CVE-2024-26698: hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove
First published: Wed Apr 03 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove In commit ac5047671758 ("hv_netvsc: Disable NAPI before closing the VMBus channel"), napi_disable was getting called for all channels, including all subchannels without confirming if they are enabled or not. This caused hv_netvsc getting hung at napi_disable, when netvsc_probe() has finished running but nvdev->subchan_work has not started yet. netvsc_subchan_work() -> rndis_set_subchannel() has not created the sub-channels and because of that netvsc_sc_open() is not running. netvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which netvsc_subchan_work did not run. netif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI cannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the NAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the opposite. Now during netvsc_device_remove(), when napi_disable is called for those subchannels, napi_disable gets stuck on infinite msleep. This fix addresses this problem by ensuring that napi_disable() is not getting called for non-enabled NAPI struct. But netif_napi_del() is still necessary for these non-enabled NAPI struct for cleanup purpose. Call trace: [ 654.559417] task:modprobe state:D stack: 0 pid: 2321 ppid: 1091 flags:0x00004002 [ 654.568030] Call Trace: [ 654.571221] <TASK> [ 654.573790] __schedule+0x2d6/0x960 [ 654.577733] schedule+0x69/0xf0 [ 654.581214] schedule_timeout+0x87/0x140 [ 654.585463] ? __bpf_trace_tick_stop+0x20/0x20 [ 654.590291] msleep+0x2d/0x40 [ 654.593625] napi_disable+0x2b/0x80 [ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc] [ 654.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc] [ 654.611101] ? do_wait_intr+0xb0/0xb0 [ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc] [ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <5.10.210 | 5.10.210 |
| redhat/kernel | <5.15.149 | 5.15.149 |
| redhat/kernel | <6.1.79 | 6.1.79 |
| redhat/kernel | <6.6.18 | 6.6.18 |
| redhat/kernel | <6.7.6 | 6.7.6 |
| redhat/kernel | <6.8 | 6.8 |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.119-1 6.12.11-1 6.12.12-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/0e8875de9dad12805ff66e92cd5edea6a421f1cd
- https://git.kernel.org/stable/c/22a77c0f5b8233237731df3288d067af51a2fd7b
- https://git.kernel.org/stable/c/48a8ccccffbae10c91d31fc872db5c31aba07518
- https://git.kernel.org/stable/c/7656372ae190e54e8c8cf1039725a5ea59fdf84a
- https://git.kernel.org/stable/c/9ec807e7b6f5fcf9499f3baa69f254bb239a847f
- https://git.kernel.org/stable/c/e0526ec5360a48ad3ab2e26e802b0532302a7e11
- https://launchpad.net/bugs/cve/CVE-2024-26698
- https://access.redhat.com/security/cve/CVE-2024-26698
- https://lore.kernel.org/linux-cve-announce/2024040338-CVE-2024-26698-36ac@gregkh/T
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2273118
- https://access.redhat.com/errata/RHSA-2024:4823
- https://access.redhat.com/errata/RHSA-2024:4831
- https://access.redhat.com/errata/RHSA-2024:5101
- https://access.redhat.com/errata/RHSA-2024:6297
- https://access.redhat.com/errata/RHSA-2024:6993
- https://bugzilla.redhat.com/show_bug.cgi?id=2273117
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26698
- https://nvd.nist.gov/vuln/detail/CVE-2024-26698
- https://security-tracker.debian.org/tracker/CVE-2024-26698
- https://ubuntu.com/security/CVE-2024-26698
- https://git.kernel.org/linus/e0526ec5360a48ad3ab2e26e802b0532302a7e11
Frequently Asked Questions
What is the severity of CVE-2024-26698?
CVE-2024-26698 has a moderate severity level due to the potential for race conditions impacting kernel module stability.
How do I fix CVE-2024-26698?
To address CVE-2024-26698, update the Linux kernel to one of the patched versions provided by your distribution, such as Red Hat kernel version 5.10.210 or newer.
Which Linux kernel versions are affected by CVE-2024-26698?
CVE-2024-26698 affects several Linux kernel versions prior to 5.10.210, 5.15.149, 6.1.79, and 6.6.18, among others.
Is CVE-2024-26698 specific to any Linux distributions?
Yes, CVE-2024-26698 primarily affects Red Hat and Debian distributions, as indicated by the specific kernel versions mentioned.
What components are involved in CVE-2024-26698?
CVE-2024-26698 involves the hv_netvsc component of the Linux kernel, specifically regarding the netvsc_probe and netvsc_remove functions.
- agent/title
- agent/weakness
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/first-publish-date
- agent/author
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-26698
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/references
- collector/usn-cve
- source/Ubuntu
- agent/description
- collector/nvd-cve
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/source
- package-manager/redhat
- package-manager/debian