Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2024-27014

Disclosure Date: May 01, 2024
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Prevent deadlock while disabling aRFS

When disabling aRFS under the priv->state_lock, any scheduled
aRFS works are canceled using the cancel_work_sync function,
which waits for the work to end if it has already started.
However, while waiting for the work handler, the handler will
try to acquire the state_lock which is already acquired.

The worker acquires the lock to delete the rules if the state
is down, which is not the worker’s responsibility since
disabling aRFS deletes the rules.

Add an aRFS state variable, which indicates whether the aRFS is
enabled and prevent adding rules when the aRFS is disabled.

Kernel log:

======================================================
WARNING: possible circular locking dependency detected

6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I

ethtool/386089 is trying to acquire lock:
ffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}–{0:0}, at: __flush_work+0x74/0x4e0

but task is already holding lock:
ffff8884a1808cc0 (&priv->state_lock){+.+.}–{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

–> #1 (&priv->state_lock){+.+.}–{3:3}:

   __mutex_lock+0x80/0xc90
   arfs_handle_work+0x4b/0x3b0 [mlx5_core]
   process_one_work+0x1dc/0x4a0
   worker_thread+0x1bf/0x3c0
   kthread+0xd7/0x100
   ret_from_fork+0x2d/0x50
   ret_from_fork_asm+0x11/0x20

–> #0 ((work_completion)(&rule->arfs_work)){+.+.}–{0:0}:

   __lock_acquire+0x17b4/0x2c80
   lock_acquire+0xd0/0x2b0
   __flush_work+0x7a/0x4e0
   __cancel_work_timer+0x131/0x1c0
   arfs_del_rules+0x143/0x1e0 [mlx5_core]
   mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]
   mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]
   ethnl_set_channels+0x28f/0x3b0
   ethnl_default_set_doit+0xec/0x240
   genl_family_rcv_msg_doit+0xd0/0x120
   genl_rcv_msg+0x188/0x2c0
   netlink_rcv_skb+0x54/0x100
   genl_rcv+0x24/0x40
   netlink_unicast+0x1a1/0x270
   netlink_sendmsg+0x214/0x460
   __sock_sendmsg+0x38/0x60
   __sys_sendto+0x113/0x170
   __x64_sys_sendto+0x20/0x30
   do_syscall_64+0x40/0xe0
   entry_SYSCALL_64_after_hwframe+0x46/0x4e

other info that might help us debug this:

Possible unsafe locking scenario:

   CPU0                    CPU1
   ----                    ----

lock(&priv->state_lock);

                           lock((work_completion)(&rule->arfs_work));
                           lock(&priv->state_lock);

lock((work_completion)(&rule->arfs_work));

*** DEADLOCK ***

3 locks held by ethtool/386089:
#0: ffffffff82ea7210 (cb_lock){++++}–{3:3}, at: genl_rcv+0x15/0x40
#1: ffffffff82e94c88 (rtnl_mutex){+.+.}–{3:3}, at: ethnl_default_set_doit+0xd3/0x240
#2: ffff8884a1808cc0 (&priv->state_lock){+.+.}–{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]

stack backtrace:
CPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x60/0xa0
check_noncircular+0x144/0x160
__lock_acquire+0x17b4/0x2c80
lock_acquire+0xd0/0x2b0
? __flush_work+0x74/0x4e0
? save_trace+0x3e/0x360
? __flush_work+0x74/0x4e0
__flush_work+0x7a/0x4e0
? __flush_work+0x74/0x4e0
? __lock_acquire+0xa78/0x2c80
? lock_acquire+0xd0/0x2b0
? mark_held_locks+0x49/0x70
__cancel_work_timer+0x131/0x1c0
? mark_held_locks+0x49/0x70
arfs_del_rules+0x143/0x1e0 [mlx5_core]
mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]
mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]
ethnl_set_channels+0x28f/0x3b0
ethnl_default_set_doit+0xec/0x240
genl_family_rcv_msg_doit+0xd0/0x120
genl_rcv_msg+0x188/0x2c0
? ethn
—-truncated—-

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Vendors

  • fedoraproject,
  • linux

Products

  • fedora 38,
  • fedora 39,
  • fedora 40,
  • linux kernel,
  • linux kernel 6.9
Technical Analysis