CVE-2024-41047

In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix XDP program unloading while removing the driver

The commit 6533e558c650 ("i40e: Fix reset path while removing the driver") introduced a new PF state "_I40EINREMOVE" to block modifying the XDP program while the driver is being removed. Unfortunately, such a change is useful only if the ".ndobpf()" callback was called out of the rmmod context because unloading the existing XDP program is also a part of driver removing procedure. In other words, from the rmmod context the driver is expected to unload the XDP program without reporting any errors. Otherwise, the kernel warning with callstack is printed out to dmesg.

Example failing scenario: 1. Load the i40e driver. 2. Load the XDP program. 3. Unload the i40e driver (using "rmmod" command).

The example kernel warning log:

[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregisternetdevicemanynotify+0x7a9/0x870 [...] [ +0.010959] RIP: 0010:unregisternetdevicemanynotify+0x7a9/0x870 [...] [ +0.002726] Call Trace: [ +0.002457] <TASK> [ +0.002119] ? _warn+0x80/0x120 [ +0.003245] ? unregisternetdevicemanynotify+0x7a9/0x870 [ +0.005586] ? reportbug+0x164/0x190 [ +0.003678] ? handlebug+0x3c/0x80 [ +0.003503] ? excinvalidop+0x17/0x70 [ +0.003846] ? asmexcinvalidop+0x1a/0x20 [ +0.004200] ? unregisternetdevicemanynotify+0x7a9/0x870 [ +0.005579] ? unregisternetdevicemanynotify+0x3cc/0x870 [ +0.005586] unregisternetdevicequeue+0xf7/0x140 [ +0.004806] unregisternetdev+0x1c/0x30 [ +0.003933] i40evsirelease+0x87/0x2f0 [i40e] [ +0.004604] i40eremove+0x1a1/0x420 [i40e] [ +0.004220] pcideviceremove+0x3f/0xb0 [ +0.003943] devicereleasedriverinternal+0x19f/0x200 [ +0.005243] driverdetach+0x48/0x90 [ +0.003586] busremovedriver+0x6d/0xf0 [ +0.003939] pciunregisterdriver+0x2e/0xb0 [ +0.004278] i40eexitmodule+0x10/0x5f0 [i40e] [ +0.004570] _dosysdeletemodule.isra.0+0x197/0x310 [ +0.005153] dosyscall64+0x85/0x170 [ +0.003684] ? syscallexittousermode+0x69/0x220 [ +0.004886] ? dosyscall64+0x95/0x170 [ +0.003851] ? excpagefault+0x7e/0x180 [ +0.003932] entrySYSCALL64afterhwframe+0x71/0x79 [ +0.005064] RIP: 0033:0x7f59dc9347cb [ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48 [ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIGRAX: 00000000000000b0 [ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb [ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748 [ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000 [ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000 [ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000 [ +0.007151] </TASK> [ +0.002204] ---[ end trace 0000000000000000 ]---

Fix this by checking if the XDP program is being loaded or unloaded. Then, block only loading a new program while "I40EINREMOVE" is set. Also, move testing "I40EINREMOVE" flag to the beginning of XDP_SETUP callback to avoid unnecessary operations and checks.