CVE-2024-57795 in Linux
Summary
by MITRE • 01/15/2025
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Remove the direct link to net_device
The similar patch in siw is in the link: https://git.kernel.org/rdma/rdma/c/16b87037b48889
This problem also occurred in RXE. The following analyzes this problem. In the following Call Traces:
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295

CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted 6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60
__ib_query_port drivers/infiniband/core/device.c:2111 [inline]
ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143
ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494
ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
"
1). In the link [1],
" infiniband syz2: set down "
This means that on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq.
2). In the link [1],
" team0 (unregistering): Port device team_slave_0 removed "
It indicates that before 843.251853, the net device should be freed.
3). In the link [1],
" BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 "
This means that on 850.559070, this slab-use-after-free problem occurred.
In all, on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq;
before 843.251853, the net device veth was freed;
on 850.559070, this event was executed, and the mentioned freed net device was called. Thus, the above call trace occurred.
[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000
Analysis
by VulDB Data Team • 03/08/2026
The vulnerability described in CVE-2024-57795 represents a critical use-after-free condition within the Linux kernel's RDMA/rxe subsystem, specifically affecting the interaction between the RXE (RDMA over Ethernet) driver and the underlying network device management. This flaw manifests when the kernel attempts to access a network device structure that has already been freed, leading to potential system instability and security risks. The issue arises from a direct link between the RDMA subsystem and the net_device structure that bypasses proper reference counting mechanisms. The vulnerability is particularly concerning as it occurs during the execution of kernel workqueue tasks, specifically within the ib_cache_event_task handler, where asynchronous cleanup operations collide with active network device access patterns. The call trace demonstrates a classic use-after-free scenario where dev_get_flags is called on a freed net_device structure, resulting in a KASAN (Kernel Address Sanitizer) detection of memory corruption. This type of vulnerability directly maps to CWE-416 (Use After Free) and can be categorized under ATT&CK technique T1059.006 (Windows Command Shell) in the context of potential exploitation pathways through kernel memory corruption.
The technical root cause of this vulnerability stems from improper synchronization between network device lifecycle management and RDMA subsystem operations. When a network device is unregistered and subsequently freed, the RXE driver still holds a pointer to the device structure in its internal data structures. The ib_cache_event_task workqueue function executes asynchronously and attempts to query port information using rxe_query_port, which in turn calls dev_get_flags on what is, by that point, a freed device. This race condition occurs because the RDMA subsystem does not account for the possibility that the referenced net_device may have been freed between the time the event was queued and the time it was executed. The kernel's network device management system uses reference counting to prevent such issues, but the direct linking mechanism in the RXE driver circumvents these safeguards. The vulnerability is particularly dangerous because it can lead to arbitrary code execution or system crashes when the freed memory is accessed, and the issue affects the core networking infrastructure of the kernel, making it a high-severity concern for systems relying on RDMA functionality.
The operational impact of this vulnerability extends beyond simple system instability, as it can compromise the integrity of RDMA-based network communications and potentially provide attackers with a means to escalate privileges within the kernel. Systems utilizing RXE drivers for high-performance networking, such as those in data centers or high-frequency trading environments, face significant risk from this flaw. The vulnerability is triggered during normal operation when network devices are being removed or reconfigured, making it difficult to predict or prevent in production environments. The use of KASAN detection indicates that this vulnerability was likely discovered through automated testing, specifically through fuzzing tools like syzkaller, which are designed to identify such memory safety issues. The timing of the events shows a clear temporal sequence where device removal occurs before the workqueue task execution, highlighting the need for proper synchronization primitives. This vulnerability affects the Linux kernel versions that include the affected RDMA/rxe driver components and represents a fundamental flaw in how the subsystem handles device lifecycle management, particularly in concurrent environments where asynchronous operations may outlive their referenced resources.
Mitigation strategies for this vulnerability must address the core synchronization issue within the RXE driver's handling of net_device references. The primary fix involves implementing proper reference counting or locking mechanisms that ensure net_device structures remain valid during RDMA operations that depend on them. Kernel patches should enforce that the RDMA subsystem checks whether referenced network devices are still valid before accessing their properties, rather than relying on direct links that bypass kernel safety mechanisms. Organizations should apply the upstream patches that resolve this issue, which typically involve modifying the rxe_query_port function to properly validate device references before querying their status. Additional mitigations include implementing proper device lifecycle management within the RDMA subsystem, ensuring that workqueue tasks are either canceled or deferred until device structures are guaranteed to remain valid. System administrators should monitor for any signs of memory corruption or system instability that might indicate exploitation attempts, particularly in environments where RDMA functionality is actively used. The vulnerability demonstrates the importance of proper kernel memory management and the need for comprehensive testing of asynchronous operations that interact with shared kernel resources, as such issues can have far-reaching consequences in production environments where reliability and security are paramount.
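The timeline in the summary (work queued at 839.35, netdev freed by 843.25, work executed at 850.56) and the mitigation described above (resolve the device and hold a reference instead of caching a raw pointer) can be replayed in a small user-space model. The following is an added example, not kernel code and not the upstream patch: struct net_device, struct rxe_dev, register_netdev, dev_get_by_index, dev_hold and dev_put are constructed stand-ins for the kernel objects and helpers the advisory names, the "freed" marker plays the role of KASAN's slab poison, and ERR_UAF is an invented return code representing a KASAN report. The pre-fix worker dereferences the cached pointer; the post-fix worker looks the device up by ifindex, holds it while reading, and returns -ENODEV when it is already gone.

```c
/* Added example (constructed model, not kernel code) of the lifetime bug
 * behind CVE-2024-57795: a cached net_device pointer outliving the device. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef IFF_UP
#define IFF_UP 0x1
#endif
#define MAX_IFINDEX 8
#define ERR_UAF (-1000)  /* constructed: stands in for a KASAN use-after-free report */

/* Toy net_device. Freed objects stay allocated until reset() so a stale read
 * is detectable (freed == 1) rather than undefined behaviour. */
struct net_device {
    int          ifindex;
    unsigned int flags;
    int          refcnt;
    int          freed;
};

static struct net_device *registry[MAX_IFINDEX]; /* lookup table by ifindex */
static struct net_device *slab[MAX_IFINDEX];     /* every object ever allocated */
static int nslab;

static void reset(void)
{
    for (int i = 0; i < nslab; i++) free(slab[i]);
    nslab = 0;
    for (int i = 0; i < MAX_IFINDEX; i++) registry[i] = NULL;
}

static struct net_device *register_netdev(int ifindex, unsigned int flags)
{
    struct net_device *dev = calloc(1, sizeof *dev);
    dev->ifindex = ifindex;
    dev->flags = flags;
    dev->refcnt = 1;                 /* the registry's own reference */
    registry[ifindex] = dev;
    slab[nslab++] = dev;
    return dev;
}

static void dev_hold(struct net_device *dev) { dev->refcnt++; }

static void dev_put(struct net_device *dev)
{
    if (--dev->refcnt == 0) {        /* last reference dropped: object released */
        dev->freed = 1;
        dev->flags = 0xdeadbeefu;    /* poison so a stale read is visibly wrong */
    }
}

static void unregister_netdev(struct net_device *dev)
{
    registry[dev->ifindex] = NULL;   /* no longer reachable by index */
    dev_put(dev);                    /* drop the registry's reference */
}

/* Like the kernel's dev_get_by_index(): NULL if gone, else a held reference. */
static struct net_device *dev_get_by_index(int ifindex)
{
    struct net_device *dev = registry[ifindex];
    if (dev) dev_hold(dev);
    return dev;
}

/* RXE side: the removed "direct link" (ndev) versus the ifindex to resolve. */
struct rxe_dev { struct net_device *ndev; int ifindex; };

/* Pre-fix pattern: dereference the cached pointer with no reference held. */
static int rxe_query_port_direct(struct rxe_dev *rxe, unsigned int *flags)
{
    if (rxe->ndev->freed) return ERR_UAF;  /* kernel: KASAN slab-use-after-free */
    *flags = rxe->ndev->flags;
    return 0;
}

/* Post-fix pattern: resolve, hold while reading, then drop the reference. */
static int rxe_query_port_by_index(struct rxe_dev *rxe, unsigned int *flags)
{
    struct net_device *ndev = dev_get_by_index(rxe->ifindex);
    if (!ndev) return -ENODEV;             /* device already unregistered */
    *flags = ndev->flags;
    dev_put(ndev);
    return 0;
}

/* Replay the advisory's timeline: work queued, netdev unregistered and freed,
 * then the deferred work runs. Returns ERR_UAF (old path) or -ENODEV (fixed). */
int replay_timeline(int use_fix)
{
    unsigned int flags = 0;
    reset();
    struct net_device *veth = register_netdev(3, IFF_UP);
    struct rxe_dev rxe = { .ndev = veth, .ifindex = 3 };
    unregister_netdev(veth);               /* 843.25: last reference dropped */
    return use_fix ? rxe_query_port_by_index(&rxe, &flags)   /* 850.56 */
                   : rxe_query_port_direct(&rxe, &flags);
}

/* Why the held reference matters: if unregistration races with a worker that
 * already holds the device, the object survives until the worker's dev_put().
 * Returns the flags read while alive, or -1 if the ordering was violated. */
int replay_overlap(void)
{
    reset();
    struct net_device *veth = register_netdev(3, IFF_UP);
    struct net_device *held = dev_get_by_index(3);   /* worker resolves + holds */
    unregister_netdev(veth);                          /* registry ref dropped */
    int alive_during_read = !held->freed;
    unsigned int flags = held->flags;
    dev_put(held);                                    /* worker's ref: freed now */
    return (alive_during_read && held->freed) ? (int)flags : -1;
}

int main(void)
{
    printf("direct pointer after free : %d\n", replay_timeline(0));
    printf("lookup by ifindex         : %d\n", replay_timeline(1));
    printf("held across unregister    : %d\n", replay_overlap());
    return 0;
}
```

The model collapses the kernel's workqueue, RTNL lock and RCU into a straight-line sequence, but the invariant it checks is the one the fix restores: a deferred task may only touch a net_device it has resolved and holds at execution time, never one it remembered at queue time.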