CVE-2024-38385

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
25/06/2024
Last modified:
03/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()

irq_find_at_or_after() dereferences the interrupt descriptor which is
returned by mt_find() while neither holding sparse_irq_lock nor RCU read
lock, which means the descriptor can be freed between mt_find() and the
dereference:

    CPU0                        CPU1
    desc = mt_find()
                                delayed_free_desc(desc)
    irq_desc_get_irq(desc)

The use-after-free is reported by KASAN:

    Call trace:
     irq_get_next_irq+0x58/0x84
     show_stat+0x638/0x824
     seq_read_iter+0x158/0x4ec
     proc_reg_read_iter+0x94/0x12c
     vfs_read+0x1e0/0x2c8

    Freed by task 4471:
     slab_free_freelist_hook+0x174/0x1e0
     __kmem_cache_free+0xa4/0x1dc
     kfree+0x64/0x128
     irq_kobj_release+0x28/0x3c
     kobject_put+0xcc/0x1e0
     delayed_free_desc+0x14/0x2c
     rcu_do_batch+0x214/0x720

Guard the access with a RCU read lock section.

Vulnerable products and versions

CPE                                           From             Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.5 (including)  6.6.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)  6.9.5 (excluding)