{"id":"CVE-2024-49982","summary":"aoe: fix the potential use-after-free problem in more places","details":"In the Linux kernel, the following vulnerability has been resolved:\n\naoe: fix the potential use-after-free problem in more places\n\nFor fixing CVE-2023-6270, f98364e92662 (\"aoe: fix the potential\nuse-after-free problem in aoecmd_cfg_pkts\") makes tx() calling dev_put()\ninstead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs\ninto use-after-free.\n\nThen Nicolai Stange found more places in aoe have potential use-after-free\nproblem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()\nand aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push\npacket to tx queue. So they should also use dev_hold() to increase the\nrefcnt of skb-\u003edev.\n\nOn the other hand, moving dev_put() to tx() causes that the refcnt of\nskb-\u003edev be reduced to a negative value, because corresponding\ndev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),\nprobe(), and aoecmd_cfg_rsp(). This patch fixed this issue.","modified":"2026-03-20T12:39:29.851671Z","published":"2024-10-21T18:02:27.820Z","related":["MGASA-2024-0344","MGASA-2024-0345","SUSE-SU-2024:3983-1","SUSE-SU-2024:3984-1","SUSE-SU-2024:3985-1","SUSE-SU-2024:3986-1","SUSE-SU-2024:4038-1","SUSE-SU-2024:4081-1","SUSE-SU-2024:4082-1","SUSE-SU-2024:4100-1","SUSE-SU-2024:4103-1","SUSE-SU-2024:4131-1","SUSE-SU-2024:4140-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:0034-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49982.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/12f7b89dd72b25da4eeaa22097877963cad6418e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58"},{"type":"WEB","url":"https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a786265aecf39015418e4f930cc1c14603a01490"},{"type":"WEB","url":"https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49982.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49982"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ad80c34944d7175fa1f5c7a55066020002921a99"},{"fixed":"12f7b89dd72b25da4eeaa22097877963cad6418e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1a54aa506b3b2f31496731039e49778f54eee881"},{"fixed":"a786265aecf39015418e4f930cc1c14603a01490"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"faf0b4c5e00bb680e8e43ac936df24d3f48c8e65"},{"fixed":"f63461af2c1a86af4217910e47a5c46e3372e645"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4"},{"fixed":"07b418d50ccbbca7e5d87a3a0d41d436cefebf79"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"74ca3ef68d2f449bc848c0a814cefc487bf755fa"},{"fixed":"bc2cbf7525ac288e07d465f5a1d8cb8fb9599254"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"eb48680b0255a9e8a9bdc93d6a55b11c31262e62"},{"fixed":"acc5103a0a8c200a52af7d732c36a8477436a3d3"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f98364e926626c678fb4b9004b75cacf92ff0662"},{"fixed":"89d9a69ae0c667e4d9d028028e2dcc837bae626f"},{"fixed":"8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58"},{"fixed":"6d6e54fc71ad1ab0a87047fd9c211e75d86084a3"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"079cba4f4e307c69878226fdf5228c20aa1c969c"},{"last_affected":"a16fbb80064634b254520a46395e36b87ca4731e"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49982.json"}}],"schema_version":"1.7.5"}