VYPR
← All advisories
High severity7.8NVD Advisory· Published Oct 21, 2024· Updated May 12, 2026

CVE-2024-47696

CVE-2024-47696

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs"), the function flush_workqueue is invoked to flush the work queue iwcm_wq.

But at that time, the work queue iwcm_wq was created via the function alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.

Because the current process is trying to flush the whole iwcm_wq, if iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current process is not reclaiming memory or running on a workqueue which doesn't have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to a deadlock.

The call trace is as below:

[ 125.350876][ T1430] Call Trace: [ 125.356281][ T1430] [ 125.361285][ T1430] ? __warn (kernel/panic.c:693) [ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219) [ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239) [ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) [ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970) [ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151) [ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm [ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910) [ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161) [ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm [ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma [ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma [ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231) [ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393) [ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339) [ 125.531837][ T1430] kthread (kernel/kthread.c:389) [ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342) [ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147) [ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342) [ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) [ 125.566487][ T1430] [ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free fix in the Linux kernel's RDMA/iwcm introduced a flush_workqueue call that can trigger a WARNING and potential deadlock when the workqueue lacks WQ_MEM_RECLAIM.

Vulnerability

Overview

CVE-2024-47696 is a bug in the Linux kernel's RDMA/iwcm (iWarp Connection Manager) subsystem. The vulnerability arises from a commit (aee2424246f9) that was intended to fix a use-after-free issue related to destroying CM IDs. That commit added a call to flush_workqueue() for the iwcm_wq workqueue. However, iwcm_wq was created with alloc_ordered_workqueue without the WQ_MEM_RECLAIM flag. The kernel's workqueue infrastructure includes a check (check_flush_dependency) that triggers a WARNING when a process running in a memory-reclaim context or on a workqueue without WQ_MEM_RECLAIM attempts to flush a workqueue also lacking that flag, because doing so can break the forward-progress guarantee and lead to deadlock [1].

Attack

Surface and Exploitation

The issue is triggered in the destroy_cm_id function. For exploitation, an attacker would need to be able to trigger the code path that calls destroy_cm_id while the current process is either reclaiming memory or running on a workqueue without WQ_MEM_RECLAIM. This is a local condition, requiring the ability to execute code on the system and influence the timing of CM ID destruction relative to memory-reclaim or workqueue execution contexts. The prerequisite is local access with the ability to create and destroy RDMA/iWarp connection manager IDs, which typically requires privileges to use RDMA resources (e.g., CAP_NET_ADMIN or similar) or access to a device that supports iWarp [1].

Impact

The impact is a denial of service (system crash or hang) due to the WARNING splat from the kernel and the potential for a deadlock. The kernel will emit a WARNING and then proceed with flush, but the forward-progress guarantee is broken, which could lead to a system lockup. There is no evidence of privilege escalation or information disclosure; the primary effect is availability degradation. The CVSS v3 base score is 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, but the description only confirms system hang/crash; the high CIA scores likely reflect the worst-case local privilege escalation via system instability [1].

Mitigation

The fix for CVE-2024-47696 is to ensure that iwcm_wq is created with the WQ_MEM_RECLAIM flag, or to avoid flushing the workqueue from contexts that might be in memory reclaim. The commit that introduced the regression (aee2424246f9) was included in kernel versions prior to the fix, and stable kernel updates have been released to address the issue. Users should update their Linux kernel to a patched version. Affected products include devices with Linux-based subsystems, such as Siemens SIMATIC S7-1500 TM MFP - GNU/Linux subsystem, which lists this CVE among many others [2]. Users should apply the latest kernel updates from their distribution or vendor [1][2].

References
  1. SSA-355557
  2. SSA-265688

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

114

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

13

News mentions

0

No linked articles in our index yet.