{"id":"CVE-2024-40981","summary":"batman-adv: bypass empty buckets in batadv_purge_orig_ref()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: bypass empty buckets in batadv_purge_orig_ref()\n\nMany syzbot reports are pointing to soft lockups in\nbatadv_purge_orig_ref() [1]\n\nRoot cause is unknown, but we can avoid spending too much\ntime there and perhaps get more interesting reports.\n\n[1]\n\nwatchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621]\nModules linked in:\nirq event stamp: 6182794\n hardirqs last  enabled at (6182793): [\u003cffff8000801dae10\u003e] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\n hardirqs last disabled at (6182794): [\u003cffff80008ad66a78\u003e] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]\n hardirqs last disabled at (6182794): [\u003cffff80008ad66a78\u003e] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551\n softirqs last  enabled at (6182792): [\u003cffff80008aab71c4\u003e] spin_unlock_bh include/linux/spinlock.h:396 [inline]\n softirqs last  enabled at (6182792): [\u003cffff80008aab71c4\u003e] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n softirqs last disabled at (6182790): [\u003cffff80008aab61dc\u003e] spin_lock_bh include/linux/spinlock.h:356 [inline]\n softirqs last disabled at (6182790): [\u003cffff80008aab61dc\u003e] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271\nCPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_purge_orig\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline]\n pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388\n lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386\nsp : ffff800099007970\nx29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000\nx26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001\nx23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4\nx20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0\nx17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001\nx14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003\nx11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000\nx8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000\nCall trace:\n  __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]\n  arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline]\n  __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386\n  __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n  _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210\n  spin_unlock_bh include/linux/spinlock.h:396 [inline]\n  batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287\n  batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300\n  process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n  process_scheduled_works kernel/workqueue.c:2706 [inline]\n  worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n  kthread+0x288/0x310 kernel/kthread.c:388\n  ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51\n lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103\nsp : ffff800093a17d30\nx29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4\nx26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002\nx23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000\nx20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396\nx17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001\n---truncated---","modified":"2026-03-20T12:37:27.314654Z","published":"2024-07-12T12:32:16.277Z","related":["SUSE-SU-2024:2894-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40981.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/154e3f862ba33675cf3f4abf0a0a309a89df87d2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2685008a5f9a636434a8508419cee8158a2f52c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/40dc8ab605894acae1473e434944924a22cfaaa0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79636f636126775436a11ee9cf00a9253a33ac11"},{"type":"WEB","url":"https://git.kernel.org/stable/c/82cdea8f3af1e36543c937df963d108c60bea030"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92176caf9896572f00e741a93cecc0ef1172da07"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ae7f3cffe86aea3da0e8e079525a1ae619b8862a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fed7914858a1f1f3e6350bb0f620d6ef15107d16"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40981.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40981"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fb778ea173fcd58b8fc3d75c674f07fab187b55f"},{"fixed":"79636f636126775436a11ee9cf00a9253a33ac11"},{"fixed":"154e3f862ba33675cf3f4abf0a0a309a89df87d2"},{"fixed":"82cdea8f3af1e36543c937df963d108c60bea030"},{"fixed":"92176caf9896572f00e741a93cecc0ef1172da07"},{"fixed":"fed7914858a1f1f3e6350bb0f620d6ef15107d16"},{"fixed":"2685008a5f9a636434a8508419cee8158a2f52c8"},{"fixed":"ae7f3cffe86aea3da0e8e079525a1ae619b8862a"},{"fixed":"40dc8ab605894acae1473e434944924a22cfaaa0"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-40981.json"}}],"schema_version":"1.7.5"}