CVE-2024-56592

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56592
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56592.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56592
Downstream
Related
Published
2024-12-27T14:50:59Z
Modified
2025-10-17T19:00:22.431296Z
Summary
bpf: Call free_htab_elem() after htab_unlock_bucket()
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Call free_htab_elem() after htab_unlock_bucket()

For htab of maps, when the map is removed from the htab, it may hold the last reference of the map. bpf_map_fd_put_ptr() will invoke bpf_map_free_id() to free the id of the removed map element. However, bpf_map_fd_put_ptr() is invoked while holding a bucket lock (raw_spinlock_t), and bpf_map_free_id() attempts to acquire map_idr_lock (spinlock_t), triggering the following lockdep warning:

=============================
[ BUG: Invalid wait context ]
6.11.0-rc4+ #49 Not tainted
-----------------------------
test_maps/4881 is trying to lock:
ffffffff84884578 (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.0+0x21/0x70
other info that might help us debug this:
context-{5:5}
2 locks held by test_maps/4881:
#0: ffffffff846caf60 (rcu_read_lock){....}-{1:3}, at: bpf_fd_htab_map_update_elem+0xf9/0x270
#1: ffff888149ced148 (&htab->lockdep_key#2){....}-{2:2}, at: htab_map_update_elem+0x178/0xa80
stack backtrace:
CPU: 0 UID: 0 PID: 4881 Comm: test_maps Not tainted 6.11.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...
Call Trace:
<TASK>
dump_stack_lvl+0x6e/0xb0
dump_stack+0x10/0x20
__lock_acquire+0x73e/0x36c0
lock_acquire+0x182/0x450
_raw_spin_lock_irqsave+0x43/0x70
bpf_map_free_id.part.0+0x21/0x70
bpf_map_put+0xcf/0x110
bpf_map_fd_put_ptr+0x9a/0xb0
free_htab_elem+0x69/0xe0
htab_map_update_elem+0x50f/0xa80
bpf_fd_htab_map_update_elem+0x131/0x270
htab_map_update_elem+0x50f/0xa80
bpf_fd_htab_map_update_elem+0x131/0x270
bpf_map_update_value+0x266/0x380
__sys_bpf+0x21bb/0x36b0
__x64_sys_bpf+0x45/0x60
x64_sys_call+0x1b2a/0x20d0
do_syscall_64+0x5d/0x100
entry_SYSCALL_64_after_hwframe+0x76/0x7e

One way to fix the lockdep warning is using raw_spinlock_t for map_idr_lock as well. However, because bpf_map_alloc_id() invokes idr_alloc_cyclic() after acquiring map_idr_lock, it will trigger a similar lockdep warning, since the slab's lock (s->cpu_slab->lock) is still a spinlock.

Instead of changing map_idr_lock's type, fix the issue by invoking htab_put_fd_value() after htab_unlock_bucket(). However, only deferring the invocation of htab_put_fd_value() is not enough, because the old map pointers in htab of maps cannot be saved during batched deletion. Therefore, also defer the invocation of free_htab_elem(), so these to-be-freed elements can be linked together, similar to the lru map.

There are four callers for ->map_fd_put_ptr:

(1) alloc_htab_elem() (through htab_put_fd_value())
It invokes ->map_fd_put_ptr() under a raw_spinlock_t. The invocation of htab_put_fd_value() cannot simply move after htab_unlock_bucket(), because the old element has already been stashed in htab->extra_elems. It may be reused immediately after htab_unlock_bucket(), and the invocation of htab_put_fd_value() after htab_unlock_bucket() may release the newly-added element incorrectly. Therefore, save the map pointer of the old element for htab of maps before unlocking the bucket, and release the map_ptr after unlock. Besides the map pointer in the old element, do the same thing for the special fields in the old element as well.

(2) free_htab_elem() (through htab_put_fd_value())
Its callers include __htab_map_lookup_and_delete_elem(), htab_map_delete_elem() and __htab_map_lookup_and_delete_batch().

For htab_map_delete_elem(), simply invoke free_htab_elem() after htab_unlock_bucket(). For __htab_map_lookup_and_delete_batch(), just like the lru map, link the to-be-freed element into the node_to_free list and invoke free_htab_elem() for these elements after unlock. It is safe to reuse batch_flink as the link for node_to_free, because these elements have been removed from the hash llist.

Because htab of maps doesn't support the lookup_and_delete operation, __htab_map_lookup_and_delete_elem() doesn't have the problem, so kept it as ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f3f1c054c288bb6e503005e6d73611151ed20e91
Fixed
10e8a2dec9ff1b81de8e892b0850924038adbc6d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f3f1c054c288bb6e503005e6d73611151ed20e91
Fixed
a50b4aa3007e63a590d501341f304676ebc74b3b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f3f1c054c288bb6e503005e6d73611151ed20e91
Fixed
b9e9ed90b10c82a4e9d4d70a2890f06bfcdd3b78

Affected versions

v4.*

v4.12
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.2
v6.12.3
v6.12.4
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.13.0
Fixed
6.6.66
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.5