CVE-2024-26698
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2024-11-05 09:14
Severity ?
Summary
hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26698",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-03T18:03:45.740958Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:08.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:12.951Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9ec807e7b6f5fcf9499f3baa69f254bb239a847f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7656372ae190e54e8c8cf1039725a5ea59fdf84a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/48a8ccccffbae10c91d31fc872db5c31aba07518"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/22a77c0f5b8233237731df3288d067af51a2fd7b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0e8875de9dad12805ff66e92cd5edea6a421f1cd"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e0526ec5360a48ad3ab2e26e802b0532302a7e11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/hyperv/netvsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9ec807e7b6f5",
              "status": "affected",
              "version": "ac5047671758",
              "versionType": "git"
            },
            {
              "lessThan": "7656372ae190",
              "status": "affected",
              "version": "ac5047671758",
              "versionType": "git"
            },
            {
              "lessThan": "48a8ccccffba",
              "status": "affected",
              "version": "ac5047671758",
              "versionType": "git"
            },
            {
              "lessThan": "22a77c0f5b82",
              "status": "affected",
              "version": "ac5047671758",
              "versionType": "git"
            },
            {
              "lessThan": "0e8875de9dad",
              "status": "affected",
              "version": "ac5047671758",
              "versionType": "git"
            },
            {
              "lessThan": "e0526ec5360a",
              "status": "affected",
              "version": "ac5047671758",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/hyperv/netvsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\n\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\n\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev-\u003esubchan_work has not started yet.\nnetvsc_subchan_work() -\u003e rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(\u0026nvdev-\u003esubchan_work), for which\nnetvsc_subchan_work did not run.\n\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -\u003e napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\n\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\n\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\n\nCall trace:\n[  654.559417] task:modprobe        state:D stack:    0 pid: 2321 ppid:  1091 flags:0x00004002\n[  654.568030] Call Trace:\n[  654.571221]  \u003cTASK\u003e\n[  654.573790]  __schedule+0x2d6/0x960\n[  654.577733]  schedule+0x69/0xf0\n[  654.581214]  schedule_timeout+0x87/0x140\n[  654.585463]  ? __bpf_trace_tick_stop+0x20/0x20\n[  654.590291]  msleep+0x2d/0x40\n[  654.593625]  napi_disable+0x2b/0x80\n[  654.597437]  netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[  654.603935]  rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[  654.611101]  ? do_wait_intr+0xb0/0xb0\n[  654.615753]  netvsc_remove+0x7c/0x120 [hv_netvsc]\n[  654.621675]  vmbus_remove+0x27/0x40 [hv_vmbus]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:14:06.556Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9ec807e7b6f5fcf9499f3baa69f254bb239a847f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7656372ae190e54e8c8cf1039725a5ea59fdf84a"
        },
        {
          "url": "https://git.kernel.org/stable/c/48a8ccccffbae10c91d31fc872db5c31aba07518"
        },
        {
          "url": "https://git.kernel.org/stable/c/22a77c0f5b8233237731df3288d067af51a2fd7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e8875de9dad12805ff66e92cd5edea6a421f1cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0526ec5360a48ad3ab2e26e802b0532302a7e11"
        }
      ],
      "title": "hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26698",
    "datePublished": "2024-04-03T14:54:58.577Z",
    "dateReserved": "2024-02-19T14:20:24.157Z",
    "dateUpdated": "2024-11-05T09:14:06.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26698\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-03T15:15:52.933\",\"lastModified\":\"2024-11-05T10:15:42.387\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\\n\\nIn commit ac5047671758 (\\\"hv_netvsc: Disable NAPI before closing the\\nVMBus channel\\\"), napi_disable was getting called for all channels,\\nincluding all subchannels without confirming if they are enabled or not.\\n\\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\\nhas finished running but nvdev-\u003esubchan_work has not started yet.\\nnetvsc_subchan_work() -\u003e rndis_set_subchannel() has not created the\\nsub-channels and because of that netvsc_sc_open() is not running.\\nnetvsc_remove() calls cancel_work_sync(\u0026nvdev-\u003esubchan_work), for which\\nnetvsc_subchan_work did not run.\\n\\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\\ncannot be scheduled. Then netvsc_sc_open() -\u003e napi_enable will clear the\\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\\nopposite.\\n\\nNow during netvsc_device_remove(), when napi_disable is called for those\\nsubchannels, napi_disable gets stuck on infinite msleep.\\n\\nThis fix addresses this problem by ensuring that napi_disable() is not\\ngetting called for non-enabled NAPI struct.\\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\\nfor cleanup purpose.\\n\\nCall trace:\\n[  654.559417] task:modprobe        state:D stack:    0 pid: 2321 ppid:  1091 flags:0x00004002\\n[  654.568030] Call Trace:\\n[  654.571221]  \u003cTASK\u003e\\n[  654.573790]  __schedule+0x2d6/0x960\\n[  654.577733]  schedule+0x69/0xf0\\n[  654.581214]  schedule_timeout+0x87/0x140\\n[  654.585463]  ? __bpf_trace_tick_stop+0x20/0x20\\n[  654.590291]  msleep+0x2d/0x40\\n[  654.593625]  napi_disable+0x2b/0x80\\n[  654.597437]  netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\\n[  654.603935]  rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\\n[  654.611101]  ? do_wait_intr+0xb0/0xb0\\n[  654.615753]  netvsc_remove+0x7c/0x120 [hv_netvsc]\\n[  654.621675]  vmbus_remove+0x27/0x40 [hv_vmbus]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: hv_netvsc: corrige la condici\u00f3n de ejecuci\u00f3n entre netvsc_probe y netvsc_remove En el commit ac5047671758 (\\\"hv_netvsc: deshabilite NAPI antes de cerrar el canal VMBus\\\"), se llamaba a napi_disable para todos los canales, incluidos todos los subcanales sin confirmando si est\u00e1n habilitados o no. Esto provoc\u00f3 que hv_netvsc se colgara en napi_disable, cuando netvsc_probe() termin\u00f3 de ejecutarse pero nvdev-\u0026gt;subchan_work a\u00fan no se inici\u00f3. netvsc_subchan_work() -\u0026gt; rndis_set_subchannel() no ha creado los subcanales y por eso netvsc_sc_open() no se est\u00e1 ejecutando. netvsc_remove() llama a cancel_work_sync(\u0026amp;nvdev-\u0026gt;subchan_work), para lo cual netvsc_subchan_work no se ejecut\u00f3. netif_napi_add() establece el bit NAPI_STATE_SCHED porque garantiza que NAPI no se pueda programar. Luego netvsc_sc_open() -\u0026gt; napi_enable borrar\u00e1 el bit NAPIF_STATE_SCHED, para que pueda programarse. napi_disable() hace lo contrario. Ahora, durante netvsc_device_remove(), cuando se llama a napi_disable para esos subcanales, napi_disable se atasca en msleep infinito. Esta soluci\u00f3n soluciona este problema garantizando que no se llame a napi_disable() para una estructura NAPI no habilitada. Pero netif_napi_del() sigue siendo necesario para estas estructuras NAPI no habilitadas con fines de limpieza. Rastreo de llamadas: [654.559417] tarea:modprobe estado:D pila: 0 pid: 2321 ppid: 1091 banderas:0x00004002 [654.568030] Rastreo de llamadas: [654.571221]  [654.573790] __schedule+0x2d6/0x960 [ 65 4.577733] horario+0x69 /0xf0 [654.581214] Schedule_timeout+0x87/0x140 [654.585463]? __bpf_trace_tick_stop+0x20/0x20 [ 654.590291] msleep+0x2d/0x40 [ 654.593625] napi_disable+0x2b/0x80 [ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc] [ 6 54.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc] [654.611101]? do_wait_intr+0xb0/0xb0 [ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc] [ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0e8875de9dad12805ff66e92cd5edea6a421f1cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/22a77c0f5b8233237731df3288d067af51a2fd7b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/48a8ccccffbae10c91d31fc872db5c31aba07518\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7656372ae190e54e8c8cf1039725a5ea59fdf84a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9ec807e7b6f5fcf9499f3baa69f254bb239a847f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e0526ec5360a48ad3ab2e26e802b0532302a7e11\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.