In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove In commit ac5047671758 ("hv_netvsc: Disable NAPI before closing the VMBus channel"), napi_disable was getting called for all channels, including all subchannels without confirming if they are enabled or not. This caused hv_netvsc getting hung at napi_disable, when netvsc_probe() has finished running but nvdev->subchan_work has not started yet. netvsc_subchan_work() -> rndis_set_subchannel() has not created the sub-channels and because of that netvsc_sc_open() is not running. netvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which netvsc_subchan_work did not run. netif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI cannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the NAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the opposite. Now during netvsc_device_remove(), when napi_disable is called for those subchannels, napi_disable gets stuck on infinite msleep. This fix addresses this problem by ensuring that napi_disable() is not getting called for non-enabled NAPI struct. But netif_napi_del() is still necessary for these non-enabled NAPI struct for cleanup purpose. Call trace: [ 654.559417] task:modprobe state:D stack: 0 pid: 2321 ppid: 1091 flags:0x00004002 [ 654.568030] Call Trace: [ 654.571221] <TASK> [ 654.573790] __schedule+0x2d6/0x960 [ 654.577733] schedule+0x69/0xf0 [ 654.581214] schedule_timeout+0x87/0x140 [ 654.585463] ? __bpf_trace_tick_stop+0x20/0x20 [ 654.590291] msleep+0x2d/0x40 [ 654.593625] napi_disable+0x2b/0x80 [ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc] [ 654.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc] [ 654.611101] ? do_wait_intr+0xb0/0xb0 [ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc] [ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Tue, 05 Nov 2024 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 24 Sep 2024 11:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:rhel_eus:8.8

Fri, 06 Sep 2024 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/o:redhat:rhel_aus:8.6
cpe:/o:redhat:rhel_e4s:8.6
cpe:/o:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus

Thu, 08 Aug 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux
CPEs cpe:/o:redhat:enterprise_linux:8
Vendors & Products Redhat enterprise Linux

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-03T14:54:58.577Z

Updated: 2024-11-05T09:14:06.556Z

Reserved: 2024-02-19T14:20:24.157Z

Link: CVE-2024-26698

cve-icon Vulnrichment

Updated: 2024-08-02T00:14:12.951Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-03T15:15:52.933

Modified: 2024-11-21T09:02:52.217

Link: CVE-2024-26698

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-04-03T00:00:00Z

Links: CVE-2024-26698 - Bugzilla