CVE-2024-50146
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50146
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50146.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-50146
- Downstream
- Related
- Published
- 2024-11-07T09:31:23Z
- Modified
- 2025-10-22T04:48:56.414759Z
- Summary
- net/mlx5e: Don't call cleanup on profile rollback failure
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Don't call cleanup on profile rollback failure
When profile rollback fails in mlx5enetdevchange_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case.
This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5eprivinit, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in mlx5eremove.
[ 732.473932] mlx5core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5core 0000:08:00.1: mlx5enetdevinitprofile:6235:(pid 6086): mlx5eprivinit failed, err=-12 [ 734.559187] mlx5core 0000:08:00.1 eth3: mlx5enetdevchangeprofile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5core 0000:08:00.1: mlx5enetdevinitprofile:6235:(pid 6086): mlx5eprivinit failed, err=-12 [ 734.591136] mlx5core 0000:08:00.1 eth3: mlx5enetdevchangeprofile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? _die+0x20/0x60 [ 745.552218] ? pagefaultoops+0x150/0x400 [ 745.555307] ? excpagefault+0x79/0x240 [ 745.555729] ? asmexcpagefault+0x22/0x30 [ 745.556166] ? mlx5eremove+0x6b/0xb0 [mlx5core] [ 745.556698] auxiliarybusremove+0x18/0x30 [ 745.557134] devicereleasedriverinternal+0x1df/0x240 [ 745.557654] busremovedevice+0xd7/0x140 [ 745.558075] devicedel+0x15b/0x3c0 [ 745.558456] mlx5rescandriverslocked.part.0+0xb1/0x2f0 [mlx5core] [ 745.559112] mlx5unregisterdevice+0x34/0x50 [mlx5core] [ 745.559686] mlx5uninitone+0x46/0xf0 [mlx5core] [ 745.560203] removeone+0x4e/0xd0 [mlx5core] [ 745.560694] pcideviceremove+0x39/0xa0 [ 745.561112] devicereleasedriverinternal+0x1df/0x240 [ 745.561631] driverdetach+0x47/0x90 [ 745.562022] busremovedriver+0x84/0x100 [ 745.562444] pciunregisterdriver+0x3b/0x90 [ 745.562890] mlx5cleanup+0xc/0x1b [mlx5core] [ 745.563415] _x64sysdeletemodule+0x14d/0x2f0 [ 745.563886] ? kmemcachefree+0x1b0/0x460 [ 745.564313] ? lockdephardirqsonprepare+0xe2/0x190 [ 745.564825] dosyscall64+0x6d/0x140 [ 745.565223] entrySYSCALL64afterhwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/3955b77494c3c7d14873b1db67e7e00c46a714db
- https://git.kernel.org/stable/c/4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0
- https://git.kernel.org/stable/c/d6fe973c8873c998734a050f366b28facc03d32a
- https://git.kernel.org/stable/c/db84cb4c8c565e6d4de84b23c2818b63991adfdd
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3ef14e463f6ed0218710f56b97e1a7d0448784d2Fixeddb84cb4c8c565e6d4de84b23c2818b63991adfdd
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3ef14e463f6ed0218710f56b97e1a7d0448784d2Fixedd6fe973c8873c998734a050f366b28facc03d32a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3ef14e463f6ed0218710f56b97e1a7d0448784d2Fixed3955b77494c3c7d14873b1db67e7e00c46a714db
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3ef14e463f6ed0218710f56b97e1a7d0448784d2Fixed4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0
Affected versions
v5.*
v6.*
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"329444612724767983151486152350854690956",
"186800514568057970852402443608782149924",
"263073544937814282896199899252221267125",
"147793401048090391930536221634467779799"
]
},
"signature_type": "Line",
"id": "CVE-2024-50146-1b95f9ad",
"target": {
"file": "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d6fe973c8873c998734a050f366b28facc03d32a",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 407.0,
"function_hash": "85988802108329080007116591950584802578"
},
"signature_type": "Function",
"id": "CVE-2024-50146-47d6ee8b",
"target": {
"file": "drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"function": "_mlx5e_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3955b77494c3c7d14873b1db67e7e00c46a714db",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"141172318760082247196710606446866963059",
"242274988076542018185730216180186335168",
"68831565272791079146838377928603225876",
"147793401048090391930536221634467779799"
]
},
"signature_type": "Line",
"id": "CVE-2024-50146-9f082615",
"target": {
"file": "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 407.0,
"function_hash": "85988802108329080007116591950584802578"
},
"signature_type": "Function",
"id": "CVE-2024-50146-b7878d35",
"target": {
"file": "drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"function": "_mlx5e_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 256.0,
"function_hash": "111600545053809519086212871611223600983"
},
"signature_type": "Function",
"id": "CVE-2024-50146-bbad9020",
"target": {
"file": "drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"function": "mlx5e_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db84cb4c8c565e6d4de84b23c2818b63991adfdd",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"329444612724767983151486152350854690956",
"71767725259093915316770184766240936864",
"295016023039047855892516336793928978025",
"4741812286773326798502090345165601572"
]
},
"signature_type": "Line",
"id": "CVE-2024-50146-bdd85dc7",
"target": {
"file": "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db84cb4c8c565e6d4de84b23c2818b63991adfdd",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"length": 336.0,
"function_hash": "129158999701957228360200196203944497038"
},
"signature_type": "Function",
"id": "CVE-2024-50146-d1b39c02",
"target": {
"file": "drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"function": "mlx5e_remove"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d6fe973c8873c998734a050f366b28facc03d32a",
"deprecated": false
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"141172318760082247196710606446866963059",
"242274988076542018185730216180186335168",
"68831565272791079146838377928603225876",
"147793401048090391930536221634467779799"
]
},
"signature_type": "Line",
"id": "CVE-2024-50146-d74cea69",
"target": {
"file": "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3955b77494c3c7d14873b1db67e7e00c46a714db",
"deprecated": false
}
]