CVE-2024-40980: drop_monitor: replace spin_lock by raw_spin_lock
In the Linux kernel, the following vulnerability has been resolved:
drop_monitor: replace spin_lock by raw_spin_lock
trace_drop_common() is called with preemption disabled, and it acquires
a spin_lock. This is problematic for RT kernels because spin_locks are
sleeping locks in this configuration, which causes the following splat:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 449, name: rcuc/47
preempt_count: 1, expected: 0
RCU nest depth: 2, expected: 2
5 locks held by rcuc/47/449:
#0: ff1100086ec30a60 ((softirq_ctrl.lock)){+.+.}-{2:2}, at: __local_bh_disable_ip+0x105/0x210
#1: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: rt_spin_lock+0xbf/0x130
#2: ffffffffb394a280 (rcu_read_lock){....}-{1:2}, at: __local_bh_disable_ip+0x11c/0x210
#3: ffffffffb394a160 (rcu_callback){....}-{0:0}, at: rcu_do_batch+0x360/0xc70
#4: ff1100086ee07520 (&data->lock){+.+.}-{2:2}, at: trace_drop_common.constprop.0+0xb5/0x290
irq event stamp: 139909
hardirqs last enabled at (139908): [<ffffffffb1df2b33>] _raw_spin_unlock_irqrestore+0x63/0x80
hardirqs last disabled at (139909): [<ffffffffb19bd03d>] trace_drop_common.constprop.0+0x26d/0x290
softirqs last enabled at (139892): [<ffffffffb07a1083>] __local_bh_enable_ip+0x103/0x170
softirqs last disabled at (139898): [<ffffffffb0909b33>] rcu_cpu_kthread+0x93/0x1f0
Preemption disabled at:
[<ffffffffb1de786b>] rt_mutex_slowunlock+0xab/0x2e0
CPU: 47 PID: 449 Comm: rcuc/47 Not tainted 6.9.0-rc2-rt1+ #7
Hardware name: Dell Inc. PowerEdge R650/0Y2G81, BIOS 1.6.5 04/15/2022
Call Trace:
<TASK>
dump_stack_lvl+0x8c/0xd0
dump_stack+0x14/0x20
__might_resched+0x21e/0x2f0
rt_spin_lock+0x5e/0x130
? trace_drop_common.constprop.0+0xb5/0x290
? skb_queue_purge_reason.part.0+0x1bf/0x230
trace_drop_common.constprop.0+0xb5/0x290
? preempt_count_sub+0x1c/0xd0
? _raw_spin_unlock_irqrestore+0x4a/0x80
? __pfx_trace_drop_common.constprop.0+0x10/0x10
? rt_mutex_slowunlock+0x26a/0x2e0
? skb_queue_purge_reason.part.0+0x1bf/0x230
? __pfx_rt_mutex_slowunlock+0x10/0x10
? skb_queue_purge_reason.part.0+0x1bf/0x230
trace_kfree_skb_hit+0x15/0x20
trace_kfree_skb+0xe9/0x150
kfree_skb_reason+0x7b/0x110
skb_queue_purge_reason.part.0+0x1bf/0x230
? __pfx_skb_queue_purge_reason.part.0+0x10/0x10
? mark_lock.part.0+0x8a/0x520
...
trace_drop_common() also disables interrupts, but this is a minor issue
because we could easily replace it with a local_lock.
Replace the spin_lock with raw_spin_lock to avoid sleeping in atomic
context.
CVE-2024-40980 is a Linux kernel locking bug in drop_monitor. On real-time kernels, code can try to take a lock that may sleep while preemption is disabled, causing a kernel warning or instability. Sources do not provide CVSS, confirmed exploitation, or broad impact detail.
Executive priority
Do not treat this as an emergency based on the provided evidence. Treat it as a targeted kernel-stability issue, with higher urgency for production real-time Linux, industrial systems, and appliances covered by vendor advisories.
Technical view
trace_drop_common() runs with preemption disabled and used spin_lock. On RT kernels, spin_locks can sleep, which is invalid in atomic context. The kernel fix replaces spin_lock with raw_spin_lock for the drop_monitor data lock. Evidence centers on PREEMPT_RT behavior and kernel stability, not remote exploitation.
Likely exposure
Exposure is most relevant to Linux systems using RT kernels or vendor products that include affected Linux kernels. General Linux fleets should still check vendor kernel advisories because the affected-version data in the source bundle is not detailed enough to prove safe versions alone.
Exploitation context
The source bundle does not show CISA KEV listing or any cited active exploitation. The described failure is a kernel locking-context bug triggered during packet-drop tracing paths, with evidence of a BUG splat on a 6.9.0-rc2-rt1 kernel.
Researcher notes
The record lacks CVSS, CWE, and exploit evidence. The useful technical anchor is the locking change in trace_drop_common(): spin_lock to raw_spin_lock because RT spin_locks can sleep. Validate against exact vendor kernel trees rather than relying on the flattened affected-version list.
Mitigation direction
Apply Linux kernel updates that include the referenced stable commits.
Use distribution or appliance vendor advisories for exact fixed packages.
Prioritize real-time Linux, industrial, and embedded systems first.
For Siemens products, follow the cited Siemens ProductCERT advisories.
If no vendor fix is available, monitor vendor guidance closely.
Validation and detection
Inventory Linux kernel versions and RT/PREEMPT_RT usage.
Check vendor changelogs for CVE-2024-40980 or referenced commit IDs.
Review kernel logs for sleeping-function invalid-context warnings in drop_monitor paths.
Confirm updated systems run vendor-fixed kernel builds.
Track Debian LTS and product advisories for package-specific status.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-40980 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.