CVE-2024-35959: net/mlx5e: Fix mlx5e_priv_init() cleanup flow

Published May 20, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix mlx5eprivinit() cleanup flow

The Linux kernel CVE team has assigned CVE-2024-35959 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024052019-CVE-2024-35959-6e06@gregkh/T

Other sources

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix mlx5eprivinit() cleanup flow

When mlx5eprivinit() fails, the cleanup flow calls mlx5eselqcleanup which calls mlx5eselqapply() that assures that the priv->statelock is held using lockdepisheld().

Acquire the statelock in mlx5eselqcleanup().

Kernel log: ============================= WARNING: suspicious RCU usage 6.8.0-rc3netnext841a9b5 #1 Not tainted ----------------------------- drivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcudereferenceprotected() usage!

other info that might help us debug this:

rcuscheduleractive = 2, debuglocks = 1 2 locks held by systemd-modules/293: #0: ffffffffa05067b0 (devicesrwsem){++++}-{3:3}, at: ibregisterclient+0x109/0x1b0 [ibcore] #1: ffff8881096c65c0 (&device->clientdatarwsem){++++}-{3:3}, at: addclientcontext+0x104/0x1c0 [ibcore]

stack backtrace: CPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3netnext841a9b5 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x8a/0xa0 lockdeprcususpicious+0x154/0x1a0 mlx5eselqapply+0x94/0xa0 [mlx5core] mlx5eselqcleanup+0x3a/0x60 [mlx5core] mlx5eprivinit+0x2be/0x2f0 [mlx5core] mlx5rdmasetuprn+0x7c/0x1a0 [mlx5core] rdmainitnetdev+0x4e/0x80 [ibcore] ? mlx5rdmanetdevfree+0x70/0x70 [mlx5core] ipoibintfinit+0x64/0x550 [ibipoib] ipoibintfalloc+0x4e/0xc0 [ibipoib] ipoibaddone+0xb0/0x360 [ibipoib] addclientcontext+0x112/0x1c0 [ibcore] ibregisterclient+0x166/0x1b0 [ibcore] ? 0xffffffffa0573000 ipoibinitmodule+0xeb/0x1a0 [ibipoib] dooneinitcall+0x61/0x250 doinitmodule+0x8a/0x270 initmodulefromfile+0x8b/0xd0 idempotentinitmodule+0x17d/0x230 x64sysfinitmodule+0x61/0xb0 dosyscall64+0x71/0x140 entrySYSCALL64afterhwframe+0x46/0x4e </TASK>

NVD

Linux Kernel is vulnerable to a denial of service, caused by a flaw in the mlx5eprivinit() cleanup flow. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.

IBM

Affected Software

15 affected componentsFixes available
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.22-16.12.25-1
redhat/kernel<6.1.87
6.1.87
redhat/kernel<6.6.28
6.6.28
redhat/kernel<6.8.7
6.8.7
redhat/kernel<6.9
6.9
Linux Linux kernel>=5.18<6.1.87
Linux Linux kernel>=6.2<6.6.28
Linux Linux kernel>=6.7<6.8.7
Linux Linux kernel=6.9-rc1
Linux Linux kernel=6.9-rc2
Linux Linux kernel=6.9-rc3

Remediation

Patch Available

https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7

Patch Available

https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76

Patch Available

https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519

Patch Available

https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3

Event History

May 20, 2024
CVE Published
via MITRE·09:41 AM
Data Sourced
via MITRE·09:41 AM
Description
Data Sourced
via NVD·10:15 AM
Description
Data Sourced
via NVD·10:15 AM
RemedySeverityWeaknessAffected Software
Data Sourced
via Red Hat·05:05 PM
DescriptionSeverityAffected Software
Jul 11, 2024
Data Sourced
via Launchpad·07:47 PM
Description
Apr 27, 2025
Data Sourced
via Ubuntu·12:23 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-35959?

CVE-2024-35959 has a medium severity rating as it involves a cleanup flow issue in the Linux kernel.

2

How do I fix CVE-2024-35959?

To fix CVE-2024-35959, upgrade to the latest kernel versions such as 6.1.87, 6.6.28, 6.8.7, 6.9, or specific Debian Linux versions listed in the advisory.

3

What versions are affected by CVE-2024-35959?

CVE-2024-35959 affects multiple kernel versions, specifically those prior to 6.1.87, 6.6.28, 6.8.7, and 6.9.

4

Who is impacted by CVE-2024-35959?

Users and systems running the affected versions of the Linux kernel on Red Hat or Debian distributions may be impacted by CVE-2024-35959.

5

What component is affected by CVE-2024-35959?

CVE-2024-35959 affects the net/mlx5e component within the Linux kernel.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203