Bugzilla – Bug 1226989
VUL-0: CVE-2024-39296: kernel: bonding: fix oops during rmmod
Last modified: 2024-07-08 15:16:40 UTC
In the Linux kernel, the following vulnerability has been resolved: bonding: fix oops during rmmod "rmmod bonding" causes an oops ever since commit cc317ea3d927 ("bonding: remove redundant NULL check in debugfs function"). Here are the relevant functions being called: bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); bonding_debug_root = NULL; <--------- SET TO NULL HERE bond_netlink_fini() rtnl_link_unregister() __rtnl_link_unregister() unregister_netdevice_many_notify() bond_uninit() bond_debug_unregister() (commit removed check for bonding_debug_root == NULL) debugfs_remove() simple_recursive_removal() down_write() -> OOPS However, reverting the bad commit does not solve the problem completely because the original code contains a race that could cause the same oops, although it was much less likely to be triggered unintentionally: CPU1 rmmod bonding bonding_exit() bond_destroy_debugfs() debugfs_remove_recursive(bonding_debug_root); CPU2 echo -bond0 > /sys/class/net/bonding_masters bond_uninit() bond_debug_unregister() if (!bonding_debug_root) CPU1 bonding_debug_root = NULL; So do NOT revert the bad commit (since the removed checks were racy anyway), and instead change the order of actions taken during module removal. The same oops can also happen if there is an error during module init, so apply the same fix there. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39296 https://www.cve.org/CVERecord?id=CVE-2024-39296 https://git.kernel.org/stable/c/a45835a0bb6ef7d5ddbc0714dd760de979cb6ece https://git.kernel.org/stable/c/cf48aee81103ca06d09d73d33fb72f1191069aa6 https://git.kernel.org/stable/c/f07224c16678a8af54ddc059b3d2d51885d7f35e https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-39296.mbox https://bugzilla.redhat.com/show_bug.cgi?id=2294270
Backported fix to SLE15-SP6