In the Linux kernel, the following vulnerability has been resolved:
net/bnx2x: Prevent access to a freed page in page_pool
Fix race condition leading to system crash during EEH error handling
During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2xtxtimeout() schedules reset tasks via bnx2xsprtnltask(), which ultimately leads to bnx2xnicunload(). In bnx2xnicunload() SGEs are freed using bnx2xfreerxsgerange(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2xioslotreset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2xfreerx_sge()
799 static inline void bnx2xfreerxsge(struct bnx2x *bp, 800 struct bnx2xfastpath *fp, u16 index) 801 { 802 struct swrxpage *swbuf = &fp->rxpagering[index]; 803 struct page *page = swbuf->page; .... where swbuf was set to NULL after the call to dmaunmap_page() by the preceding thread.
EEH: Beginning: 'slot_reset'
PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()
bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...
bnx2x 0011:01:00.0: enabling device (0140 -> 0142)
bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc0080000025065fc
Oops: Kernel access of bad area, sig: 11 [#1]
.....
Call Trace:
[c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)
[c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0
[c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550
[c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60
[c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170
[c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0
[c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
To solve this issue, we need to verify page pool allocations before freeing.
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h" }, "signature_version": "v1", "digest": { "line_hashes": [ "271292811696169901941765514774592828402", "218184443866976965727098804365104871195", "46150593797899152744730101437534500941", "126231514294266957864146878973281135856", "208612176819859183131545003297779681958", "218053638816380345424713758164526127933", "245185081416998834800658889837760254639", "225112875511208304001291930934373506333" ], "threshold": 0.9 }, "id": "CVE-2024-26859-0e63917d", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f37d3a7e004bbf560c21441ca9c022168017ec4" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h" }, "signature_version": "v1", "digest": { "line_hashes": [ "271292811696169901941765514774592828402", "218184443866976965727098804365104871195", "46150593797899152744730101437534500941", "126231514294266957864146878973281135856", "208612176819859183131545003297779681958", "218053638816380345424713758164526127933", "245185081416998834800658889837760254639", "225112875511208304001291930934373506333" ], "threshold": 0.9 }, "id": "CVE-2024-26859-1fe917bb", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h" }, "signature_version": "v1", "digest": { "line_hashes": [ "271292811696169901941765514774592828402", "218184443866976965727098804365104871195", "46150593797899152744730101437534500941", "126231514294266957864146878973281135856", "208612176819859183131545003297779681958", "218053638816380345424713758164526127933", "245185081416998834800658889837760254639", "225112875511208304001291930934373506333" ], "threshold": 0.9 }, "id": "CVE-2024-26859-4336c128", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cf7d8cba639ae792a42c2a137b495eac262ac36c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_sge_range" }, "signature_version": "v1", "digest": { "length": 261.0, "function_hash": "231308576930280442172576529353817828801" }, "id": "CVE-2024-26859-443af400", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_sge_range" }, "signature_version": "v1", "digest": { "length": 261.0, "function_hash": "231308576930280442172576529353817828801" }, "id": "CVE-2024-26859-5605ad89", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d27e2da94a42655861ca4baea30c8cd65546f25d" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_sge_range" }, "signature_version": "v1", "digest": { "length": 261.0, "function_hash": "231308576930280442172576529353817828801" }, "id": "CVE-2024-26859-580ecf10", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c51f8b6930db3f259b8820b589f2459d2df3fc68" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_mem_pool" }, "signature_version": "v1", "digest": { "length": 150.0, "function_hash": "272733967176514619521838186598338546658" }, "id": "CVE-2024-26859-5ba6ced8", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f37d3a7e004bbf560c21441ca9c022168017ec4" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_mem_pool" }, "signature_version": "v1", "digest": { "length": 150.0, "function_hash": "272733967176514619521838186598338546658" }, "id": "CVE-2024-26859-5bb4a8cf", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bcc090c81116c66936a7415f2c6b1483a4bcfd9" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_mem_pool" }, "signature_version": "v1", "digest": { "length": 150.0, "function_hash": "272733967176514619521838186598338546658" }, "id": "CVE-2024-26859-65e45ae2", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h" }, "signature_version": "v1", "digest": { "line_hashes": [ "271292811696169901941765514774592828402", "218184443866976965727098804365104871195", "46150593797899152744730101437534500941", "126231514294266957864146878973281135856", "208612176819859183131545003297779681958", "218053638816380345424713758164526127933", "245185081416998834800658889837760254639", "225112875511208304001291930934373506333" ], "threshold": 0.9 }, "id": "CVE-2024-26859-692c9048", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bcc090c81116c66936a7415f2c6b1483a4bcfd9" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_mem_pool" }, "signature_version": "v1", "digest": { "length": 150.0, "function_hash": "272733967176514619521838186598338546658" }, "id": "CVE-2024-26859-6c140f52", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_mem_pool" }, "signature_version": "v1", "digest": { "length": 150.0, "function_hash": "272733967176514619521838186598338546658" }, "id": "CVE-2024-26859-6fef7c1a", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c51f8b6930db3f259b8820b589f2459d2df3fc68" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_sge_range" }, "signature_version": "v1", "digest": { "length": 261.0, "function_hash": "231308576930280442172576529353817828801" }, "id": "CVE-2024-26859-8a7758dd", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_mem_pool" }, "signature_version": "v1", "digest": { "length": 150.0, "function_hash": "272733967176514619521838186598338546658" }, "id": "CVE-2024-26859-901d0ad7", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d27e2da94a42655861ca4baea30c8cd65546f25d" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h" }, "signature_version": "v1", "digest": { "line_hashes": [ "271292811696169901941765514774592828402", "218184443866976965727098804365104871195", "46150593797899152744730101437534500941", "126231514294266957864146878973281135856", "208612176819859183131545003297779681958", "218053638816380345424713758164526127933", "245185081416998834800658889837760254639", "225112875511208304001291930934373506333" ], "threshold": 0.9 }, "id": "CVE-2024-26859-9ca64857", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c51f8b6930db3f259b8820b589f2459d2df3fc68" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h" }, "signature_version": "v1", "digest": { "line_hashes": [ "271292811696169901941765514774592828402", "218184443866976965727098804365104871195", "46150593797899152744730101437534500941", "126231514294266957864146878973281135856", "208612176819859183131545003297779681958", "218053638816380345424713758164526127933", "245185081416998834800658889837760254639", "225112875511208304001291930934373506333" ], "threshold": 0.9 }, "id": "CVE-2024-26859-a1ba17cb", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d27e2da94a42655861ca4baea30c8cd65546f25d" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h" }, "signature_version": "v1", "digest": { "line_hashes": [ "271292811696169901941765514774592828402", "218184443866976965727098804365104871195", "46150593797899152744730101437534500941", "126231514294266957864146878973281135856", "208612176819859183131545003297779681958", "218053638816380345424713758164526127933", "245185081416998834800658889837760254639", "225112875511208304001291930934373506333" ], "threshold": 0.9 }, "id": "CVE-2024-26859-accf364e", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@44f9f1abb0ecc43023225ab9539167facbabf0ec" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h" }, "signature_version": "v1", "digest": { "line_hashes": [ "271292811696169901941765514774592828402", "218184443866976965727098804365104871195", "46150593797899152744730101437534500941", "126231514294266957864146878973281135856", "208612176819859183131545003297779681958", "218053638816380345424713758164526127933", "245185081416998834800658889837760254639", "225112875511208304001291930934373506333" ], "threshold": 0.9 }, "id": "CVE-2024-26859-c599e707", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_mem_pool" }, "signature_version": "v1", "digest": { "length": 150.0, "function_hash": "272733967176514619521838186598338546658" }, "id": "CVE-2024-26859-dcf13c4f", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cf7d8cba639ae792a42c2a137b495eac262ac36c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_sge_range" }, "signature_version": "v1", "digest": { "length": 261.0, "function_hash": "231308576930280442172576529353817828801" }, "id": "CVE-2024-26859-e97fcf24", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4f37d3a7e004bbf560c21441ca9c022168017ec4" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_sge_range" }, "signature_version": "v1", "digest": { "length": 261.0, "function_hash": "231308576930280442172576529353817828801" }, "id": "CVE-2024-26859-eb5cecbc", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@44f9f1abb0ecc43023225ab9539167facbabf0ec" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_sge_range" }, "signature_version": "v1", "digest": { "length": 261.0, "function_hash": "231308576930280442172576529353817828801" }, "id": "CVE-2024-26859-f81dc766", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bcc090c81116c66936a7415f2c6b1483a4bcfd9" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_mem_pool" }, "signature_version": "v1", "digest": { "length": 150.0, "function_hash": "272733967176514619521838186598338546658" }, "id": "CVE-2024-26859-fa3e162c", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@44f9f1abb0ecc43023225ab9539167facbabf0ec" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h", "function": "bnx2x_free_rx_sge_range" }, "signature_version": "v1", "digest": { "length": 261.0, "function_hash": "231308576930280442172576529353817828801" }, "id": "CVE-2024-26859-fdc37c45", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cf7d8cba639ae792a42c2a137b495eac262ac36c" } ] }