DEBIAN-CVE-2024-41057

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefileswithdrawcookie() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in cachefileswithdrawcookie+0x4d9/0x600 Read of size 8 at addr ffff888118efc000 by task kworker/u78:0/109 CPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566 Call Trace: <TASK> kasanreport+0x93/0xc0 cachefileswithdrawcookie+0x4d9/0x600 fscachecookiestatemachine+0x5c8/0x1230 fscachecookieworker+0x91/0x1c0 processonework+0x7fa/0x1800 [...] Allocated by task 117: kmalloctrace+0x1b3/0x3c0 cachefilesacquirevolume+0xf3/0x9c0 fscachecreatevolumework+0x97/0x150 processonework+0x7fa/0x1800 [...] Freed by task 120301: kfree+0xf1/0x2c0 cachefileswithdrawcache+0x3fa/0x920 cachefilesputunbindpincount+0x1f6/0x250 cachefilesdaemonrelease+0x13b/0x290 _fput+0x204/0xa00 taskworkrun+0x139/0x230 doexit+0x87a/0x29b0 [...] ================================================================== Following is the process that triggers the issue: p1 | p2 ------------------------------------------------------------ fscachebeginlookup fscachebeginvolumeaccess fscachecacheislive(fscachecache) cachefilesdaemonrelease cachefilesputunbindpincount cachefilesdaemonunbind cachefileswithdrawcache fscachewithdrawcache fscachesetcachestate(cache, FSCACHECACHEISWITHDRAWN); cachefileswithdrawobjects(cache) fscachewaitforobjects(fscache) atomicread(&fscachecache->objectcount) == 0 fscacheperformlookup cachefileslookupcookie cachefilesallocobject refcountset(&object->ref, 1); object->volume = volume fscachecountobject(vcookie->cache); atomicinc(&fscachecache->objectcount) cachefileswithdrawvolumes cachefileswithdrawvolume fscachewithdrawvolume _cachefilesfreevolume kfree(cachefilesvolume) fscachecookiestatemachine cachefileswithdrawcookie cache = object->volume->cache; // cachefilesvolume UAF !!! After setting FSCACHECACHEISWITHDRAWN, wait for all the cookie lookups to complete first, and then wait for fscachecache->objectcount == 0 to avoid the cookie exiting after the volume has been freed and triggering the above issue. Therefore call fscachewithdrawvolume() before calling cachefileswithdrawobjects(). This way, after setting FSCACHECACHEISWITHDRAWN, only the following two cases will occur: 1) fscachebeginlookup fails in fscachebeginvolumeaccess(). 2) fscachewithdrawvolume() will ensure that fscachecountobject() has been executed before calling fscachewaitfor_objects().