CVE-2024-26802: stmmac: Clear variable when destroying workqueue
First published: Thu Apr 04 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: stmmac: Clear variable when destroying workqueue Currently when suspending driver and stopping workqueue it is checked whether workqueue is not NULL and if so, it is destroyed. Function destroy_workqueue() does drain queue and does clear variable, but it does not set workqueue variable to NULL. This can cause kernel/module panic if code attempts to clear workqueue that was not initialized. This scenario is possible when resuming suspended driver in stmmac_resume(), because there is no handling for failed stmmac_hw_setup(), which can fail and return if DMA engine has failed to initialize, and workqueue is initialized after DMA engine. Should DMA engine fail to initialize, resume will proceed normally, but interface won't work and TX queue will eventually timeout, causing 'Reset adapter' error. This then does destroy workqueue during reset process. And since workqueue is initialized after DMA engine and can be skipped, it will cause kernel/module panic. To secure against this possible crash, set workqueue variable to NULL when destroying workqueue. Log/backtrace from crash goes as follows: [88.031977]------------[ cut here ]------------ [88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out [88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398 <Skipping backtrace for watchdog timeout> [88.032251]---[ end trace e70de432e4d5c2c0 ]--- [88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter. [88.036359]------------[ cut here ]------------ [88.036519]Call trace: [88.036523] flush_workqueue+0x3e4/0x430 [88.036528] drain_workqueue+0xc4/0x160 [88.036533] destroy_workqueue+0x40/0x270 [88.036537] stmmac_fpe_stop_wq+0x4c/0x70 [88.036541] stmmac_release+0x278/0x280 [88.036546] __dev_close_many+0xcc/0x158 [88.036551] dev_close_many+0xbc/0x190 [88.036555] dev_close.part.0+0x70/0xc0 [88.036560] dev_close+0x24/0x30 [88.036564] stmmac_service_task+0x110/0x140 [88.036569] process_one_work+0x1d8/0x4a0 [88.036573] worker_thread+0x54/0x408 [88.036578] kthread+0x164/0x170 [88.036583] ret_from_fork+0x10/0x20 [88.036588]---[ end trace e70de432e4d5c2c1 ]--- [88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <5.15.151 | 5.15.151 |
| redhat/kernel | <6.1.81 | 6.1.81 |
| redhat/kernel | <6.6.21 | 6.6.21 |
| redhat/kernel | <6.7.9 | 6.7.9 |
| redhat/kernel | <6.8 | 6.8 |
| Linux Kernel | >=5.13<5.15.151 | |
| Linux Kernel | >=5.16<6.1.81 | |
| Linux Kernel | >=6.2<6.6.21 | |
| Linux Kernel | >=6.7<6.7.9 | |
| Linux Kernel | =6.8-rc1 | |
| Linux Kernel | =6.8-rc2 | |
| Linux Kernel | =6.8-rc3 | |
| Linux Kernel | =6.8-rc4 | |
| Linux Kernel | =6.8-rc5 | |
| Linux Kernel | =6.8-rc6 | |
| IBM Security Verify Governance - Identity Manager | <=ISVG 10.0.2 | |
| IBM Security Verify Governance, Identity Manager Software Stack | <=ISVG 10.0.2 | |
| IBM Security Verify Governance, Identity Manager Virtual Appliance | <=ISVG 10.0.2 | |
| IBM Security Verify Governance Identity Manager Container | <=ISVG 10.0.2 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.128-1 6.12.21-1 6.12.22-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6
- https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3
- https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f
- https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462
- https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8
- https://launchpad.net/bugs/cve/CVE-2024-26802
- https://access.redhat.com/security/cve/CVE-2024-26802
- https://lore.kernel.org/linux-cve-announce/2024040403-CVE-2024-26802-b3da@gregkh/T
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2273428
- https://access.redhat.com/errata/RHSA-2024:5102
- https://access.redhat.com/errata/RHSA-2024:5101
- https://bugzilla.redhat.com/show_bug.cgi?id=2273427
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26802
- https://nvd.nist.gov/vuln/detail/CVE-2024-26802
- https://security-tracker.debian.org/tracker/CVE-2024-26802
- https://ubuntu.com/security/CVE-2024-26802
- https://git.kernel.org/linus/8af411bbba1f457c33734795f024d0ef26d0963f
- https://www.ibm.com/support/pages/node/7230443 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-26802?
CVE-2024-26802 has a medium severity rating due to its potential impact on system performance and stability.
How do I fix CVE-2024-26802?
To fix CVE-2024-26802, update to the appropriate kernel version: Red Hat kernels 5.15.151, 6.1.81, 6.6.21, 6.7.9, 6.8, or Debian Linux versions 5.10.223-1, 5.10.226-1, 6.1.123-1, 6.1.119-1, 6.12.11-1, or 6.12.12-1.
Which versions of the Linux kernel are vulnerable to CVE-2024-26802?
CVE-2024-26802 affects various Red Hat kernel versions up to 5.15.151, 6.1.81, 6.6.21, 6.7.9, 6.8 and specific Debian Linux kernel versions.
Is CVE-2024-26802 specific to a certain type of Linux distribution?
Yes, CVE-2024-26802 primarily affects Red Hat and Debian distributions of the Linux kernel.
What impact could CVE-2024-26802 have on my system?
CVE-2024-26802 could lead to performance issues or instability if the workqueue is improperly handled during driver suspension.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-26802
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/severity
- agent/remedy
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- agent/last-modified-date
- agent/references
- agent/source
- agent/description
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.13
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.8-rc1
- version/linux kernel/6.8-rc2
- version/linux kernel/6.8-rc3
- version/linux kernel/6.8-rc4
- version/linux kernel/6.8-rc5
- version/linux kernel/6.8-rc6
- vendor/ibm
- canonical/ibm security verify governance - identity manager
- version/ibm security verify governance - identity manager/isvg 10.0.2
- canonical/ibm security verify governance, identity manager software stack
- version/ibm security verify governance, identity manager software stack/isvg 10.0.2
- canonical/ibm security verify governance, identity manager virtual appliance
- version/ibm security verify governance, identity manager virtual appliance/isvg 10.0.2
- canonical/ibm security verify governance identity manager container
- version/ibm security verify governance identity manager container/isvg 10.0.2
- package-manager/debian