{"id":"AZL-58992","summary":"CVE-2024-57979 affecting package kernel for versions less than 5.15.180.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npps: Fix a use-after-free\n\nOn a board running ntpd and gpsd, I'm seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\n\n    pps pps1: removed\n    ------------[ cut here ]------------\n    kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.\n    WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\n    CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\n    Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : kobject_put+0x120/0x150\n    lr : kobject_put+0x120/0x150\n    sp : ffffffc0803d3ae0\n    x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\n    x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\n    x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\n    x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\n    x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\n    x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\n    x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n    x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n    x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n    Call trace:\n     kobject_put+0x120/0x150\n     cdev_put+0x20/0x3c\n     __fput+0x2c4/0x2d8\n     ____fput+0x1c/0x38\n     task_work_run+0x70/0xfc\n     do_exit+0x2a0/0x924\n     do_group_exit+0x34/0x90\n     get_signal+0x7fc/0x8c0\n     do_signal+0x128/0x13b4\n     do_notify_resume+0xdc/0x160\n     el0_svc+0xd4/0xf8\n     el0t_64_sync_handler+0x140/0x14c\n     el0t_64_sync+0x190/0x194\n    ---[ end trace 0000000000000000 ]---\n\n...followed by more symptoms of corruption, with similar stacks:\n\n    refcount_t: underflow; use-after-free.\n    kernel BUG at lib/list_debug.c:62!\n    Kernel panic - not syncing: Oops - BUG: Fatal exception\n\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can't explain why it suddenly started happening every time\nI reboot this particular board.\n\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I've\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\n\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps-\u003edev refcount can't reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps-\u003edev.\n\n    pps_core: source serial1 got cdev (251:1)\n    \u003c...\u003e\n    pps pps1: removed\n    pps_core: unregistering pps1\n    pps_core: deallocating pps1","modified":"2026-04-01T05:19:49.959028Z","published":"2025-02-27T02:15:11Z","upstream":["CVE-2024-57979"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57979"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.15.180.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-58992.json"}}],"schema_version":"1.7.5"}