()                  if !num_VFs :
    if !num_VFs :                    return;
    return;                          sriov_del_vfs()
    sriov_del_vfs()                  ...
    ...                              klist_put()
    klist_put()                      ...
    ...                              num_VFs = 0;
    num_VFs = 0;                     device_unlock();

In this patch, when the driver is being removed, we get the device_lock()
to protect num_VFs, just like sriov_numvfs_store().
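The race above is a check-then-act on num_VFs where only one of the two callers holds device_lock(). The following is an added example, not code from the kernel or from the hns3 driver: it models each path through sriov_disable() as a short sequence of abstract steps (LOCK, CHECK, DEL, ZERO, UNLOCK are names chosen here), enumerates every interleaving of the rmmod path against the sysfs "disable VFs" path, and reports the worst-case number of sriov_del_vfs() calls on the same device. With the rmmod path unlocked, some schedule releases the VFs twice, which is the condition that drives klist_put() onto already-removed devices; with device_lock() taken on both sides, every schedule releases exactly once. The function name max_releases() and the five-step reduction of sriov_disable() are assumptions of this model.

```c
#include <stdio.h>

/* Abstract steps of one pass through pci_disable_sriov()/sriov_disable().
 * END is 0 so that unused slots in a step array default to END. */
enum step { END = 0, LOCK, CHECK, DEL, ZERO, UNLOCK };

#define MAX_STEPS 6

struct path {
    enum step steps[MAX_STEPS];
};

/* The sysfs path (sriov_numvfs_store) always runs under device_lock(). */
static const struct path sysfs_path  = { { LOCK, CHECK, DEL, ZERO, UNLOCK, END } };
/* The rmmod path before the fix: no device_lock() around the check. */
static const struct path rmmod_unlocked = { { CHECK, DEL, ZERO, END, END, END } };
/* The rmmod path after the fix: same locking discipline as sysfs. */
static const struct path rmmod_locked   = { { LOCK, CHECK, DEL, ZERO, UNLOCK, END } };

struct state {
    int pc[2];       /* index of the next step of each path */
    int num_vfs;     /* models pci_dev->sriov->num_VFs */
    int releases;    /* how many times sriov_del_vfs() ran on this device */
    int lock_owner;  /* -1 = device_lock free, else the path holding it */
};

/* Apply the next step of path `who`. Returns 0 if that step is not
 * schedulable in this state (it would block on device_lock), 1 otherwise. */
static int apply(struct state *s, const struct path *p, int who)
{
    switch (p->steps[s->pc[who]]) {
    case END:
        return 0;
    case LOCK:
        if (s->lock_owner != -1)
            return 0;
        s->lock_owner = who;
        break;
    case CHECK:
        if (s->num_vfs == 0) {
            /* "if !num_VFs: return;" -- skip the release and the reset,
             * but still run any UNLOCK that follows. */
            s->pc[who]++;
            while (p->steps[s->pc[who]] == DEL || p->steps[s->pc[who]] == ZERO)
                s->pc[who]++;
            return 1;
        }
        break;
    case DEL:
        s->releases++;   /* sriov_del_vfs(): VF devices removed, klist_put() */
        break;
    case ZERO:
        s->num_vfs = 0;
        break;
    case UNLOCK:
        s->lock_owner = -1;
        break;
    }
    s->pc[who]++;
    return 1;
}

/* Depth-first enumeration of every interleaving of the two paths.
 * Returns the largest `releases` count seen on any complete schedule. */
static int explore(struct state s, const struct path *paths)
{
    int worst = s.releases;
    for (int who = 0; who < 2; who++) {
        struct state next = s;
        if (apply(&next, &paths[who], who)) {
            int r = explore(next, paths);
            if (r > worst)
                worst = r;
        }
    }
    return worst;
}

/* Worst-case number of sriov_del_vfs() calls when rmmod races "disable VFs".
 * 1 is correct; 2 is the double release behind the klist_put() crash. */
int max_releases(int rmmod_takes_device_lock)
{
    struct path paths[2];
    paths[0] = rmmod_takes_device_lock ? rmmod_locked : rmmod_unlocked;
    paths[1] = sysfs_path;
    /* Start with one VF enabled and device_lock free (constructed input). */
    struct state s = { .pc = { 0, 0 }, .num_vfs = 1, .releases = 0, .lock_owner = -1 };
    return explore(s, paths);
}

int main(void)
{
    printf("rmmod without device_lock: up to %d sriov_del_vfs() calls\n", max_releases(0));
    printf("rmmod with device_lock:    up to %d sriov_del_vfs() calls\n", max_releases(1));
    return 0;
}
```

The model deliberately leaves out everything that does not bear on the race (PCI topology, the actual klist) so that the state space is small enough to enumerate exhaustively; the point it makes is that the check on num_VFs is only meaningful when both readers and the writer that resets it agree on the same lock, which is exactly what the patch restores.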

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.214 (including) 4.19.324 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.156 (including) 5.4.286 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.76 (including) 5.10.230 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.14.15 (including) 5.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.172 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.117 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.61 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*