CVE-2024-56584

Published: January 1, 2025Last modified: January 1, 2025

Description

In the Linux kernel, the following vulnerability has been resolved: io_uring/tctx: work around xa_store() allocation error issue syzbot triggered the following WARN_ON: WARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51 which is the WARN_ON_ONCE(!xa_empty(&tctx->xa)); sanity check in __io_uring_free() when a io_uring_task is going through its final put. The syzbot test case includes injecting memory allocation failures, and it very much looks like xa_store() can fail one of its memory allocations and end up with ->head being non-NULL even though no entries exist in the xarray. Until this issue gets sorted out, work around it by attempting to iterate entries in our xarray, and WARN_ON_ONCE() if one is found.

Status

References

• https://git.kernel.org/stable/c/42882b583095dcf747da6e3af1daeff40e27033e
• https://git.kernel.org/stable/c/7eb75ce7527129d7f1fee6951566af409a37a1c4
• https://git.kernel.org/stable/c/94ad56f61b873ffeebcc620d451eacfbdf9d40f0
• https://git.kernel.org/stable/c/d5b2ddf1f90c7248eff9630b95895c8950f2f36d