Bug 2298411 (CVE-2024-41010) - CVE-2024-41010 kernel: bpf: Fix too early release of tcx_entry
Summary: CVE-2024-41010 kernel: bpf: Fix too early release of tcx_entry
Keywords:
Status: NEW
Alias: CVE-2024-41010
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2314657
Blocks:
Reported: 2024-07-17 07:10 UTC by Mauro Matteo Cascella
Modified: 2025-05-13 08:24 UTC

Fixed In Version: kernel 6.10
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2025:6966 | 0 | None | None | None | 2025-05-13 08:24:49 UTC

Description Mauro Matteo Cascella 2024-07-17 07:10:03 UTC
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix too early release of tcx_entry

The Linux kernel CVE team has assigned CVE-2024-41010 to this issue.

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024071718-CVE-2024-41010-9042@gregkh/T

Comment 7 mchtech 2025-02-10 12:08:39 UTC
I've encountered this problem on 5.14.0-427.42.1.el9_4.x86_64. The details are as follows:


[3968751.616952] BUG: unable to handle page fault for address: 0000051400000129
[3968751.617131] #PF: supervisor write access in kernel mode
[3968751.617263] #PF: error_code(0x0002) - not-present page
[3968751.617391] PGD 0 P4D 0
[3968751.617508] Oops: 0002 [#1] PREEMPT SMP NOPTI
[3968751.617651] CPU: 4 PID: 3011509 Comm: terway Kdump: loaded Tainted: G        W      X  -------  ---  5.14.0-427.42.1.el9_4.x86_64 #1
[3968751.617972] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014
[3968751.618154] RIP: 0010:mini_qdisc_pair_swap+0x4b/0x70
[3968751.618325] Code: 48 89 f5 4c 0f 45 e7 49 8b 7c 24 20 e8 7e 80 74 ff 84 c0 74 24 49 89 2c 24 48 8b 43 50 4c 89 20 4d 85 ed 74 09 e8 e5 91 74 ff <49> 89 45 20 5b 5d 41 5c 41 5d c3 cc cc cc cc e8 d1 03 75 ff eb d5
[3968751.618747] RSP: 0018:ffffada3497676c0 EFLAGS: 00010202
[3968751.618939] RAX: 0000000021285f34 RBX: ffff926ac0c9a588 RCX: ffff926ac0c9a5a8
[3968751.619147] RDX: 000000002127de4d RSI: 0000000000000246 RDI: ffffffffa7be9e00
[3968751.619358] RBP: ffff926a02158380 R08: 0000000000000000 R09: ffffffffa7be9fc8
[3968751.619576] R10: 0000000000000001 R11: 0000000000000000 R12: ffff926a4c2ce000
[3968751.619790] R13: 0000051400000109 R14: ffff926ac0c9a588 R15: ffffada3497677e8
[3968751.620007] FS:  000000c000082490(0000) GS:ffff9270a0b00000(0000) knlGS:0000000000000000
[3968751.620238] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[3968751.620453] CR2: 0000051400000129 CR3: 0000000178840002 CR4: 00000000007706e0
[3968751.620688] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[3968751.620918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[3968751.621151] PKRU: 55555554
[3968751.621354] Call Trace:
[3968751.621559]  <TASK>
[3968751.621760]  ? show_trace_log_lvl+0x1c4/0x2df
[3968751.621978]  ? show_trace_log_lvl+0x1c4/0x2df
[3968751.622196]  ? tcf_chain0_head_change_cb_del+0x6e/0xe0
[3968751.622420]  ? __die_body.cold+0x8/0xd
[3968751.622640]  ? page_fault_oops+0x134/0x170
[3968751.622861]  ? psi_group_change+0x47/0x300
[3968751.623083]  ? exc_page_fault+0x62/0x150
[3968751.623306]  ? asm_exc_page_fault+0x22/0x30
[3968751.623532]  ? mini_qdisc_pair_swap+0x4b/0x70
[3968751.623756]  tcf_chain0_head_change_cb_del+0x6e/0xe0
[3968751.623988]  tcf_block_put_ext.part.0+0x1d/0xa0
[3968751.624224]  ingress_destroy+0x36/0x160 [sch_ingress]
[3968751.624463]  __qdisc_destroy+0x3b/0xc0
[3968751.624695]  dev_shutdown+0x7a/0xb0
[3968751.624924]  unregister_netdevice_many+0x1e5/0x670
[3968751.625166]  rtnl_dellink+0x13e/0x370
[3968751.625405]  ? __kmem_cache_alloc_node+0x1c7/0x2d0
[3968751.625664]  ? __alloc_skb+0x8e/0x1d0
[3968751.625906]  ? __alloc_skb+0x8e/0x1d0
[3968751.626146]  ? security_capable+0x33/0x60
[3968751.626392]  rtnetlink_rcv_msg+0x159/0x3d0
[3968751.626644]  ? skb_queue_tail+0x1b/0x50
[3968751.626892]  ? sock_def_readable+0x10/0xc0
[3968751.627138]  ? __netlink_sendskb+0x64/0x90
[3968751.627381]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[3968751.627631]  netlink_rcv_skb+0x54/0x100
[3968751.627871]  netlink_unicast+0x23b/0x360
[3968751.628109]  netlink_sendmsg+0x24c/0x4c0
[3968751.628340]  __sys_sendto+0x1dc/0x1f0
[3968751.628569]  ? sock_set_timeout+0x2f/0xf0
[3968751.628789]  ? release_sock+0x19/0x90
[3968751.629001]  __x64_sys_sendto+0x20/0x30
[3968751.629210]  do_syscall_64+0x59/0x90
[3968751.629409]  ? __fget_light+0x9f/0x130
[3968751.629607]  ? __sys_setsockopt+0x112/0x1d0
[3968751.629803]  ? syscall_exit_work+0x103/0x130
[3968751.629997]  ? syscall_exit_to_user_mode+0x19/0x40
[3968751.630195]  ? do_syscall_64+0x69/0x90
[3968751.630384]  ? syscall_exit_work+0x103/0x130
[3968751.630580]  ? syscall_exit_to_user_mode+0x19/0x40
[3968751.630772]  ? do_syscall_64+0x69/0x90
[3968751.630952]  ? exc_page_fault+0x62/0x150
[3968751.631131]  entry_SYSCALL_64_after_hwframe+0x77/0xe1
[3968751.631320] RIP: 0033:0x40720e
[3968751.631524] Code: 48 83 ec 38 e8 13 00 00 00 48 83 c4 38 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48
[3968751.631979] RSP: 002b:000000c0004e9818 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[3968751.632208] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 000000000040720e
[3968751.632434] RDX: 0000000000000020 RSI: 000000c00033a800 RDI: 000000000000000c
[3968751.632669] RBP: 000000c0004e9858 R08: 000000c00033f150 R09: 000000000000000c
[3968751.632898] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[3968751.633125] R13: 000000c000082400 R14: 000000c000102340 R15: 000000000000000e
[3968751.633354]  </TASK>
[3968751.633552] Modules linked in: vhost_net tap tun vhost_vsock vmw_vsock_virtio_transport_common vhost vhost_iotlb vsock dm_crypt dm_mod rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache netfs loop tls xt_CT act_mirred act_skbedit act_tunnel_key ipvlan cls_u32 sch_prio cls_bpf sch_ingress veth xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_filter ip6table_raw ip6table_mangle ip6_tables iptable_filter iptable_raw iptable_mangle iptable_nat ip_tables ip6t_REJECT nf_reject_ipv6 nf_conntrack_netlink ipt_REJECT nf_reject_ipv4 xt_MASQUERADE xt_mark xt_addrtype xt_set ip_set_hash_ip ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_bitmap_port nft_chain_nat nf_nat ip_vs_rr ip_set sch_htb xt_conntrack xt_comment nft_compat nft_counter ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables sch_fq dummy nfnetlink binfmt_misc rfkill vfat fat ext4 mbcache jbd2 intel_rapl_msr intel_rapl_common intel_uncore_frequency_common nfit libnvdimm cirrus
[3968751.633600]  intel_powerclamp drm_shmem_helper rapl drm_kms_helper syscopyarea sysfillrect pcspkr sysimgblt virtio_console virtio_balloon i2c_piix4 fb_sys_fops pvpanic_mmio pvpanic overlay drm xfs libcrc32c crct10dif_pclmul crc32_pclmul virtio_net crc32c_intel net_failover ghash_clmulni_intel virtio_blk failover serio_raw fuse [last unloaded: nf_tables]
[3968751.636935] CR2: 0000051400000129

Comment 8 errata-xmlrpc 2025-05-13 08:24:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:6966 https://access.redhat.com/errata/RHSA-2025:6966

