CVE-2024-26762 (GCVE-0-2024-26762)

Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2025-05-04 08:55
VLAI?
Title
cxl/pci: Skip to handle RAS errors if CXL.mem device is detached
Summary
In the Linux kernel, the following vulnerability has been resolved: cxl/pci: Skip to handle RAS errors if CXL.mem device is detached The PCI AER model is an awkward fit for CXL error handling. While the expectation is that a PCI device can escalate to link reset to recover from an AER event, the same reset on CXL amounts to a surprise memory hotplug of massive amounts of memory. At present, the CXL error handler attempts some optimistic error handling to unbind the device from the cxl_mem driver after reaping some RAS register values. This results in a "hopeful" attempt to unplug the memory, but there is no guarantee that will succeed. A subsequent AER notification after the memdev unbind event can no longer assume the registers are mapped. Check for memdev bind before reaping status register values to avoid crashes of the form: BUG: unable to handle page fault for address: ffa00000195e9100 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page [...] RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core] [...] Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x160 ? kernelmode_fixup_or_oops+0x84/0x110 ? exc_page_fault+0x113/0x170 ? asm_exc_page_fault+0x26/0x30 ? __pfx_dpc_reset_link+0x10/0x10 ? __cxl_handle_ras+0x30/0x110 [cxl_core] ? find_cxl_port+0x59/0x80 [cxl_core] cxl_handle_rp_ras+0xbc/0xd0 [cxl_core] cxl_error_detected+0x6c/0xf0 [cxl_core] report_error_detected+0xc7/0x1c0 pci_walk_bus+0x73/0x90 pcie_do_recovery+0x23f/0x330 Longer term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might need to be replaced with a new PCI_ERS_RESULT_PANIC.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab , < 21e5e84f3f63fdf44e49642a6e45cd895e921a84 (git)
Affected: 6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab , < eef5c7b28dbecd6b141987a96db6c54e49828102 (git)
Create a notification for this product.
    Linux Linux Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.7.7 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-05T18:38:38.263308Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:18.559Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:14:13.382Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/cxl/core/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "21e5e84f3f63fdf44e49642a6e45cd895e921a84",
              "status": "affected",
              "version": "6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab",
              "versionType": "git"
            },
            {
              "lessThan": "eef5c7b28dbecd6b141987a96db6c54e49828102",
              "status": "affected",
              "version": "6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/cxl/core/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.7",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Skip to handle RAS errors if CXL.mem device is detached\n\nThe PCI AER model is an awkward fit for CXL error handling. While the\nexpectation is that a PCI device can escalate to link reset to recover\nfrom an AER event, the same reset on CXL amounts to a surprise memory\nhotplug of massive amounts of memory.\n\nAt present, the CXL error handler attempts some optimistic error\nhandling to unbind the device from the cxl_mem driver after reaping some\nRAS register values. This results in a \"hopeful\" attempt to unplug the\nmemory, but there is no guarantee that will succeed.\n\nA subsequent AER notification after the memdev unbind event can no\nlonger assume the registers are mapped. Check for memdev bind before\nreaping status register values to avoid crashes of the form:\n\n BUG: unable to handle page fault for address: ffa00000195e9100\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n [...]\n RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]\n [...]\n Call Trace:\n  \u003cTASK\u003e\n  ? __die+0x24/0x70\n  ? page_fault_oops+0x82/0x160\n  ? kernelmode_fixup_or_oops+0x84/0x110\n  ? exc_page_fault+0x113/0x170\n  ? asm_exc_page_fault+0x26/0x30\n  ? __pfx_dpc_reset_link+0x10/0x10\n  ? __cxl_handle_ras+0x30/0x110 [cxl_core]\n  ? find_cxl_port+0x59/0x80 [cxl_core]\n  cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]\n  cxl_error_detected+0x6c/0xf0 [cxl_core]\n  report_error_detected+0xc7/0x1c0\n  pci_walk_bus+0x73/0x90\n  pcie_do_recovery+0x23f/0x330\n\nLonger term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might\nneed to be replaced with a new PCI_ERS_RESULT_PANIC."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:55:56.122Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84"
        },
        {
          "url": "https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102"
        }
      ],
      "title": "cxl/pci: Skip to handle RAS errors if CXL.mem device is detached",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26762",
    "datePublished": "2024-04-03T17:00:45.655Z",
    "dateReserved": "2024-02-19T14:20:24.172Z",
    "dateUpdated": "2025-05-04T08:55:56.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:14:13.382Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26762\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-05T18:38:38.263308Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:22.318Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"cxl/pci: Skip to handle RAS errors if CXL.mem device is detached\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab\", \"lessThan\": \"21e5e84f3f63fdf44e49642a6e45cd895e921a84\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6ac07883dbb5f60f7bc56a13b7a84a382aa9c1ab\", \"lessThan\": \"eef5c7b28dbecd6b141987a96db6c54e49828102\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/cxl/core/pci.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.7\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.7\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.7.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/cxl/core/pci.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84\"}, {\"url\": \"https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ncxl/pci: Skip to handle RAS errors if CXL.mem device is detached\\n\\nThe PCI AER model is an awkward fit for CXL error handling. While the\\nexpectation is that a PCI device can escalate to link reset to recover\\nfrom an AER event, the same reset on CXL amounts to a surprise memory\\nhotplug of massive amounts of memory.\\n\\nAt present, the CXL error handler attempts some optimistic error\\nhandling to unbind the device from the cxl_mem driver after reaping some\\nRAS register values. This results in a \\\"hopeful\\\" attempt to unplug the\\nmemory, but there is no guarantee that will succeed.\\n\\nA subsequent AER notification after the memdev unbind event can no\\nlonger assume the registers are mapped. Check for memdev bind before\\nreaping status register values to avoid crashes of the form:\\n\\n BUG: unable to handle page fault for address: ffa00000195e9100\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n [...]\\n RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]\\n [...]\\n Call Trace:\\n  \u003cTASK\u003e\\n  ? __die+0x24/0x70\\n  ? page_fault_oops+0x82/0x160\\n  ? kernelmode_fixup_or_oops+0x84/0x110\\n  ? exc_page_fault+0x113/0x170\\n  ? asm_exc_page_fault+0x26/0x30\\n  ? __pfx_dpc_reset_link+0x10/0x10\\n  ? __cxl_handle_ras+0x30/0x110 [cxl_core]\\n  ? find_cxl_port+0x59/0x80 [cxl_core]\\n  cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]\\n  cxl_error_detected+0x6c/0xf0 [cxl_core]\\n  report_error_detected+0xc7/0x1c0\\n  pci_walk_bus+0x73/0x90\\n  pcie_do_recovery+0x23f/0x330\\n\\nLonger term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might\\nneed to be replaced with a new PCI_ERS_RESULT_PANIC.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.7\", \"versionStartIncluding\": \"6.7\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\", \"versionStartIncluding\": \"6.7\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T08:55:56.122Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-26762\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T08:55:56.122Z\", \"dateReserved\": \"2024-02-19T14:20:24.172Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-04-03T17:00:45.655Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.