CVE-2024-49980: 
CBL Mariner vulnerability analysis and mitigation

CVE-2024-49980 affects the Linux kernel's Virtual Routing and Forwarding (VRF) subsystem. The vulnerability was introduced when a commit removed an RCU-bh critical section protection that was necessary for proper locking behavior. The issue affects Linux kernel versions from 6.6 up to (excluding) 6.6.55, from 6.7 up to (excluding) 6.10.14, and from 6.11 up to (excluding) 6.11.3 (NVD).

The vulnerability stems from the removal of an RCU-bh (Read-Copy-Update Bottom Half) critical section in the VRF subsystem. The dev_queue_xmit_nit function is expected to be called with BH (Bottom Half) disabled, as __dev_queue_xmit requires soft interrupts to be disabled for various locks. The removal of this protection triggered lockdep warnings indicating an inconsistent lock state between {IN-SOFTIRQ-W} and {SOFTIRQ-ON-W}. The CVSS v3.1 base score is 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

The vulnerability can lead to inconsistent lock states in the kernel's networking subsystem, potentially causing system crashes or deadlocks. The issue specifically affects the VRF functionality when handling network packets, which could result in denial of service conditions (NVD).

The issue has been fixed by reverting the problematic commit (504fc6f4f7f681d2a03aa5f68aad549d90eab853) and restoring the necessary RCU-bh critical section protection. Users should upgrade to Linux kernel versions 6.6.55, 6.10.14, or 6.11.3 or later, depending on their kernel series (Kernel Patch).