CVE-2024-26859

Source
https://cve.org/CVERecord?id=CVE-2024-26859
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26859.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26859
Published
2024-04-17T10:27:23.709Z
Modified
2026-03-14T12:27:42.306918Z
Summary
net/bnx2x: Prevent access to a freed page in page_pool
Details

In the Linux kernel, the following vulnerability has been resolved:

net/bnx2x: Prevent access to a freed page in page_pool

Fix race condition leading to system crash during EEH error handling

During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2x_io_slot_reset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge().

    static inline void bnx2x_free_rx_sge(struct bnx2x *bp,
                                         struct bnx2x_fastpath *fp, u16 index)
    {
        struct sw_rx_page *sw_buf = &fp->rx_page_ring[index];
        struct page *page = sw_buf->page;
    ....

where sw_buf was set to NULL after the call to dma_unmap_page() by the preceding thread.

EEH: Beginning: 'slot_reset'
PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()
bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...
bnx2x 0011:01:00.0: enabling device (0140 -> 0142)
bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc0080000025065fc
Oops: Kernel access of bad area, sig: 11 [#1]
.....
Call Trace:
[c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)
[c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0
[c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550
[c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60
[c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170
[c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0
[c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64

To solve this issue, we need to verify page pool allocations before freeing.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26859.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4cace675d687ebd2d813e90af80ff87ee85202f9
Fixed
7bcc090c81116c66936a7415f2c6b1483a4bcfd9
Fixed
4f37d3a7e004bbf560c21441ca9c022168017ec4
Fixed
8eebff95ce9558be66a36aa7cfb43223f3ab4699
Fixed
8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598
Fixed
cf7d8cba639ae792a42c2a137b495eac262ac36c
Fixed
3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb
Fixed
c51f8b6930db3f259b8820b589f2459d2df3fc68
Fixed
44f9f1abb0ecc43023225ab9539167facbabf0ec
Fixed
d27e2da94a42655861ca4baea30c8cd65546f25d

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26859.json"