CVE-2024-35860
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-35860
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35860.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-35860
- Downstream
- Related
- Published
- 2024-05-19T08:34:19Z
- Modified
- 2025-10-17T05:10:40.252847Z
- Summary
- bpf: support deferring bpf_link dealloc to after RCU grace period
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: support deferring bpf_link dealloc to after RCU grace period
BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values.
Because of this runtime dependency, when bpf_link refcnt drops to zero there could still be active BPF programs running accessing link data.
This patch adds generic support to defer bpflink dealloc callback to after RCU GP, if requested. This is done by exposing two different deallocation callbacks, one synchronous and one deferred. If deferred one is provided, bpflinkfree() will schedule deallocdeferred() callback to happen after RCU GP.
BPF is using two flavors of RCU: "classic" non-sleepable one and RCU tasks trace one. The latter is used when sleepable BPF programs are used. bpflinkfree() accommodates that by checking underlying BPF program's sleepable flag, and goes either through normal RCU GP only for non-sleepable, or through RCU tasks trace GP and then normal RCU GP (taking into account rcutraceimpliesrcugp() optimization), if BPF program is sleepable.
We use this for multi-kprobe and multi-uprobe links, which dereference link during program run. We also preventively switch rawtp link to use deferred dealloc callback, as upcoming changes in bpf-next tree expose rawtp link data (specifically, cookie value) to BPF program at runtime as well.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0dcac272540613d41c05e89679e4ddb978b612f1Fixed876941f533e7b47fc69977fc4551c02f2d18af97
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0dcac272540613d41c05e89679e4ddb978b612f1Fixed5d8d447777564b35f67000e7838e7ccb64d525c8
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0dcac272540613d41c05e89679e4ddb978b612f1Fixed1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce
Affected versions
v5.*
v5.17
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.9-rc1
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"id": "CVE-2024-35860-003df2d0",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d8d447777564b35f67000e7838e7ccb64d525c8",
"signature_version": "v1",
"target": {
"function": "bpf_link_free",
"file": "kernel/bpf/syscall.c"
},
"digest": {
"function_hash": "61632900228507146343645298049075408345",
"length": 196.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-35860-0df2964b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@876941f533e7b47fc69977fc4551c02f2d18af97",
"signature_version": "v1",
"target": {
"function": "bpf_link_free",
"file": "kernel/bpf/syscall.c"
},
"digest": {
"function_hash": "61632900228507146343645298049075408345",
"length": 196.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-13078816",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@876941f533e7b47fc69977fc4551c02f2d18af97",
"signature_version": "v1",
"target": {
"file": "kernel/bpf/syscall.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"258412796679797631091681967814254035740",
"236443261112963479116799307190902444414",
"63273186725200926354216136970579185963",
"300498392041258583420754943397411833378",
"73545870000469046877947631426341670051",
"253527621119778481905211371252724146984",
"228709162019871319499527763477470965045",
"177462943532095713313078977533010915032",
"172085719337875214437793748911954730655",
"18305394215199501432835929053745825368",
"51065920221468311306391588188966711878",
"151451179548997975636058324106766107789",
"153756909956258304930993547531282994472",
"310310587504264006926948193480025643038",
"248810799603125049467001850129244669917"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-34985e76",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d8d447777564b35f67000e7838e7ccb64d525c8",
"signature_version": "v1",
"target": {
"file": "kernel/bpf/syscall.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"258412796679797631091681967814254035740",
"236443261112963479116799307190902444414",
"63273186725200926354216136970579185963",
"300498392041258583420754943397411833378",
"73545870000469046877947631426341670051",
"253527621119778481905211371252724146984",
"228709162019871319499527763477470965045",
"177462943532095713313078977533010915032",
"172085719337875214437793748911954730655",
"18305394215199501432835929053745825368",
"51065920221468311306391588188966711878",
"151451179548997975636058324106766107789",
"153756909956258304930993547531282994472",
"310310587504264006926948193480025643038",
"248810799603125049467001850129244669917"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-686821fa",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce",
"signature_version": "v1",
"target": {
"file": "kernel/trace/bpf_trace.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"128882421880788147905645684279118646154",
"178197801443998158362948272746003970024",
"9357175666854461097391324769062820176",
"708124055320274273607260442658305937",
"327526962925448384339525286434057805355",
"299983685750919301182766377827222308207",
"303615520983466766113640993867663220682",
"188678849879316706790496220533619513188"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-9c94fd5f",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@876941f533e7b47fc69977fc4551c02f2d18af97",
"signature_version": "v1",
"target": {
"file": "kernel/trace/bpf_trace.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"128882421880788147905645684279118646154",
"178197801443998158362948272746003970024",
"9357175666854461097391324769062820176",
"708124055320274273607260442658305937",
"327526962925448384339525286434057805355",
"265045532143210413987769321692152133933",
"69542426281405101425720794411767626021",
"158645787610253847206779921782389643052"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-b98dbd27",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@876941f533e7b47fc69977fc4551c02f2d18af97",
"signature_version": "v1",
"target": {
"file": "include/linux/bpf.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"298743005952280305479057676496183902024",
"237744575012127065602780615713206304745",
"75558992682232938669525444437790380550",
"139177436972959760139058440290227247632",
"305141503360280225579588551893208551822",
"284623335378569526411650299037115209640",
"302280720663174523229981369151431061396",
"210987211370596196549918176285862929011"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-bdbc00ee",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d8d447777564b35f67000e7838e7ccb64d525c8",
"signature_version": "v1",
"target": {
"file": "kernel/trace/bpf_trace.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"128882421880788147905645684279118646154",
"178197801443998158362948272746003970024",
"9357175666854461097391324769062820176",
"708124055320274273607260442658305937",
"327526962925448384339525286434057805355",
"299983685750919301182766377827222308207",
"303615520983466766113640993867663220682",
"188678849879316706790496220533619513188"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-35860-ce1974ba",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce",
"signature_version": "v1",
"target": {
"function": "bpf_link_free",
"file": "kernel/bpf/syscall.c"
},
"digest": {
"function_hash": "61632900228507146343645298049075408345",
"length": 196.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-d5762bc8",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce",
"signature_version": "v1",
"target": {
"file": "include/linux/bpf.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"298743005952280305479057676496183902024",
"237744575012127065602780615713206304745",
"75558992682232938669525444437790380550",
"139177436972959760139058440290227247632",
"305141503360280225579588551893208551822",
"284623335378569526411650299037115209640",
"302280720663174523229981369151431061396",
"210987211370596196549918176285862929011"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-e128db11",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce",
"signature_version": "v1",
"target": {
"file": "kernel/bpf/syscall.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"258412796679797631091681967814254035740",
"236443261112963479116799307190902444414",
"63273186725200926354216136970579185963",
"300498392041258583420754943397411833378",
"73545870000469046877947631426341670051",
"253527621119778481905211371252724146984",
"228709162019871319499527763477470965045",
"177462943532095713313078977533010915032",
"172085719337875214437793748911954730655",
"18305394215199501432835929053745825368",
"51065920221468311306391588188966711878",
"151451179548997975636058324106766107789",
"153756909956258304930993547531282994472",
"310310587504264006926948193480025643038",
"248810799603125049467001850129244669917"
]
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-35860-e22caeb9",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5d8d447777564b35f67000e7838e7ccb64d525c8",
"signature_version": "v1",
"target": {
"file": "include/linux/bpf.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"298743005952280305479057676496183902024",
"237744575012127065602780615713206304745",
"75558992682232938669525444437790380550",
"139177436972959760139058440290227247632",
"305141503360280225579588551893208551822",
"284623335378569526411650299037115209640",
"302280720663174523229981369151431061396",
"210987211370596196549918176285862929011"
]
},
"deprecated": false
}
]