CVE-2024-44973

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm, slub: do not call do_slab_free for kfence object<br /> <br /> In 782f8906f805 the freeing of kfence objects was moved from deep<br /> inside do_slab_free to the wrapper functions outside. This is a nice<br /> change, but unfortunately it missed one spot in __kmem_cache_free_bulk.<br /> <br /> This results in a crash like this:<br /> <br /> BUG skbuff_head_cache (Tainted: G S B E ): Padding overwritten. 0xffff88907fea0f00-0xffff88907fea0fff @offset=3840<br /> <br /> slab_err (mm/slub.c:1129)<br /> free_to_partial_list (mm/slub.c:? mm/slub.c:4036)<br /> slab_pad_check (mm/slub.c:864 mm/slub.c:1290)<br /> check_slab (mm/slub.c:?)<br /> free_to_partial_list (mm/slub.c:3171 mm/slub.c:4036)<br /> kmem_cache_alloc_bulk (mm/slub.c:? mm/slub.c:4495 mm/slub.c:4586 mm/slub.c:4635)<br /> napi_build_skb (net/core/skbuff.c:348 net/core/skbuff.c:527 net/core/skbuff.c:549)<br /> <br /> All the other callers to do_slab_free appear to be ok.<br /> <br /> Add a kfence_free check in __kmem_cache_free_bulk to avoid the crash.