
CVE-2024-47694: Vulnerability in Linux (Linux kernel)

Severity: High
Published: Mon Oct 21 2024 (10/21/2024, 11:53:32 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

IB/mlx5: Fix UMR pd cleanup on error flow of driver init

The cited commit moves the pd allocation from function mlx5r_umr_resource_cleanup() to a new function mlx5r_umr_cleanup(). So the fix in commit [1] is broken. In the error flow, it will hit the panic in [2]. Fix it by checking the pd pointer to avoid the panic if it is NULL.

[1] RDMA/mlx5: Fix UMR cleanup on error flow of driver init

[2]
[ 347.567063] infiniband mlx5_0: Couldn't register device with driver model
[ 347.591382] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 347.593438] #PF: supervisor read access in kernel mode
[ 347.595176] #PF: error_code(0x0000) - not-present page
[ 347.596962] PGD 0 P4D 0
[ 347.601361] RIP: 0010:ib_dealloc_pd_user+0x12/0xc0 [ib_core]
[ 347.604171] RSP: 0018:ffff888106293b10 EFLAGS: 00010282
[ 347.604834] RAX: 0000000000000000 RBX: 000000000000000e RCX: 0000000000000000
[ 347.605672] RDX: ffff888106293ad0 RSI: 0000000000000000 RDI: 0000000000000000
[ 347.606529] RBP: 0000000000000000 R08: ffff888106293ae0 R09: ffff888106293ae0
[ 347.607379] R10: 0000000000000a06 R11: 0000000000000000 R12: 0000000000000000
[ 347.608224] R13: ffffffffa0704dc0 R14: 0000000000000001 R15: 0000000000000001
[ 347.609067] FS: 00007fdc720cd9c0(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000
[ 347.610094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 347.610727] CR2: 0000000000000020 CR3: 0000000103012003 CR4: 0000000000370eb0
[ 347.611421] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 347.612113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 347.612804] Call Trace:
[ 347.613130] <TASK>
[ 347.613417] ? __die+0x20/0x60
[ 347.613793] ? page_fault_oops+0x150/0x3e0
[ 347.614243] ? free_msg+0x68/0x80 [mlx5_core]
[ 347.614840] ? cmd_exec+0x48f/0x11d0 [mlx5_core]
[ 347.615359] ? exc_page_fault+0x74/0x130
[ 347.615808] ? asm_exc_page_fault+0x22/0x30
[ 347.616273] ? ib_dealloc_pd_user+0x12/0xc0 [ib_core]
[ 347.616801] mlx5r_umr_cleanup+0x23/0x90 [mlx5_ib]
[ 347.617365] mlx5_ib_stage_pre_ib_reg_umr_cleanup+0x36/0x40 [mlx5_ib]
[ 347.618025] __mlx5_ib_add+0x96/0xd0 [mlx5_ib]
[ 347.618539] mlx5r_probe+0xe9/0x310 [mlx5_ib]
[ 347.619032] ? kernfs_add_one+0x107/0x150
[ 347.619478] ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]
[ 347.619984] auxiliary_bus_probe+0x3e/0x90
[ 347.620448] really_probe+0xc5/0x3a0
[ 347.620857] __driver_probe_device+0x80/0x160
[ 347.621325] driver_probe_device+0x1e/0x90
[ 347.621770] __driver_attach+0xec/0x1c0
[ 347.622213] ? __device_attach_driver+0x100/0x100
[ 347.622724] bus_for_each_dev+0x71/0xc0
[ 347.623151] bus_add_driver+0xed/0x240
[ 347.623570] driver_register+0x58/0x100
[ 347.623998] __auxiliary_driver_register+0x6a/0xc0
[ 347.624499] ? driver_register+0xae/0x100
[ 347.624940] ? 0xffffffffa0893000
[ 347.625329] mlx5_ib_init+0x16a/0x1e0 [mlx5_ib]
[ 347.625845] do_one_initcall+0x4a/0x2a0
[ 347.626273] ? gcov_event+0x2e2/0x3a0
[ 347.626706] do_init_module+0x8a/0x260
[ 347.627126] init_module_from_file+0x8b/0xd0
[ 347.627596] __x64_sys_finit_module+0x1ca/0x2f0
[ 347.628089] do_syscall_64+0x4c/0x100

AI-Powered Analysis

Last updated: 06/28/2025, 19:40:31 UTC

Technical Analysis

CVE-2024-47694 is a vulnerability identified in the Linux kernel, specifically within the InfiniBand (IB) mlx5 driver subsystem responsible for managing Mellanox ConnectX-5 and newer network adapters. The issue arises from improper handling of protection domain (pd) cleanup during error flows in the driver initialization process. The vulnerability is due to a NULL pointer dereference when the pd pointer is not properly checked before being accessed in the mlx5r_umr_cleanup() function. This improper check leads to a kernel panic, causing a denial of service (DoS) condition. The root cause stems from a flawed fix in a previous commit that moved pd allocation to a new cleanup function but failed to handle the NULL pointer scenario correctly. The kernel panic is triggered during the deallocation of user protection domains (ib_dealloc_pd_user) when the driver attempts to register the device but encounters an error, leading to a NULL pointer dereference and subsequent system crash. The stack trace indicates the panic occurs in kernel mode with supervisor read access violations, highlighting the severity of the fault. This vulnerability affects Linux kernel versions containing the mlx5 InfiniBand driver and is relevant for systems utilizing RDMA (Remote Direct Memory Access) over InfiniBand or RoCE (RDMA over Converged Ethernet) technologies. Although no known exploits are currently reported in the wild, the vulnerability can cause system instability and denial of service, particularly impacting high-performance computing environments, data centers, and enterprise networks relying on InfiniBand hardware for low-latency, high-throughput communications. The fix involves adding a NULL pointer check before accessing the pd pointer to prevent kernel panic during error handling in driver initialization.
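To make the failure mode concrete, here is an added, hypothetical C model of the staged probe/unwind pattern the analysis describes; it is not the kernel's code or the advisory's. The stand-in names (umr_dev, model_alloc_pd, model_dealloc_pd, umr_probe, umr_selftest) are assumptions; the point shown is that a cleanup routine reached from every error path must tolerate a protection domain that was never allocated.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the staged init and UMR cleanup the advisory describes;
 * names and structures are illustrative, not the kernel's own. */
struct ib_pd { int id; };
struct umr_dev {
    struct ib_pd *pd;            /* UMR protection domain; NULL until allocated */
    int pd_allocs, pd_deallocs;  /* counters so a test can observe what ran */
};
/* Stand-in for ib_alloc_pd(). */
static struct ib_pd *model_alloc_pd(struct umr_dev *dev) {
    struct ib_pd *pd = malloc(sizeof *pd);
    if (pd) { pd->id = 1; dev->pd_allocs++; }
    return pd;
}
/* Stand-in for ib_dealloc_pd_user(): like the real one it dereferences pd
 * unconditionally, so the caller must guard against NULL. */
static void model_dealloc_pd(struct umr_dev *dev, struct ib_pd *pd) {
    pd->id = 0;
    free(pd);
    dev->pd_deallocs++;
}
/* Cleanup with the fix applied. Without the NULL check this is the function
 * (mlx5r_umr_cleanup in the trace) that panics on the error flow. */
static void umr_cleanup(struct umr_dev *dev) {
    if (!dev->pd) return;
    model_dealloc_pd(dev, dev->pd);
    dev->pd = NULL;
}
/* Two-stage probe: register the device, then allocate pd. Every failure unwinds
 * through umr_cleanup(), so a registration failure reaches it with pd == NULL. */
static int umr_probe(struct umr_dev *dev, int fail_register) {
    memset(dev, 0, sizeof *dev);
    if (fail_register) goto err;     /* "Couldn't register device with driver model" */
    dev->pd = model_alloc_pd(dev);
    if (!dev->pd) goto err;
    return 0;
err:
    umr_cleanup(dev);                /* must tolerate dev->pd == NULL */
    return -1;
}
/* Exercises the error path and the success path; returns 0 when all hold. */
static int umr_selftest(void) {
    struct umr_dev d;
    if (umr_probe(&d, 1) != -1 || d.pd || d.pd_allocs || d.pd_deallocs) return 1;
    if (umr_probe(&d, 0) != 0 || !d.pd || d.pd_allocs != 1) return 2;
    umr_cleanup(&d);
    umr_cleanup(&d);                 /* repeat is a no-op, not a double free */
    return (d.pd_deallocs == 1 && !d.pd) ? 0 : 3;
}
```

Removing the NULL check in umr_cleanup() reproduces the shape of the crash: the registration-failure path dereferences a NULL pd inside the dealloc stand-in.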

Potential Impact

For European organizations, especially those operating in sectors such as telecommunications, finance, research institutions, and cloud service providers, this vulnerability poses a risk of denial of service on critical infrastructure running Linux kernels with affected mlx5 InfiniBand drivers. InfiniBand is widely used in high-performance computing clusters and data centers across Europe, including in countries with advanced research facilities and financial hubs. A successful exploitation or accidental triggering of this vulnerability could lead to unexpected system crashes, disrupting services, causing downtime, and potentially impacting data integrity if systems are abruptly halted. Although the vulnerability does not directly lead to privilege escalation or remote code execution, the denial of service impact on critical systems can have cascading effects on business continuity and operational reliability. Additionally, organizations using RDMA technologies for storage or network acceleration could experience degraded performance or outages. The lack of known exploits reduces immediate risk, but the presence of a kernel panic vulnerability in a core driver necessitates prompt attention to avoid inadvertent disruptions.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel versions to include the patch that properly checks the pd pointer before cleanup to prevent kernel panics. Since the vulnerability is in the mlx5 InfiniBand driver, organizations should:

1) Audit their infrastructure to identify systems using InfiniBand hardware with mlx5 drivers.
2) Apply vendor-provided kernel updates or patches as soon as they become available.
3) For environments where immediate patching is not feasible, consider temporarily disabling the mlx5 InfiniBand driver or restricting access to affected systems to reduce risk.
4) Implement robust monitoring for kernel panics and system crashes related to InfiniBand devices to detect potential exploitation or accidental triggers.
5) Engage with hardware vendors and Linux distribution maintainers to ensure timely receipt of fixes and advisories.
6) Test patches in staging environments to validate stability before production deployment, given the critical nature of kernel-level changes.
7) Maintain comprehensive backups and disaster recovery plans to mitigate the impact of unexpected downtime caused by this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-30T16:00:12.942Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbe0515

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 7:40:31 PM

Last updated: 7/26/2025, 10:49:05 AM

