CVE-2024-42268 - Linux Kernel Vulnerability Resolved: net/mlx5 Missing Lock on Sync Reset Reload

In this post, we will discuss a recently resolved vulnerability in the Linux kernel involving the net/mlx5 component. This vulnerability has been assigned the identifier CVE-2024-42268. The problem was related to a missing lock on sync reset reload, which led to triggering a lock assert warning. This has now been fixed, preventing potential security issues.

The Linux kernel, an essential part of the operating system, is responsible for controlling and managing system resources and providing an interface for software to interact with hardware. The net/mlx5 module, in particular, deals with the management of the Mellanox 5 platform in the kernel.

The issue was in the sync reset reload work of the net/mlx5 component. When a remote host updated devlink on reload actions performed on that host, the devlink lock was not taken before calling devlink_remote_reload_actions_performed(). This triggered a lock assert warning, as shown below:

WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+x3e/x50
…
CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S      W          6.10.-rc2+ #116
Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2. 12/18/2015
Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]
RIP: 001:devl_assert_locked+x3e/x50
…
Call Trace:
 <TASK>
 ? __warn+xa4/x210
 ? devl_assert_locked+x3e/x50
 ? report_bug+x160/x280
 ? handle_bug+x3f/x80
 ? exc_invalid_op+x17/x40
 ? asm_exc_invalid_op+x1a/x20
 ? devl_assert_locked+x3e/x50
 devlink_notify+x88/x2b
 ? mlx5_attach_device+x20c/x230 [mlx5_core]
 ? __pfx_devlink_notify+x10/x10
 ? process_one_work+x4b6/xbb
 process_one_work+x4b6/xbb
[…]

To address this vulnerability, the sync reset reload work in the net/mlx5 component now takes the lock before calling devlink_remote_reload_actions_performed(), so the lock assertion in devlink no longer fires on this path.
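
To check whether a host has already logged this warning, the signature in the trace above (a devl_assert_locked warning raised from mlx5_sync_reset_reload_work on the mlx5_fw_reset_events workqueue) can be matched in kernel logs. The following is an added example, not code from the kernel patch or from this post; the function name find_sync_reset_lock_warnings and the sample log lines are constructed for illustration.

```python
import re

# Header of a kernel WARNING block: PID, source location, and the function that warned.
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+) (\w+)\+")
# Workqueue line: queue name and the work function that was running.
WORKQUEUE_RE = re.compile(r"Workqueue: (\S+) (\w+)")

def find_sync_reset_lock_warnings(lines):
    """Return one dict per WARNING block matching the signature in the trace above."""
    hits, current = [], None
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            # Match on the asserting function; the file:line differs between kernel builds.
            current = None
            if m.group(3) == "devl_assert_locked":
                current = {"pid": int(m.group(1)), "site": m.group(2)}
            continue
        if current is None:
            continue
        if "---[ end trace" in line:
            current = None  # block ended without a Workqueue line
            continue
        w = WORKQUEUE_RE.search(line)
        if w:
            if w.groups() == ("mlx5_fw_reset_events", "mlx5_sync_reset_reload_work"):
                hits.append(current)
            current = None
    return hits

# Constructed sample log (not captured from a real host), modelled on the trace above.
SAMPLE_LOG = """\
[  812.101] WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50
[  812.102] Modules linked in: mlx5_core
[  812.103] Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]
[  812.110] ---[ end trace 0000000000000000 ]---
[  900.001] WARNING: CPU: 1 PID: 77 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50
[  900.002] Workqueue: events example_other_work [example_drv]
[  900.010] ---[ end trace 0000000000000000 ]---
[  950.001] WARNING: CPU: 2 PID: 90 at mm/example.c:10 example_warn+0x10/0x20
[  950.002] Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]
""".splitlines()

if __name__ == "__main__":
    for hit in find_sync_reset_lock_warnings(SAMPLE_LOG):
        print(f"devlink lock assert in mlx5 sync reset reload: pid={hit['pid']} at {hit['site']}")
```

Only the first block in the sample matches; the second is the same assert from a different work item, and the third is an unrelated warning on the mlx5 workqueue.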

For more information on this vulnerability, you can check the original references and announcement:

- Linux Kernel Mailing List (LKML) Patch
- Linux Kernel Git Repository Commit

In conclusion, CVE-2024-42268 demonstrates the importance of proper lock management and synchronization in the Linux kernel. By addressing this issue in the net/mlx5 component, the associated risks and potential security concerns have been mitigated. It is essential that users update their kernel to incorporate this fix and continue monitoring future security advisories to maintain the integrity and security of their systems.

Timeline

Published on: 08/17/2024 09:15:08 UTC
Last modified on: 08/19/2024 20:52:49 UTC