CVE-2024-26631

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/03/2024
Last modified: 10/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work

idev->mc_ifc_count can be written over without proper locking.

Originally found by syzbot [1], fix this issue by encapsulating calls
to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with
mutex_lock() and mutex_unlock() accordingly as these functions
should only be called with mc_lock per their declarations.

[1]
BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work

write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
addrconf_notify+0x310/0x980
notifier_call_chain kernel/notifier.c:93 [inline]
raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
__dev_notify_flags+0x205/0x3d0
dev_change_flags+0xab/0xd0 net/core/dev.c:8685
do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
__rtnl_newlink net/core/rtnetlink.c:3717 [inline]
rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
...

write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
worker_thread+0x525/0x730 kernel/workqueue.c:2781
...

Vulnerable products and versions

CPE                                              From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.13 (including)   5.15.148 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)   6.1.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)    6.6.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)    6.7.2 (excluding)
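
A triage check for the version ranges in the table above, as an added example that is not part of the original advisory: it classifies `uname -r` style release strings against the four ranges. The function names and the sample inventory are assumptions made for illustration.

```python
import re

# Affected upstream ranges from the advisory table:
# (first affected version, first fixed version), upper bound excluded.
AFFECTED_RANGES = [
    ((5, 13, 0), (5, 15, 148)),
    ((5, 16, 0), (6, 1, 75)),
    ((6, 2, 0), (6, 6, 14)),
    ((6, 7, 0), (6, 7, 2)),
]

def parse_release(release):
    """Extract (major, minor, patch) from a `uname -r` style string.

    A missing patch level ("6.7", "6.8-rc1") counts as 0; returns None
    when the string does not start with a version number.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        return None
    return tuple(int(part or 0) for part in m.groups())

def check_release(release):
    """Return (status, fixed_in) for one kernel release string.

    status is "affected", "not-listed" or "unparseable"; fixed_in is the
    first fixed upstream release of the matching branch, else None.
    """
    version = parse_release(release)
    if version is None:
        return ("unparseable", None)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ("affected", ".".join(map(str, first_fixed)))
    return ("not-listed", None)

if __name__ == "__main__":
    # Constructed inventory (hostnames and releases are made up).
    inventory = {
        "web-01": "5.15.147",
        "web-02": "5.15.148",
        "db-01": "6.1.74-generic",
        "ci-01": "6.6.14",
        "lab-01": "5.10.209",
    }
    for host, release in sorted(inventory.items()):
        status, fixed_in = check_release(release)
        print(f"{host:8} {release:16} {status:12} {fixed_in or '-'}")
```

Distribution kernels often backport fixes without changing the upstream version number, so an "affected" result on a vendor kernel is a prompt to check that vendor's advisory, not a final verdict.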