
CVE-2024-42124: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Tue Jul 30 2024 (07/30/2024, 07:46:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: qedf: Make qedf_execute_tmf() non-preemptible

Stop calling smp_processor_id() from preemptible code in qedf_execute_tmf(). This results in BUG_ON() when running an RT kernel.

[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646
[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]

AI-Powered Analysis (last updated: 06/29/2025, 05:27:10 UTC)

Technical Analysis

CVE-2024-42124 is a vulnerability in the Linux kernel's qedf driver, which handles Fibre Channel over Ethernet (FCoE) communications. The issue is that qedf_execute_tmf() runs in a preemptible context while calling smp_processor_id(), which leads to a kernel BUG_ON() error when running a real-time (RT) kernel. smp_processor_id() is not safe to call from preemptible code because the CPU number it returns is only meaningful while the task cannot be moved: if the task is preempted and migrated, the value is stale. This results in instability and potential kernel crashes, as evidenced by the BUG messages in the kernel log quoted in the description. The root cause is therefore a preemption control issue in qedf_execute_tmf(), which is part of the qedf driver's handling of SCSI commands over FCoE. The fix makes qedf_execute_tmf() non-preemptible so that the smp_processor_id() call is safe and the kernel panic is avoided. The CVE record lists the affected range as starting at commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (the kernel's initial git commit, so every version carrying the qedf driver before the fix), and the issue is relevant to systems using the qedf driver, especially those running real-time kernels or workloads requiring strict timing and stability guarantees. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, the impact of CVE-2024-42124 depends largely on their use of Linux systems with the qedf driver enabled, particularly in environments utilizing Fibre Channel over Ethernet for storage networking. Organizations operating real-time Linux kernels or workloads with stringent latency and reliability requirements—such as telecommunications, industrial automation, financial trading platforms, and critical infrastructure—may experience kernel crashes or system instability due to this vulnerability. This can lead to denial of service conditions, affecting availability of critical services and potentially causing data access interruptions. While the vulnerability does not directly expose confidentiality or integrity risks, the resulting system instability can disrupt business operations and lead to downtime. Since qedf is a specialized driver, the impact is more pronounced in data centers, cloud providers, and enterprises with advanced storage networking setups. European organizations relying on Linux-based storage solutions or real-time systems should be aware of this vulnerability to prevent unexpected outages and maintain operational continuity.

Mitigation Recommendations

To mitigate CVE-2024-42124, European organizations should:

1) Apply the official Linux kernel patches that make qedf_execute_tmf() non-preemptible as soon as they become available from trusted sources or Linux distributions.
2) For environments running real-time kernels, prioritize updating to patched kernel versions to avoid kernel panics caused by this issue.
3) Conduct thorough testing of kernel updates in staging environments to ensure compatibility and stability before deployment in production.
4) Monitor kernel logs for BUG_ON() messages related to smp_processor_id() or qedf_execute_tmf() to detect potential exploitation or manifestation of the vulnerability.
5) If immediate patching is not feasible, consider disabling the qedf driver or FCoE functionality temporarily if it does not critically impact operations, as a stopgap measure.
6) Maintain up-to-date backups and disaster recovery plans to minimize operational impact in case of system crashes.
7) Collaborate with Linux distribution vendors and storage hardware providers to receive timely updates and guidance related to this vulnerability.
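Mitigation step 4 can be automated. The following Python is an added example, not code from this advisory or from the kernel project: it pairs each "BUG: using smp_processor_id() in preemptible" line with the "caller is" line the kernel prints right after it, and flags the reports whose caller is qedf_execute_tmf in module qedf. The sample dmesg text is constructed to follow the message format quoted in the description.

```python
import re
from dataclasses import dataclass

# Constructed sample dmesg lines modelled on the report quoted in the CVE
# description (not a capture from a real system).
SAMPLE_DMESG = """\
[  659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646
[  659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]
[  701.120001] qedf 0000:3b:00.0: link up
[  842.000100] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/2:1/77
[  842.000102] caller is some_other_function+0x10/0x20 [othermod]
"""
# Two-line report from the kernel's preemption check: what was called and by
# which task (comm/pid), then the caller as a %pS symbol (func+off/size [module]).
BUG_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] BUG: using smp_processor_id\(\) in preemptible "
    r"\[[0-9a-f]+\] code: (?P<comm>\S+)/(?P<pid>\d+)$"
)
CALLER_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] caller is (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?: \[(?P<mod>\w+)\])?$"
)
@dataclass
class PreemptBug:
    timestamp: float
    comm: str
    pid: int
    caller: str
    module: str  # "" when the caller is not in a loadable module

    @property
    def is_cve_2024_42124(self) -> bool:
        return self.caller == "qedf_execute_tmf" and self.module == "qedf"

def parse_preempt_bugs(log: str) -> list:
    """Pair each BUG line with the 'caller is' line the kernel prints next."""
    lines = log.splitlines()
    found = []
    for i, line in enumerate(lines):
        bug = BUG_RE.match(line)
        if not bug:
            continue
        nxt = CALLER_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        found.append(PreemptBug(float(bug["ts"]), bug["comm"], int(bug["pid"]),
                                nxt["func"] if nxt else "<unknown>", (nxt["mod"] or "") if nxt else ""))
    return found

def qedf_tmf_hits(log: str) -> list:
    return [b for b in parse_preempt_bugs(log) if b.is_cve_2024_42124]
```

Feed it `dmesg` or journal output instead of SAMPLE_DMESG; any hit shows the unpatched code path was reached and the host still needs the fix.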


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-29T15:50:41.179Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1b11

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 5:27:10 AM

Last updated: 7/30/2025, 4:14:58 AM
