CVE-2024-36004 - i40e Workqueue Memory Reclaim Flag Issue in Linux Kernel
A recently resolved vulnerability in the Linux Kernel, CVE-2024-36004, involved an improper use of the WQ_MEM_RECLAIM flag in the Intel i40e Ethernet driver. This issue could lead to kernel warnings and system instability when using SR-IOV, especially alongside the i40iw driver for RDMA operations. Below, we'll explain what happened, provide code snippets from the patch, break down the bug in simple language, and offer links to original resources and exploit details.
What Happened?
When both the i40e (Intel Ethernet) driver and i40iw (Intel iWARP RDMA) driver were loaded, users saw warnings from the kernel related to workqueue flushing and memory reclaim. This showed up especially during virtualization and advanced networking (SR-IOV) tests.
The i40e driver was creating its internal workqueue with the WQ_MEM_RECLAIM flag, while i40iw was not. This difference triggered a kernel warning in check_flush_dependency(). A similar bug previously hit the newer ice driver and was already resolved by removing the WQ_MEM_RECLAIM flag. The maintainers decided to do the same for i40e.
Kernel Warning Example
workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is flushing !WQ_MEM_RECLAIM infiniband:0x0
WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966 check_flush_dependency+0x10b/0x120
Why Is This a Problem?
The WQ_MEM_RECLAIM flag is used when a workqueue must be able to progress even if memory is low, like in reclaim tasks or critical cleanup. If a workqueue with this flag waits for one without the flag during memory pressure, it can create deadlocks or stalls in kernel memory management.
Here, i40e’s service task workqueue tried to flush operations from another workqueue (used by the i40iw RDMA driver), which was not declared as reclaimable. The kernel correctly warns that this can cause dependency issues or deadlocks, risking system reliability.
How Was This Fixed?
The fix is simple: remove the WQ_MEM_RECLAIM flag from i40e’s workqueue. This matches the solution for the ice driver and avoids the problematic dependency.
Original Vulnerable Code
/* flags = WQ_MEM_RECLAIM, max_active = 0 (kernel default) */
adapter->service_wq = alloc_workqueue("i40e_service_task",
                                      WQ_MEM_RECLAIM, 0);
Fixed Code
/* flags = 0: the workqueue is no longer marked WQ_MEM_RECLAIM */
adapter->service_wq = alloc_workqueue("i40e_service_task",
                                      0, 0);
That's it! By not using the flag, the dangerous dependency and warning go away.
Reference:
- Linux netdev mailing list patch
- i40e driver source code
Is this a Security Risk?
This bug does not let ordinary users escalate privilege or run code. Instead, it’s a stability and reliability bug. However, attackers could theoretically trigger the warning (DoS) by loading/unloading affected drivers in crafted sequences or exploiting heavy I/O loads and causing soft-lockups or panics, disrupting service on affected machines.
1. Ensure both i40e and i40iw drivers are present and loaded.
2. Use tools to trigger RDMA/InfiniBand operations (sockets, RDMA benchmarks).
Example Test Sequence
modprobe i40e
modprobe i40iw
# Run RDMA traffic or network stress (e.g., rping, ib_send_bw)
rmmod i40iw # or reboot
# Watch dmesg for warnings like check_flush_dependency
Kernel Panic/Warning Output
workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is flushing !WQ_MEM_RECLAIM infiniband:0x0
WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966 check_flush_dependency+0x10b/0x120
No local privilege escalation or remote exploit exists, but servers could be forced into a faulty state, especially with repeated stress.
What Should I Do?
Admins:
- Upgrade your kernel once a version with the commit lands in your vendor's package repo.
- If running custom kernels, apply this patch or manually edit out WQ_MEM_RECLAIM from i40e.
Vendors/OEMs:
- Backport the fix to all supported enterprise kernels where i40e SR-IOV & RDMA stack is used in production.
Conclusion
CVE-2024-36004 is a subtle but important kernel bug affecting high-performance network and RDMA stacks on Intel hardware. The fix is simple and avoids hard-to-debug driver interaction bugs and critical kernel warnings. While not "attack-grade" security, it’s highly relevant for uptime and system health in demanding Linux environments.
References
- Linux Kernel Patch (lore.kernel.org)
- i40e Patch Commit (kernel.org)
- Linux workqueue documentation
- CVE Record (may update with more info)
Fast Check
If you see kernel warnings about check_flush_dependency involving i40e and infiniband, you are probably affected and should update!
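The fast check above can be scripted against a saved or live kernel log. This is an added example, not code from the kernel patch or the original article: it parses the check_flush_dependency() message into fields and flags the i40e/infiniband pairing. The function names and the sample log lines (including timestamps) are constructed for illustration.

```shell
#!/bin/sh
# Reads a kernel log on stdin and prints one line per flush-dependency warning:
#   flusher_wq flusher_func module target_wq target_func   ("-" if no module tag)
flush_dep_report() {
    awk '
    # Workqueue names may themselves contain ":", so split on the LAST colon.
    function last_colon(s,   i) {
        for (i = length(s); i > 0; i--) if (substr(s, i, 1) == ":") return i
        return 0
    }
    /workqueue: WQ_MEM_RECLAIM .* is flushing !WQ_MEM_RECLAIM / {
        line = $0
        sub(/^.*workqueue: WQ_MEM_RECLAIM /, "", line)   # drop timestamp/prefix
        split(line, half, / is flushing !WQ_MEM_RECLAIM /)
        n = split(half[1], src, " ")                     # "wq:func" ["[module]"]
        module = (n > 1) ? src[2] : "-"
        gsub(/\[|\]/, "", module)
        split(half[2], dst, " ")                         # ignore trailing text
        c = last_colon(src[1]); d = last_colon(dst[1])
        print substr(src[1], 1, c - 1), substr(src[1], c + 1), module, \
              substr(dst[1], 1, d - 1), substr(dst[1], d + 1)
    }'
}

# Exit status 0 if the log contains the i40e -> infiniband warning from this CVE.
i40e_rdma_warning_seen() {
    flush_dep_report |
        awk '$1 == "i40e" && $4 == "infiniband" { hit = 1 } END { exit !hit }'
}

# Constructed sample log, modelled on the warning shown in this article.
SAMPLE_LOG='[  +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is flushing !WQ_MEM_RECLAIM infiniband:0x0
[  +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966 check_flush_dependency+0x10b/0x120
[  +0.000010] i40e 0000:3b:00.0: unrelated constructed line'

printf '%s\n' "$SAMPLE_LOG" | flush_dep_report
if printf '%s\n' "$SAMPLE_LOG" | i40e_rdma_warning_seen; then
    echo "i40e flush-dependency warning present: kernel likely lacks the fix"
fi
```

On a live host, feed it the kernel log instead of the sample, for example `dmesg | i40e_rdma_warning_seen`.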
Timeline
Published on: 05/20/2024 10:15:14 UTC
Last modified on: 05/04/2025 09:10:19 UTC