CVE-2024-44934

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 26/08/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mcast: wait for previous gc cycles when removing port

syzbot hit a use-after-free[1] which is caused because the bridge doesn't
make sure that all previous garbage has been collected when removing a
port. What happens is:

        CPU 1                             CPU 2
    start gc cycle                    remove port
    acquire gc lock first
                                      wait for lock
    call br_multicast_gc() directly
                                      acquire lock now but free port
                                      the port can be freed
                                      while grp timers still
                                      running

Make sure all previous gc cycles have finished by using flush_work before
freeing the port.

[1]
BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699

CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:

 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861
 call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1843 [inline]
 __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
 __run_timer_base kernel/time/timer.c:2428 [inline]
 __run_timer_base kernel/time/timer.c:2421 [inline]
 run_timer_base+0x111/0x190 kernel/time/timer.c:2437

Vulnerable products and versions

CPE                                                 From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.10 (including)    5.15.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.16 (including)    6.1.105 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.2 (including)     6.6.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.7 (including)     6.10.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*   -                   -
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*   -                   -