CVE-2024-57795

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
15/01/2025
Last modified:
11/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Remove the direct link to net_device

The similar patch in siw is in the link:
https://git.kernel.org/rdma/rdma/c/16b87037b48889

This problem also occurred in RXE. The following analyzes this problem.
In the following Call Traces:
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295

CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted
6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
Hardware name: Google Compute Engine/Google Compute Engine,
BIOS Google 09/13/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60
__ib_query_port drivers/infiniband/core/device.c:2111 [inline]
ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143
ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494
ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

"

1). In the link [1],

"
infiniband syz2: set down
"

This means that on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq.

2). In the link [1],

"
team0 (unregistering): Port device team_slave_0 removed
"

It indicates that before 843.251853, the net device should be freed.

3). In the link [1],

"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0
"

This means that on 850.559070, this slab-use-after-free problem occurred.

In all, on 839.350575, the event ib_cache_event_task was sent and queued in ib_wq,

before 843.251853, the net device veth was freed.

on 850.559070, this event was executed, and the mentioned freed net device was called. Thus, the above call trace occurred.

[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000
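The sequence above is a deferred work item (ib_cache_event_task) reading a net_device pointer that was captured before the device was unregistered and freed. The following is an added userspace model in C, not the kernel's code: the registry, refcount and function names are constructed stand-ins for the kernel's netdev table and its dev_get_by_index()/dev_put() reference handling. It contrasts the raw-pointer shape seen in the trace with storing only the interface index and resolving it, under a reference, when the work actually runs.

```c
#include <stdlib.h>

#define MAX_DEVS 8
#define IFF_UP 0x1u

struct net_dev {
    unsigned int flags;   /* the field dev_get_flags() reads in the KASAN trace */
    int refcnt;
};
static struct net_dev *registry[MAX_DEVS];   /* constructed stand-in for the kernel's device table */

/* Register a device; the table holds the initial reference. */
struct net_dev *dev_register(int ifindex, unsigned int flags)
{
    struct net_dev *d = calloc(1, sizeof *d);
    if (d) { d->flags = flags; d->refcnt = 1; registry[ifindex] = d; }
    return d;
}
/* Drop one reference; memory is freed only when the last holder lets go. */
void dev_put(struct net_dev *d) { if (d && --d->refcnt == 0) free(d); }

/* Unregister: remove from the table and drop the table's reference. Returns 1 if it existed. */
int dev_unregister(int ifindex)
{
    struct net_dev *d = registry[ifindex];
    if (!d) return 0;
    registry[ifindex] = NULL; dev_put(d);
    return 1;
}

/* dev_get_by_index() analogue: look up and take a reference, or NULL if the device is gone. */
struct net_dev *dev_get_by_index(int ifindex)
{
    struct net_dev *d = (ifindex >= 0 && ifindex < MAX_DEVS) ? registry[ifindex] : NULL;
    if (d) d->refcnt++;
    return d;
}

/* UNSAFE shape from the trace: deferred work dereferences a pointer captured at queue time.
 * Only valid while the caller still holds a reference that keeps the device alive. */
unsigned int query_port_direct(const struct net_dev *d) { return d->flags; }

/* SAFE shape: the queued work stores only ifindex and resolves it when it runs.
 * Returns the flags, or -1 if the device was unregistered while the work was pending. */
long query_port_by_index(int ifindex)
{
    struct net_dev *d = dev_get_by_index(ifindex);
    if (!d) return -1;
    long flags = d->flags;
    dev_put(d);   /* release the lookup's reference */
    return flags;
}
```

With the safe shape, a device torn down between queueing and execution yields -1 instead of a read from freed memory; the direct shape has no way to tell the two apart.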

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.8 (including) 6.12.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*