CVE-2024-57979

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/02/2025
Last modified:
24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

pps: Fix a use-after-free

On a board running ntpd and gpsd, I'm seeing a consistent use-after-free
in sys_exit() from gpsd when rebooting:

pps pps1: removed
------------[ cut here ]------------
kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150
CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1
Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kobject_put+0x120/0x150
lr : kobject_put+0x120/0x150
sp : ffffffc0803d3ae0
x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001
x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440
x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600
x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20
x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
kobject_put+0x120/0x150
cdev_put+0x20/0x3c
__fput+0x2c4/0x2d8
____fput+0x1c/0x38
task_work_run+0x70/0xfc
do_exit+0x2a0/0x924
do_group_exit+0x34/0x90
get_signal+0x7fc/0x8c0
do_signal+0x128/0x13b4
do_notify_resume+0xdc/0x160
el0_svc+0xd4/0xf8
el0t_64_sync_handler+0x140/0x14c
el0t_64_sync+0x190/0x194
---[ end trace 0000000000000000 ]---

...followed by more symptoms of corruption, with similar stacks:

refcount_t: underflow; use-after-free.
kernel BUG at lib/list_debug.c:62!
Kernel panic - not syncing: Oops - BUG: Fatal exception

This happens because pps_device_destruct() frees the pps_device with the
embedded cdev immediately after calling cdev_del(), but, as the comment
above cdev_del() notes, fops for previously opened cdevs are still
callable even after cdev_del() returns. I think this bug has always
been there: I can't explain why it suddenly started happening every time
I reboot this particular board.

In commit d953e0e837e6 ("pps: Fix a use-after free bug when
unregistering a source."), George Spelvin suggested removing the
embedded cdev. That seems like the simplest way to fix this, so I've
implemented his suggestion, using __register_chrdev() with pps_idr
becoming the source of truth for which minor corresponds to which
device.

But now that pps_idr defines userspace visibility instead of cdev_add(),
we need to be sure the pps->dev refcount can't reach zero while
userspace can still find it again. So, the idr_remove() call moves to
pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev.

pps_core: source serial1 got cdev (251:1)

pps pps1: removed
pps_core: unregistering pps1
pps_core: deallocating pps1
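The lifetime-ordering mistake the commit message describes, and the shape of the fix, can be modelled outside the kernel. The following is an added userspace illustration, not code from the kernel or from the pps driver: it keeps devices in a static pool so that a "freed" object can be inspected instead of crashing the process, models the embedded cdev's kobject refcount and the pps->dev kref as two separate counters, and treats the pps_idr table as the lookup path userspace uses. Function names (open_before, unregister_after, and so on) and the minor numbers are constructed for the example. The "before" path shows an open file pinning only the embedded cdev while the container is freed underneath it; the "after" path shows the idr holding its own reference and every open pinning pps->dev itself, so the container survives until the last close and can no longer be found once removed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: a tiny static pool lets us detect
 * accesses to a "freed" device rather than corrupting memory. */
#define MAX_MINORS 4
enum dev_state { DEV_UNUSED, DEV_LIVE, DEV_FREED };

struct pps_dev {
    enum dev_state state;
    int refcount;    /* models the kref on pps->dev */
    int cdev_refs;   /* models the kobject refcount of an embedded cdev */
    int minor;
};

static struct pps_dev pool[MAX_MINORS];
static struct pps_dev *pps_idr[MAX_MINORS]; /* models pps_idr: minor -> device */
static int uaf_events;                      /* touches of a freed device */

/* Every access goes through here; a sanitizer-style check. */
static struct pps_dev *touch(struct pps_dev *d)
{
    if (d->state == DEV_FREED)
        uaf_events++;
    return d;
}

/* Dropping the last pps->dev reference frees the whole struct, embedded
 * cdev included, exactly as pps_device_destruct() does in the bug report. */
static void dev_put(struct pps_dev *d)
{
    if (--touch(d)->refcount == 0)
        d->state = DEV_FREED;
}

static struct pps_dev *dev_alloc(int minor)
{
    struct pps_dev *d = &pool[minor];
    d->state = DEV_LIVE;
    d->refcount = 1;
    d->cdev_refs = 0;
    d->minor = minor;
    return d;
}

static void reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(pps_idr, 0, sizeof pps_idr);
    uaf_events = 0;
}

/* ---- before the fix: the open file pins only the embedded cdev ---- */
static struct pps_dev *open_before(int minor)
{
    struct pps_dev *d = pps_idr[minor];
    if (!d)
        return NULL;
    touch(d)->cdev_refs++;        /* cdev_get() on the kobject inside pps_dev */
    return d;
}

static void close_before(struct pps_dev *d)
{
    touch(d)->cdev_refs--;        /* cdev_put() from __fput(): reads freed memory */
}

static void unregister_before(struct pps_dev *d)
{
    pps_idr[d->minor] = NULL;     /* cdev_del(): hides the node, waits for nobody */
    dev_put(d);                   /* owner's reference: struct freed while still open */
}

/* ---- after the fix: pps_idr owns a reference, opens pin pps->dev ---- */
static struct pps_dev *register_after(int minor)
{
    struct pps_dev *d = dev_alloc(minor);   /* the single ref belongs to pps_idr */
    pps_idr[minor] = d;
    return d;
}

static struct pps_dev *open_after(int minor)
{
    struct pps_dev *d = pps_idr[minor];
    if (!d)
        return NULL;
    touch(d)->refcount++;         /* take a pps->dev ref while it is still findable */
    return d;
}

static void close_after(struct pps_dev *d) { dev_put(d); }

static void unregister_after(struct pps_dev *d)
{
    pps_idr[d->minor] = NULL;     /* idr_remove() now lives in pps_unregister_cdev() */
    dev_put(d);                   /* drop pps_idr's reference; open files keep theirs */
}

/* gpsd holds /dev/pps1 open, the device is removed, then gpsd exits. */
static int scenario_before(void)
{
    reset();
    struct pps_dev *d = dev_alloc(1);
    pps_idr[1] = d;
    struct pps_dev *file = open_before(1);
    unregister_before(d);
    close_before(file);
    return uaf_events;            /* 1: the release path touched freed memory */
}

static int scenario_after(void)
{
    reset();
    struct pps_dev *d = register_after(1);
    struct pps_dev *file = open_after(1);
    unregister_after(d);
    if (open_after(1) != NULL)    /* must be unfindable once removed from the idr */
        return -1;
    close_after(file);
    return uaf_events;            /* 0: the struct outlived the last open file */
}

static int device_freed(int minor) { return pool[minor].state == DEV_FREED; }

int main(void)
{
    printf("before fix: %d use-after-free event(s)\n", scenario_before());
    printf("after fix:  %d use-after-free event(s), freed on last close: %s\n",
           scenario_after(), device_freed(1) ? "yes" : "no");
    return 0;
}
```

The model makes the commit's two requirements visible as separate checks: no access after free (uaf_events stays 0), and no leak (the device is still freed once the last file closes). The unregister path in the fixed variant never waits for users; it only gives up the idr's own reference, which is all that is needed once the lookup table and the open files each own a reference to the same object.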

Vulnerable products and versions

CPE | From (including) | Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.2.40 | 3.3
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.4.87 | 3.5
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.8.1 | 5.4.291
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 | 5.10.235
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 | 5.15.179
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 | 6.1.129
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 | 6.6.76
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 | 6.12.13
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 | 6.13.2