CVE-2024-26724

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26724
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26724.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26724
Published
2024-04-03T15:15:54Z
Modified
2024-09-18T03:26:02.441987Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers

I managed to hit the following use-after-free warning recently:

[ 2169.711665] ==================================================================
[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0
[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0

[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2
[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 2169.722457] Call Trace:
[ 2169.722756]  <IRQ>
[ 2169.723024]  dump_stack_lvl+0x58/0xb0
[ 2169.723417]  print_report+0xc5/0x630
[ 2169.723807]  ? __virt_addr_valid+0x126/0x2b0
[ 2169.724268]  kasan_report+0xbe/0xf0
[ 2169.724667]  ? __run_timers.part.0+0x179/0x4c0
[ 2169.725116]  ? __run_timers.part.0+0x179/0x4c0
[ 2169.725570]  __run_timers.part.0+0x179/0x4c0
[ 2169.726003]  ? call_timer_fn+0x320/0x320
[ 2169.726404]  ? lock_downgrade+0x3a0/0x3a0
[ 2169.726820]  ? kvm_clock_get_cycles+0x14/0x20
[ 2169.727257]  ? ktime_get+0x92/0x150
[ 2169.727630]  ? lapic_next_deadline+0x35/0x60
[ 2169.728069]  run_timer_softirq+0x40/0x80
[ 2169.728475]  __do_softirq+0x1a1/0x509
[ 2169.728866]  irq_exit_rcu+0x95/0xc0
[ 2169.729241]  sysvec_apic_timer_interrupt+0x6b/0x80
[ 2169.729718]  </IRQ>
[ 2169.729993]  <TASK>
[ 2169.730259]  asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 2169.730755] RIP: 0010:default_idle+0x13/0x20
[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00
[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242
[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62
[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55
[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14
[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0
[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200
[ 2169.736478]  ? ct_kernel_exit.constprop.0+0xa2/0xc0
[ 2169.736954]  ? do_idle+0x285/0x290
[ 2169.737323]  default_idle_call+0x63/0x90
[ 2169.737730]  do_idle+0x285/0x290
[ 2169.738089]  ? arch_cpu_idle_exit+0x30/0x30
[ 2169.738511]  ? mark_held_locks+0x1a/0x80
[ 2169.738917]  ? lockdep_hardirqs_on_prepare+0x12e/0x200
[ 2169.739417]  cpu_startup_entry+0x30/0x40
[ 2169.739825]  start_secondary+0x19a/0x1c0
[ 2169.740229]  ? set_cpu_sibling_map+0xbd0/0xbd0
[ 2169.740673]  secondary_startup_64_no_verify+0x15d/0x16b
[ 2169.741179]  </TASK>

[ 2169.741686] Allocated by task 1098:
[ 2169.742058]  kasan_save_stack+0x1c/0x40
[ 2169.742456]  kasan_save_track+0x10/0x30
[ 2169.742852]  __kasan_kmalloc+0x83/0x90
[ 2169.743246]  mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]
[ 2169.743730]  auxiliary_bus_probe+0x62/0xb0
[ 2169.744148]  really_probe+0x127/0x590
[ 2169.744534]  __driver_probe_device+0xd2/0x200
[ 2169.744973]  device_driver_attach+0x6b/0xf0
[ 2169.745402]  bind_store+0x90/0xe0
[ 2169.745761]  kernfs_fop_write_iter+0x1df/0x2a0
[ 2169.746210]  vfs_write+0x41f/0x790
[ 2169.746579]  ksys_write+0xc7/0x160
[ 2169.746947]  do_syscall_64+0x6f/0x140
[ 2169.747333]  entry_SYSCALL_64_after_hwframe+0x46/0x4e

[ 2169.748049] Freed by task 1220:
[ 2169.748393]  kasan_save_stack+0x1c/0x40
[ 2169.748789]  kasan_save_track+0x10/0x30
[ 2169.749188]  kasan_save_free_info+0x3b/0x50
[ 2169.749621]  poison_slab_object+0x106/0x180
[ 2169.750044]  __kasan_slab_free+0x14/0x50
[ 2169.750451]  kfree+0x118/0x330
[ 2169.750792]  mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]
[ 2169.751271]  auxiliary_bus_remove+0x2e/0x40
[ 2169.751694]  device_release_driver_internal+0x24b/0x2e0
[ 2169.752191]  unbind_store+0xa6/0xb0
[ 2169.752563]  kernfs_fo ---truncated---

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.7.7-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}