CVE-2024-47735 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled

Fix missuse of spin_lock_irq()/spin_unlock_irq() when spin_lock_irqsave()/spin_lock_irqrestore() was hold.

This was discovered through the lock debugging, and the corresponding log is as follows:

raw_local_irq_restore() called with IRQs enabled WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40 ... Call trace: warn_bogus_irq_restore+0x30/0x40 _raw_spin_unlock_irqrestore+0x84/0xc8 add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]
hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]
hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]
create_qp+0x138/0x258 ib_create_qp_kernel+0x50/0xe8 create_mad_qp+0xa8/0x128 ib_mad_port_open+0x218/0x448 ib_mad_init_device+0x70/0x1f8 add_client_context+0xfc/0x220 enable_device_and_get+0xd0/0x140 ib_register_device.part.0+0xf4/0x1c8 ib_register_device+0x34/0x50 hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]
hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]
__hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]
hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability identified as CVE-2024-47735 affects the Linux kernel's RDMA implementation, specifically within the hns_roce_hw_v2 driver used for Huawei Networking Solutions RoCE (RDMA over Converged Ethernet) hardware. This issue stems from improper handling of interrupt state management during spin lock operations, creating a potential for system instability and security implications. The flaw manifests when spin_lock_irqsave() and spin_lock_irqrestore() functions are used inappropriately alongside spin_lock_irq() and spin_unlock_irq() functions, leading to a mismatch in interrupt state preservation that violates kernel locking semantics.

The technical root cause lies in the incorrect usage pattern of kernel locking primitives where spin_lock_irqsave() is acquired to save the interrupt state and disable interrupts, but spin_unlock_irq() is subsequently called instead of spin_unlock_irqrestore(). This creates a scenario where the kernel's interrupt flag debugging mechanism detects that interrupts are being re-enabled when they should remain disabled, triggering the warning message "raw_local_irq_restore() called with IRQs enabled". The call trace demonstrates this issue originates from the add_qp_to_list function within the hns_roce_hw_v2 module, propagating through the RDMA device initialization and QP (Queue Pair) creation process, ultimately reaching the ib_mad_port_open function that handles MAD (Management Datagram) port operations.

This vulnerability presents significant operational risks to systems utilizing Huawei RDMA hardware, particularly in high-performance computing and data center environments where interrupt handling and locking correctness are critical for system stability. The improper interrupt state management could lead to race conditions, data corruption, or potential privilege escalation scenarios where malicious actors might exploit the inconsistent locking behavior to gain unauthorized access to kernel memory or disrupt system operations. The issue directly relates to CWE-691, which addresses inadequate locking mechanisms and improper interrupt state management in kernel code, and aligns with ATT&CK technique T1068, which covers local privilege escalation through kernel vulnerabilities.

Mitigation strategies should focus on applying the kernel patch that corrects the spin lock usage pattern by ensuring that spin_lock_irqsave() is paired with spin_unlock_irqrestore() and spin_lock_irq() is paired with spin_unlock_irq() respectively. System administrators should prioritize updating the Linux kernel to versions containing the fix, particularly in production environments running Huawei RDMA hardware. Additionally, monitoring for kernel warnings related to interrupt state management and implementing proper logging of such events can help detect potential exploitation attempts. Organizations should also consider implementing runtime protections such as kernel lockdown modes and ensuring that only trusted code can access RDMA device interfaces to minimize the attack surface. Regular security assessments of kernel modules and hardware drivers should be conducted to identify similar improper locking patterns that could lead to similar vulnerabilities in the future.

Responsible

Linux

Reservation

09/30/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00189

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!