CVE-2024-26838 RDMA/irdma: Fix KASAN issue with tasklet

2024-04-1710:10:04

Linux

github.com

linux kernel

vulnerability

rdma

irdma

kasan

irq

tasklet

core racing

fix

AI Score

6.6

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Fix KASAN issue with tasklet

KASAN testing revealed the following issue assocated with freeing an IRQ.

[50006.466686] Call Trace:
[50006.466691] <IRQ>
[50006.489538] dump_stack+0x5c/0x80
[50006.493475] print_address_description.constprop.6+0x1a/0x150
[50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
[50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
[50006.511644] kasan_report.cold.11+0x7f/0x118
[50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
[50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma]
[50006.528232] irdma_process_ceq+0xb2/0x400 [irdma]
[50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma]
[50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma]
[50006.545306] tasklet_action_common.isra.14+0x148/0x2c0
[50006.551096] __do_softirq+0x1d0/0xaf8
[50006.555396] irq_exit_rcu+0x219/0x260
[50006.559670] irq_exit+0xa/0x20
[50006.563320] smp_apic_timer_interrupt+0x1bf/0x690
[50006.568645] apic_timer_interrupt+0xf/0x20
[50006.573341] </IRQ>

The issue is that a tasklet could be pending on another core racing
the delete of the irq.

Fix by insuring any scheduled tasklet is killed after deleting the
irq.

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "44d9e52977a1",
        "lessThan": "635d79aa477f",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "44d9e52977a1",
        "lessThan": "b2e4a5266e3d",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "44d9e52977a1",
        "lessThan": "c6f1ca235f68",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "44d9e52977a1",
        "lessThan": "0ae8ad001397",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "44d9e52977a1",
        "lessThan": "bd97cea7b18a",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "drivers/infiniband/hw/irdma/hw.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "5.14"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "5.14",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "5.15.150",
        "versionType": "custom",
        "lessThanOrEqual": "5.15.*"
      },
      {
        "status": "unaffected",
        "version": "6.1.80",
        "versionType": "custom",
        "lessThanOrEqual": "6.1.*"
      },
      {
        "status": "unaffected",
        "version": "6.6.19",
        "versionType": "custom",
        "lessThanOrEqual": "6.6.*"
      },
      {
        "status": "unaffected",
        "version": "6.7.7",
        "versionType": "custom",
        "lessThanOrEqual": "6.7.*"
      },
      {
        "status": "unaffected",
        "version": "6.8",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "drivers/infiniband/hw/irdma/hw.c"
    ],
    "defaultStatus": "affected"
  }
]