CVE-2024-50296: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

net: hns3: fix kernel crash when uninstalling driver

When the driver is uninstalled and the VF is disabled concurrently, a kernel crash occurs. The reason is that the two actions both call the function pci_disable_sriov(). num_VFs is checked to determine whether to release the corresponding resources. During the second call, num_VFs is not 0 and the resource release function is called. However, the corresponding resource has already been released during the first invocation. Therefore, the problem occurs:

[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
[15278.131557][T50670] Call trace:
[15278.134686][T50670]  klist_put+0x28/0x12c
[15278.138682][T50670]  klist_del+0x14/0x20
[15278.142592][T50670]  device_del+0xbc/0x3c0
[15278.146676][T50670]  pci_remove_bus_device+0x84/0x120
[15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80
[15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c
[15278.162485][T50670]  sriov_disable+0x50/0x11c
[15278.166829][T50670]  pci_disable_sriov+0x24/0x30
[15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
[15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]
[15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230
[15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30
[15278.193848][T50670]  invoke_syscall+0x50/0x11c
[15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164
[15278.203837][T50670]  do_el0_svc+0x34/0xcc
[15278.207834][T50670]  el0_svc+0x20/0x30

For details, see the following figure.

    rmmod hclge                      disable VFs
    ----------------------------------------------------
    hclge_exit()                     sriov_numvfs_store()
      ...                              device_lock()
      pci_disable_sriov()              hns3_pci_sriov_configure()
                                         pci_disable_sriov()
        sriov_disable()                    sriov_disable()
          if !num_VFs :                      if !num_VFs :
            return;                            return;
          sriov_del_vfs()                    sriov_del_vfs()
            ...                                ...
            klist_put()                        klist_put()
            ...                                ...
          num_VFs = 0;                       num_VFs = 0;
                                       device_unlock();

In this patch, when the driver is being removed, we take device_lock() to protect num_VFs, just like sriov_numvfs_store().
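To make the interleaving in the figure concrete, here is a small deterministic model written for this page (an added example, not kernel code): two callers step through the check / release / clear sequence of pci_disable_sriov(), and the use_lock flag models hclge_exit() taking device_lock() the way sriov_numvfs_store() already does. The struct, step and schedule names are the model's own, and the VF resources are constructed heap blocks standing in for the real VF devices.

```c
/* Deterministic model of the CVE-2024-50296 race (added example, not kernel code).
 * Two callers share a pci_disable_sriov()-like path: check num_VFs, release the
 * per-VF resources, then set num_VFs = 0. A caller that runs with use_lock = 1
 * models hclge_exit() taking device_lock(), as sriov_numvfs_store() already does. */
#include <stdlib.h>

#define MAX_VFS 4
struct iov { int num_VFs; char *vf[MAX_VFS]; int locked; };   /* locked models device_lock() */
enum step { CHECK, DEL_VFS, CLEAR, DONE };
struct caller { enum step st; int use_lock; int holds_lock; };

/* Advance one caller by one step. Returns 1 if it touches an already-released VF
 * (the NULL dereference in the report), 0 otherwise. A locked-out caller waits. */
static int run_step(struct iov *iov, struct caller *c) {
    switch (c->st) {
    case CHECK:
        if (c->use_lock) {
            if (iov->locked && !c->holds_lock) return 0;   /* wait for device_unlock() */
            iov->locked = 1; c->holds_lock = 1;
        }
        c->st = iov->num_VFs ? DEL_VFS : DONE;             /* "if !num_VFs: return;" */
        break;
    case DEL_VFS:                                          /* sriov_del_vfs() */
        for (int i = 0; i < iov->num_VFs; i++) {
            if (!iov->vf[i]) return 1;                     /* released by the other caller */
            free(iov->vf[i]); iov->vf[i] = NULL;
        }
        c->st = CLEAR; break;
    case CLEAR:  iov->num_VFs = 0; c->st = DONE; break;    /* num_VFs = 0; */
    case DONE:   break;
    }
    if (c->st == DONE && c->holds_lock) { iov->locked = 0; c->holds_lock = 0; }
    return 0;
}

/* Run a schedule (which caller, 0 or 1, steps next); 1 means a double release happened. */
static int simulate(int use_lock, const int *schedule, int n) {
    struct iov iov = { .num_VFs = MAX_VFS, .locked = 0 };
    struct caller c[2] = { { CHECK, use_lock, 0 }, { CHECK, use_lock, 0 } };
    for (int i = 0; i < MAX_VFS; i++) iov.vf[i] = malloc(16);   /* constructed VF resources */
    int crashed = 0;
    for (int i = 0; i < n && !crashed; i++) crashed = run_step(&iov, &c[schedule[i]]);
    for (int i = 0; i < MAX_VFS; i++) free(iov.vf[i]);          /* free(NULL) is a no-op */
    return crashed;
}

static const int kInterleaved[] = { 0, 1, 0, 1, 0, 1, 0, 1 }; /* rmmod and "disable VFs" overlap */
static const int kSerial[]      = { 0, 0, 0, 1, 1, 1 };       /* one finishes before the other */
int concurrent_disable(int use_lock) { return simulate(use_lock, kInterleaved, 8); }
int serial_disable(int use_lock)     { return simulate(use_lock, kSerial, 6); }
```

concurrent_disable(0) reproduces the figure: both callers pass the num_VFs check before either clears it, so the second one walks VFs the first has already released; with use_lock = 1 the second caller blocks until device_unlock(), then sees num_VFs == 0 and returns.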
AI Analysis
Technical Summary
CVE-2024-50296 is a vulnerability in the Linux kernel affecting the hns3 network driver, specifically related to the handling of Single Root I/O Virtualization (SR-IOV) Virtual Functions (VFs). The issue arises when the driver is uninstalled while VFs are being disabled concurrently. Both operations invoke the pci_disable_sriov() function, which manages the release of resources associated with VFs. The vulnerability stems from a race condition where the num_VFs counter is checked to determine if resources should be released. During the first call, resources are correctly released and num_VFs is set to zero. However, a second concurrent call sees num_VFs as non-zero and attempts to release resources that have already been freed, leading to a kernel NULL pointer dereference and subsequent crash. The crash trace shows the fault occurs in kernel functions related to device removal and SR-IOV management, such as klist_put(), device_del(), pci_remove_bus_device(), and sriov_disable(). The root cause is a lack of proper synchronization around num_VFs during driver removal and VF disabling. The patch fixes this by acquiring device_lock() during driver removal to protect num_VFs, ensuring serialized access similar to the existing sriov_numvfs_store() function. This prevents double freeing of resources and kernel crashes. The vulnerability affects multiple Linux kernel versions identified by specific commit hashes. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The issue is critical for systems using the hns3 driver with SR-IOV enabled, as it can cause kernel crashes and potential denial of service during driver uninstall or VF management operations.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to data centers, cloud providers, and enterprises using Linux servers with network interface cards (NICs) that utilize the hns3 driver and SR-IOV technology. SR-IOV is commonly used in virtualized environments to improve network performance by allowing VMs direct access to physical NIC resources. A kernel crash triggered by this vulnerability can lead to denial of service, disrupting critical services and workloads. This is particularly impactful for industries relying on high availability such as finance, telecommunications, healthcare, and public sector infrastructure. Additionally, repeated crashes could cause data corruption or complicate incident response. Although exploitation requires driver uninstall or VF disable operations, these actions may be part of routine maintenance or automated orchestration, increasing the risk of accidental triggering. The vulnerability does not appear to allow privilege escalation or remote code execution directly, but the resulting instability can be leveraged in multi-tenant environments to disrupt other tenants or services. European organizations with large-scale Linux deployments, especially those using advanced networking features, should consider this a significant operational risk.
Mitigation Recommendations
To mitigate CVE-2024-50296, organizations should:
1) Apply the official Linux kernel patch that introduces device_lock() protection around num_VFs during driver removal, ensuring serialized access and preventing double resource release.
2) Update Linux kernels to versions that include this fix as soon as they become available from trusted distributors.
3) Avoid uninstalling the hns3 driver or disabling VFs concurrently until patched kernels are deployed.
4) Implement operational controls to serialize driver removal and VF disable operations, preventing the concurrent execution that triggers the race condition.
5) Monitor kernel logs for NULL pointer dereferences or crashes related to pci_disable_sriov() and hns3 driver activity.
6) In virtualized environments, coordinate maintenance windows to minimize impact and ensure that orchestration tools handle driver and VF operations sequentially.
7) Engage with hardware vendors to confirm NIC firmware compatibility and driver updates.
8) Consider fallback or redundancy strategies to maintain service availability during patch deployment or if crashes occur.
These steps focus on concurrency control, operational procedures, and proactive monitoring specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.986Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdcfc7
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 10:11:29 PM
Last updated: 8/15/2025, 6:23:39 AM