{"id":"CVE-2024-57979","summary":"pps: Fix a use-after-free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npps: Fix a use-after-free\n\nOn a board running ntpd and gpsd, I'm seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\n\n    pps pps1: removed\n    ------------[ cut here ]------------\n    kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called.\n    WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\n    CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\n    Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : kobject_put+0x120/0x150\n    lr : kobject_put+0x120/0x150\n    sp : ffffffc0803d3ae0\n    x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\n    x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\n    x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\n    x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\n    x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\n    x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\n    x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n    x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n    x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n    Call trace:\n     kobject_put+0x120/0x150\n     cdev_put+0x20/0x3c\n     __fput+0x2c4/0x2d8\n     ____fput+0x1c/0x38\n     task_work_run+0x70/0xfc\n     do_exit+0x2a0/0x924\n     do_group_exit+0x34/0x90\n     get_signal+0x7fc/0x8c0\n     do_signal+0x128/0x13b4\n     do_notify_resume+0xdc/0x160\n     el0_svc+0xd4/0xf8\n     el0t_64_sync_handler+0x140/0x14c\n     el0t_64_sync+0x190/0x194\n    ---[ end trace 0000000000000000 ]---\n\n...followed by more symptoms of corruption, with similar stacks:\n\n    refcount_t: underflow; use-after-free.\n    kernel BUG at lib/list_debug.c:62!\n    Kernel panic - not syncing: Oops - BUG: Fatal exception\n\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can't explain why it suddenly started happening every time\nI reboot this particular board.\n\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I've\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\n\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps-\u003edev refcount can't reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps-\u003edev.\n\n    pps_core: source serial1 got cdev (251:1)\n    \u003c...\u003e\n    pps pps1: removed\n    pps_core: unregistering pps1\n    pps_core: deallocating pps1","modified":"2026-05-18T05:57:21.229296784Z","published":"2025-02-27T02:07:06.168Z","related":["ALSA-2025:2473","ALSA-2025:2474","SUSE-SU-2025:01919-1","SUSE-SU-2025:0847-1","SUSE-SU-2025:1178-1","SUSE-SU-2025:1180-1","SUSE-SU-2025:1293-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7521-2"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57979.json"},"references":[{"type":"WEB","url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1a7735ab2cb9747518a7416fb5929e85442dec62"},{"type":"WEB","url":"https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e5ee3281dc09014367f5112b6d566ba36ea2d49"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85241f7de216f8298f6e48540ea13d7dcd100870"},{"type":"WEB","url":"https://git.kernel.org/stable/c/91932db1d96b2952299ce30c1c693d834d10ace6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c79a39dc8d060b9e64e8b0fa9d245d44befeefbe"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57979.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57979"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d953e0e837e65ecc1ddaa4f9560f7925878a0de6"},{"fixed":"785c78ed0d39d1717cca3ef931d3e51337b5e90e"},{"fixed":"1a7735ab2cb9747518a7416fb5929e85442dec62"},{"fixed":"c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7"},{"fixed":"91932db1d96b2952299ce30c1c693d834d10ace6"},{"fixed":"cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64"},{"fixed":"7e5ee3281dc09014367f5112b6d566ba36ea2d49"},{"fixed":"85241f7de216f8298f6e48540ea13d7dcd100870"},{"fixed":"c79a39dc8d060b9e64e8b0fa9d245d44befeefbe"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"77327a71f9841b7dfa708195d1cb133d4ef4a989"},{"last_affected":"cd59fb14918a6b20c1ac8be121fa6397b97b00cb"},{"last_affected":"49626fbb0360332e40fd76a48cb2ba876d6134ad"}]}],"versions":["v3.4.86","v3.4.85","v3.4.84","v3.4.83","v3.4.82","v3.4.81","v3.4.80","v3.4.79","v3.4.78","v3.4.77","v3.4.76","v3.4.75","v3.4.74","v3.4.73","v3.4.72","v3.4.71","v3.4.70","v3.4.69","v3.4.68","v3.4.67","v3.4.66","v3.4.65","v3.4.64","v3.4.63","v3.4.62","v3.4.61","v3.4.60","v3.4.59","v3.4.58","v3.4.57","v3.4.56","v3.4.55","v3.4.54","v3.4.53","v3.4.52","v3.4.51","v3.4.50","v3.4.49","v3.4.48","v3.4.47","v3.4.46","v3.4.45","v3.4.44","v3.4.43","v3.4.42","v3.4.41","v3.4.40","v3.4.39","v3.8","v3.4.38","v3.4.37","v3.4.36","v3.4.35","v3.2.39","v3.4.34","v3.4.33","v3.8-rc7","v3.4.32","v3.8-rc6","v3.2.38","v3.8-rc5","v3.4.31","v3.4.30","v3.8-rc2","v3.4.29","v3.2.37","v3.4.28","v3.8-rc1","v3.8-rc3","v3.8-rc4","v3.4.27","v3.4.26","v3.4.25","v3.2.36","v3.7","v3.4.24","v3.2.35","v3.4.23","v3.7-rc1","v3.6","v3.7-rc6","v3.7-rc7","v3.4.22","v3.7-rc3","v3.7-rc8","v3.2.34","v3.4.21","v3.4.20","v3.7-rc2","v3.4.19","v3.7-rc4","v3.7-rc5","v3.4.18","v3.2.33","v3.4.17","v3.4.16","v3.2.32","v3.4.15","v3.4.14","v3.2.31","v3.4.13","v3.2.30","v3.6-rc7","v3.4.12","v3.6-rc1","v3.5-rc3","v3.4.11","v3.6-rc6","v3.6-rc5","v3.5","v3.6-rc3","v3.6-rc4","v3.2.29","v3.6-rc2","v3.4.10","v3.2.28","v3.4-rc4","v3.4.9","v3.2.27","v3.4.8","v3.2.26","v3.4.7","v3.2.25","v3.2.24","v3.4.6","v3.5-rc7","v3.2.23","v3.5-rc5","v3.5-rc6","v3.4.5","v3.4.4","v3.5-rc2","v3.2.22","v3.5-rc1","v3.5-rc4","v3.2.21","v3.4","v3.4.3","v3.2.20","v3.4.2","v3.2.19","v3.4.1","v3.2.18","v3.4-rc2","v3.4-rc1","v3.2.17","v3.4-rc7","v3.4-rc6","v3.4-rc3","v3.4-rc5","v3.2.16","v3.2.15","v3.3","v3.2.14","v3.2.13","v3.3-rc6","v3.3-rc3","v3.2.12","v3.3-rc7","v3.2.11","v3.3-rc2","v3.3-rc5","v3.2","v3.2.10","v3.3-rc4","v3.2.9","v3.3-rc1","v3.2.8","v3.2.7","v3.2.6","v3.2.5","v3.2.4","v3.2.3","v3.2.2","v3.2.1","v3.2-rc4","v3.2-rc7","v3.2-rc6","v3.2-rc5","v3.2-rc3","v3.1","v3.2-rc2","v3.2-rc1","v3.1-rc1","v3.1-rc9","v3.1-rc8","v3.1-rc10","v3.1-rc7","v3.1-rc3","v3.1-rc2","v3.1-rc4","v3.1-rc5","v3.0","v3.1-rc6","v3.0-rc7","v3.0-rc4","v3.0-rc6","v3.0-rc5","v3.0-rc3","v3.0-rc1","v2.6.39","v3.0-rc2","v2.6.38","v2.6.39-rc2","v2.6.39-rc7","v2.6.39-rc5","v2.6.39-rc1","v2.6.38-rc7","v2.6.39-rc6","v2.6.39-rc4","v2.6.39-rc3","v2.6.37","v2.6.38-rc1","v2.6.38-rc8","v2.6.38-rc2","v2.6.38-rc6","v2.6.38-rc5","v2.6.38-rc4","v2.6.38-rc3","v2.6.37-rc4","v2.6.37-rc2","v2.6.36","v2.6.37-rc5","v2.6.37-rc8","v2.6.37-rc7","v2.6.37-rc6","v2.6.37-rc1","v2.6.37-rc3","v2.6.36-rc6","v2.6.35-rc4","v2.6.36-rc8","v2.6.35","v2.6.36-rc7","v2.6.36-rc3","v2.6.36-rc5","v2.6.36-rc4","v2.6.36-rc2","v2.6.36-rc1","v2.6.35-rc5","v2.6.35-rc6","v2.6.34","v2.6.35-rc3","v2.6.35-rc1","v2.6.35-rc2","v2.6.34-rc7","v2.6.34-rc6","v2.6.34-rc5","v2.6.34-rc4","v2.6.34-rc3","v2.6.34-rc2","v2.6.34-rc1","v2.6.33","v2.6.33-rc6","v2.6.33-rc8","v2.6.33-rc4","v2.6.33-rc5","v2.6.33-rc3","v2.6.33-rc7","v2.6.33-rc2","v2.6.32","v2.6.33-rc1","v2.6.32-rc8","v2.6.32-rc7","v2.6.32-rc6","v2.6.31","v2.6.32-rc5","v2.6.32-rc4","v2.6.32-rc2","v2.6.32-rc1","v2.6.32-rc3","v2.6.31-rc9","v2.6.31-rc1","v2.6.31-rc7","v2.6.31-rc8","v2.6.31-rc6","v2.6.30-rc6","v2.6.30","v2.6.31-rc4","v2.6.31-rc5","v2.6.31-rc3","v2.6.31-rc2","v2.6.30-rc7","v2.6.30-rc8","v2.6.30-rc5","v2.6.30-rc3","v2.6.30-rc4","v2.6.30-rc1","v2.6.30-rc2","v2.6.29","v2.6.29-rc8","v2.6.29-rc7","v2.6.29-rc5","v2.6.29-rc1","v2.6.29-rc6","v2.6.29-rc4","v2.6.29-rc3","v2.6.29-rc2","v2.6.28","v2.6.28-rc7","v2.6.28-rc9","v2.6.28-rc8","v2.6.28-rc6","v2.6.28-rc5","v2.6.28-rc4","v2.6.28-rc2","v2.6.28-rc3","v2.6.28-rc1","v2.6.27","v2.6.27-rc7","v2.6.27-rc9","v2.6.27-rc8","v2.6.27-rc5","v2.6.27-rc6","v2.6.27-rc4","v2.6.27-rc1","v2.6.27-rc3","v2.6.27-rc2","v2.6.26","v2.6.26-rc9","v2.6.26-rc8","v2.6.26-rc3","v2.6.26-rc7","v2.6.26-rc6","v2.6.26-rc5","v2.6.26-rc4","v2.6.26-rc2","v2.6.26-rc1","v2.6.25","v2.6.25-rc7","v2.6.25-rc9","v2.6.25-rc8","v2.6.25-rc6","v2.6.25-rc5","v2.6.25-rc3","v2.6.25-rc4","v2.6.24","v2.6.25-rc2","v2.6.25-rc1","v2.6.24-rc8","v2.6.24-rc7","v2.6.24-rc6","v2.6.24-rc5","v2.6.24-rc4","v2.6.24-rc3","v2.6.24-rc2","v2.6.24-rc1","v2.6.23","v2.6.23-rc9","v2.6.23-rc8","v2.6.23-rc5","v2.6.23-rc7","v2.6.23-rc6","v2.6.23-rc4","v2.6.23-rc3","v2.6.23-rc2","v2.6.23-rc1","v2.6.22","v2.6.22-rc7","v2.6.22-rc6","v2.6.22-rc5","v2.6.22-rc4","v2.6.22-rc3","v2.6.22-rc2","v2.6.22-rc1","v2.6.21","v2.6.21-rc7","v2.6.21-rc6","v2.6.21-rc5","v2.6.21-rc4","v2.6.21-rc3","v2.6.21-rc2","v2.6.21-rc1","v2.6.20-rc7","v2.6.20-rc6","v2.6.20-rc5","v2.6.20-rc4","v2.6.20-rc3","v2.6.20-rc1","v2.6.20-rc2","v2.6.19-rc2","v2.6.18","v2.6.19-rc1","v2.6.18-rc6","v2.6.18-rc5","v2.6.18-rc3","v2.6.18-rc2","v2.6.18-rc1","v2.6.17","v2.6.17-rc4","v2.6.17-rc6","v2.6.17-rc5","v2.6.17-rc3","v2.6.17-rc2","v2.6.17-rc1","v2.6.16","v2.6.16-rc6","v2.6.16-rc4","v2.6.16-rc5","v2.6.16-rc3","v2.6.16-rc2","v2.6.16-rc1","v2.6.15-rc7","v2.6.15-rc5","v2.6.15-rc4","v2.6.15-rc2","v2.6.15-rc1","v2.6.14-rc3","v2.6.14-rc2","v2.6.14-rc1","v2.6.13","v2.6.13-rc7","v2.6.13-rc6","v2.6.13-rc5","v2.6.13-rc3","v2.6.13-rc4","v2.6.13-rc2","v2.6.13-rc1","v2.6.12-rc4","v2.6.12-rc3","v2.6.12-rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57979.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.9.0"},{"fixed":"5.4.291"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.235"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.179"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.129"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.76"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.13"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.13.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57979.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}