cve/published/2024/CVE-2024-50040.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50040: igb: Do not bring the device up after non-fatal error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 igb: Do not bring the device up after non-fatal error

 Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
 changed igb_io_error_detected() to ignore non-fatal pcie errors in order
 to avoid hung task that can happen when igb_down() is called multiple
 times. This caused an issue when processing transient non-fatal errors.
 igb_io_resume(), which is called after igb_io_error_detected(), assumes
 that device is brought down by igb_io_error_detected() if the interface
 is up. This resulted in panic with stacktrace below.

 [ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down
 [  T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0
 [  T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
 [  T292] igb 0000:09:00.0:   device [8086:1537] error status/mask=00004000/00000000
 [  T292] igb 0000:09:00.0:    [14] CmpltTO [  200.105524,009][  T292] igb 0000:09:00.0: AER:   TLP Header: 00000000 00000000 00000000 00000000
 [  T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message
 [  T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.
 [  T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message
 [  T292] pcieport 0000:00:1c.5: AER: broadcast resume message
 [  T292] ------------[ cut here ]------------
 [  T292] kernel BUG at net/core/dev.c:6539!
 [  T292] invalid opcode: 0000 [#1] PREEMPT SMP
 [  T292] RIP: 0010:napi_enable+0x37/0x40
 [  T292] Call Trace:
 [  T292]  <TASK>
 [  T292]  ? die+0x33/0x90
 [  T292]  ? do_trap+0xdc/0x110
 [  T292]  ? napi_enable+0x37/0x40
 [  T292]  ? do_error_trap+0x70/0xb0
 [  T292]  ? napi_enable+0x37/0x40
 [  T292]  ? napi_enable+0x37/0x40
 [  T292]  ? exc_invalid_op+0x4e/0x70
 [  T292]  ? napi_enable+0x37/0x40
 [  T292]  ? asm_exc_invalid_op+0x16/0x20
 [  T292]  ? napi_enable+0x37/0x40
 [  T292]  igb_up+0x41/0x150
 [  T292]  igb_io_resume+0x25/0x70
 [  T292]  report_resume+0x54/0x70
 [  T292]  ? report_frozen_detected+0x20/0x20
 [  T292]  pci_walk_bus+0x6c/0x90
 [  T292]  ? aer_print_port_info+0xa0/0xa0
 [  T292]  pcie_do_recovery+0x22f/0x380
 [  T292]  aer_process_err_devices+0x110/0x160
 [  T292]  aer_isr+0x1c1/0x1e0
 [  T292]  ? disable_irq_nosync+0x10/0x10
 [  T292]  irq_thread_fn+0x1a/0x60
 [  T292]  irq_thread+0xe3/0x1a0
 [  T292]  ? irq_set_affinity_notifier+0x120/0x120
 [  T292]  ? irq_affinity_notify+0x100/0x100
 [  T292]  kthread+0xe2/0x110
 [  T292]  ? kthread_complete_and_exit+0x20/0x20
 [  T292]  ret_from_fork+0x2d/0x50
 [  T292]  ? kthread_complete_and_exit+0x20/0x20
 [  T292]  ret_from_fork_asm+0x11/0x20
 [  T292]  </TASK>

 To fix this issue igb_io_resume() checks if the interface is running and
 the device is not down this means igb_io_error_detected() did not bring
 the device down and there is no need to bring it up.

 The Linux kernel CVE team has assigned CVE-2024-50040 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.291 with commit 124e39a734cb90658b8f0dc110847bbfc6e33792 and fixed in 4.19.323 with commit dca2ca65a8695d9593e2cf1b40848e073ad75413
 	Issue introduced in 5.4.251 with commit c9f56f3c7bc908caa772112d3ae71cdd5d18c257 and fixed in 5.4.285 with commit c92cbd283ddcf55fd85a9a9b0ba13298213f3dd7
 	Issue introduced in 5.10.188 with commit 994c2ceb70ea99264ccc6f09e6703ca267dad63c and fixed in 5.10.227 with commit d79af3af2f49c6aae9add3d492c04d60c1b85ce4
 	Issue introduced in 5.15.150 with commit fa92c463eba75dcedbd8d689ffdcb83293aaa0c3 and fixed in 5.15.168 with commit 0a94079e3841d00ea5abb05e3233d019a86745f6
 	Issue introduced in 6.1.42 with commit 39695e87d86f0e7d897fba1d2559f825aa20caeb and fixed in 6.1.113 with commit 6a39c8f5c8aae74c5ab2ba466791f59ffaab0178
 	Issue introduced in 6.5 with commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 and fixed in 6.6.57 with commit 57c5053eaa5f9a8a99e34732e37a86615318e464
 	Issue introduced in 6.5 with commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 and fixed in 6.11.4 with commit 500be93c5d53b7e2c5314292012185f0207bad0c
 	Issue introduced in 6.5 with commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 and fixed in 6.12 with commit 330a699ecbfc9c26ec92c6310686da1230b4e7eb
 	Issue introduced in 4.14.322 with commit c2312e1d12b1c3ee4100c173131b102e2aed4d04
 	Issue introduced in 6.4.7 with commit 41f63b72a01c0e0ac59ab83fd2d921fcce0f602d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50040
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/igb/igb_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/dca2ca65a8695d9593e2cf1b40848e073ad75413
 	https://git.kernel.org/stable/c/c92cbd283ddcf55fd85a9a9b0ba13298213f3dd7
 	https://git.kernel.org/stable/c/d79af3af2f49c6aae9add3d492c04d60c1b85ce4
 	https://git.kernel.org/stable/c/0a94079e3841d00ea5abb05e3233d019a86745f6
 	https://git.kernel.org/stable/c/6a39c8f5c8aae74c5ab2ba466791f59ffaab0178
 	https://git.kernel.org/stable/c/57c5053eaa5f9a8a99e34732e37a86615318e464
 	https://git.kernel.org/stable/c/500be93c5d53b7e2c5314292012185f0207bad0c
 	https://git.kernel.org/stable/c/330a699ecbfc9c26ec92c6310686da1230b4e7eb
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50040: igb: Do not bring the device up after non-fatal error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	igb: Do not bring the device up after non-fatal error

	Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
	changed igb_io_error_detected() to ignore non-fatal pcie errors in order
	to avoid hung task that can happen when igb_down() is called multiple
	times. This caused an issue when processing transient non-fatal errors.
	igb_io_resume(), which is called after igb_io_error_detected(), assumes
	that device is brought down by igb_io_error_detected() if the interface
	is up. This resulted in panic with stacktrace below.

	[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down
	[ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0
	[ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
	[ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000
	[ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000
	[ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message
	[ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.
	[ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message
	[ T292] pcieport 0000:00:1c.5: AER: broadcast resume message
	[ T292] ------------[ cut here ]------------
	[ T292] kernel BUG at net/core/dev.c:6539!
	[ T292] invalid opcode: 0000 [#1] PREEMPT SMP
	[ T292] RIP: 0010:napi_enable+0x37/0x40
	[ T292] Call Trace:
	[ T292] <TASK>
	[ T292] ? die+0x33/0x90
	[ T292] ? do_trap+0xdc/0x110
	[ T292] ? napi_enable+0x37/0x40
	[ T292] ? do_error_trap+0x70/0xb0
	[ T292] ? napi_enable+0x37/0x40
	[ T292] ? napi_enable+0x37/0x40
	[ T292] ? exc_invalid_op+0x4e/0x70
	[ T292] ? napi_enable+0x37/0x40
	[ T292] ? asm_exc_invalid_op+0x16/0x20
	[ T292] ? napi_enable+0x37/0x40
	[ T292] igb_up+0x41/0x150
	[ T292] igb_io_resume+0x25/0x70
	[ T292] report_resume+0x54/0x70
	[ T292] ? report_frozen_detected+0x20/0x20
	[ T292] pci_walk_bus+0x6c/0x90
	[ T292] ? aer_print_port_info+0xa0/0xa0
	[ T292] pcie_do_recovery+0x22f/0x380
	[ T292] aer_process_err_devices+0x110/0x160
	[ T292] aer_isr+0x1c1/0x1e0
	[ T292] ? disable_irq_nosync+0x10/0x10
	[ T292] irq_thread_fn+0x1a/0x60
	[ T292] irq_thread+0xe3/0x1a0
	[ T292] ? irq_set_affinity_notifier+0x120/0x120
	[ T292] ? irq_affinity_notify+0x100/0x100
	[ T292] kthread+0xe2/0x110
	[ T292] ? kthread_complete_and_exit+0x20/0x20
	[ T292] ret_from_fork+0x2d/0x50
	[ T292] ? kthread_complete_and_exit+0x20/0x20
	[ T292] ret_from_fork_asm+0x11/0x20
	[ T292] </TASK>

	To fix this issue igb_io_resume() checks if the interface is running and
	the device is not down this means igb_io_error_detected() did not bring
	the device down and there is no need to bring it up.

	The Linux kernel CVE team has assigned CVE-2024-50040 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.291 with commit 124e39a734cb90658b8f0dc110847bbfc6e33792 and fixed in 4.19.323 with commit dca2ca65a8695d9593e2cf1b40848e073ad75413
	Issue introduced in 5.4.251 with commit c9f56f3c7bc908caa772112d3ae71cdd5d18c257 and fixed in 5.4.285 with commit c92cbd283ddcf55fd85a9a9b0ba13298213f3dd7
	Issue introduced in 5.10.188 with commit 994c2ceb70ea99264ccc6f09e6703ca267dad63c and fixed in 5.10.227 with commit d79af3af2f49c6aae9add3d492c04d60c1b85ce4
	Issue introduced in 5.15.150 with commit fa92c463eba75dcedbd8d689ffdcb83293aaa0c3 and fixed in 5.15.168 with commit 0a94079e3841d00ea5abb05e3233d019a86745f6
	Issue introduced in 6.1.42 with commit 39695e87d86f0e7d897fba1d2559f825aa20caeb and fixed in 6.1.113 with commit 6a39c8f5c8aae74c5ab2ba466791f59ffaab0178
	Issue introduced in 6.5 with commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 and fixed in 6.6.57 with commit 57c5053eaa5f9a8a99e34732e37a86615318e464
	Issue introduced in 6.5 with commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 and fixed in 6.11.4 with commit 500be93c5d53b7e2c5314292012185f0207bad0c
	Issue introduced in 6.5 with commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 and fixed in 6.12 with commit 330a699ecbfc9c26ec92c6310686da1230b4e7eb
	Issue introduced in 4.14.322 with commit c2312e1d12b1c3ee4100c173131b102e2aed4d04
	Issue introduced in 6.4.7 with commit 41f63b72a01c0e0ac59ab83fd2d921fcce0f602d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50040
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/igb/igb_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/dca2ca65a8695d9593e2cf1b40848e073ad75413
	https://git.kernel.org/stable/c/c92cbd283ddcf55fd85a9a9b0ba13298213f3dd7
	https://git.kernel.org/stable/c/d79af3af2f49c6aae9add3d492c04d60c1b85ce4
	https://git.kernel.org/stable/c/0a94079e3841d00ea5abb05e3233d019a86745f6
	https://git.kernel.org/stable/c/6a39c8f5c8aae74c5ab2ba466791f59ffaab0178
	https://git.kernel.org/stable/c/57c5053eaa5f9a8a99e34732e37a86615318e464
	https://git.kernel.org/stable/c/500be93c5d53b7e2c5314292012185f0207bad0c
	https://git.kernel.org/stable/c/330a699ecbfc9c26ec92c6310686da1230b4e7eb