CVE-2024-26793

Source
https://cve.org/CVERecord?id=CVE-2024-26793
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26793.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26793
Published
2024-04-04T08:20:23.771Z
Modified
2026-05-15T11:54:15.743857367Z
Summary
gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
Details

In the Linux kernel, the following vulnerability has been resolved:

gtp: fix use-after-free and null-ptr-deref in gtp_newlink()

The gtp_link_ops operations structure for the subsystem must be registered after registering the gtp_net_ops pernet operations structure.

Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:

[ 1010.702740] gtp: GTP module unloaded
[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1
[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]
[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00
[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203
[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000
[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282
[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000
[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80
[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400
[ 1010.715953] FS:  00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000
[ 1010.715958] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0
[ 1010.715968] PKRU: 55555554
[ 1010.715972] Call Trace:
[ 1010.715985]  ? __die_body.cold+0x1a/0x1f
[ 1010.715995]  ? die_addr+0x43/0x70
[ 1010.716002]  ? exc_general_protection+0x199/0x2f0
[ 1010.716016]  ? asm_exc_general_protection+0x1e/0x30
[ 1010.716026]  ? gtp_newlink+0x4d7/0x9c0 [gtp]
[ 1010.716034]  ? gtp_net_exit+0x150/0x150 [gtp]
[ 1010.716042]  __rtnl_newlink+0x1063/0x1700
[ 1010.716051]  ? rtnl_setlink+0x3c0/0x3c0
[ 1010.716063]  ? is_bpf_text_address+0xc0/0x1f0
[ 1010.716070]  ? kernel_text_address.part.0+0xbb/0xd0
[ 1010.716076]  ? __kernel_text_address+0x56/0xa0
[ 1010.716084]  ? unwind_get_return_address+0x5a/0xa0
[ 1010.716091]  ? create_prof_cpumask+0x30/0x30
[ 1010.716098]  ? arch_stack_walk+0x9e/0xf0
[ 1010.716106]  ? stack_trace_save+0x91/0xd0
[ 1010.716113]  ? stack_trace_consume_entry+0x170/0x170
[ 1010.716121]  ? __lock_acquire+0x15c5/0x5380
[ 1010.716139]  ? mark_held_locks+0x9e/0xe0
[ 1010.716148]  ? kmem_cache_alloc_trace+0x35f/0x3c0
[ 1010.716155]  ? __rtnl_newlink+0x1700/0x1700
[ 1010.716160]  rtnl_newlink+0x69/0xa0
[ 1010.716166]  rtnetlink_rcv_msg+0x43b/0xc50
[ 1010.716172]  ? rtnl_fdb_dump+0x9f0/0x9f0
[ 1010.716179]  ? lock_acquire+0x1fe/0x560
[ 1010.716188]  ? netlink_deliver_tap+0x12f/0xd50
[ 1010.716196]  netlink_rcv_skb+0x14d/0x440
[ 1010.716202]  ? rtnl_fdb_dump+0x9f0/0x9f0
[ 1010.716208]  ? netlink_ack+0xab0/0xab0
[ 1010.716213]  ? netlink_deliver_tap+0x202/0xd50
[ 1010.716220]  ? netlink_deliver_tap+0x218/0xd50
[ 1010.716226]  ? __virt_addr_valid+0x30b/0x590
[ 1010.716233]  netlink_unicast+0x54b/0x800
[ 1010.716240]  ? netlink_attachskb+0x870/0x870
[ 1010.716248]  ? __check_object_size+0x2de/0x3b0
[ 1010.716254]  netlink_sendmsg+0x938/0xe40
[ 1010.716261]  ? netlink_unicast+0x800/0x800
[ 1010.716269]  ? __import_iovec+0x292/0x510
[ 1010.716276]  ? netlink_unicast+0x800/0x800
[ 1010.716284]  __sock_sendmsg+0x159/0x190
[ 1010.716290]  ____sys_sendmsg+0x712/0x880
[ 1010.716297]  ? sock_write_iter+0x3d0/0x3d0
[ 1010.716304]  ? __ia32_sys_recvmmsg+0x270/0x270
[ 1010.716309]  ? lock_acquire+0x1fe/0x560
[ 1010.716315]  ? drain_array_locked+0x90/0x90
[ 1010.716324]  __sys_sendmsg+0xf8/0x170
[ 1010.716331]  ? sendmsg_copy_msghdr+0x170/0x170
[ 1010.716337]  ? lockdep_init_map ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26793.json",
    "cna_assigner": "Linux"
}
Affected packages

Linux / Kernel

Package name: Kernel

Affected ranges (Type: ECOSYSTEM)

Introduced   Fixed
4.7.0        4.19.309
4.20.0       5.4.271
5.5.0        5.10.212
5.11.0       5.15.151
5.16.0       6.1.81
6.2.0        6.6.21
6.7.0        6.7.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26793.json"