Linux · Linux Kernel · CVE-2024-56693
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.12.0-rc3+
**Description**
A vulnerability in the Linux kernel has been resolved, which could cause a use-after-free (UAF) issue. The problem occurs when the `brd init` function calls `brd alloc` before the ` register blkdev` function succeeds, and then releases successfully created disks when `brd init` returns an error. This can lead to a UAF situation in certain cases. The vulnerability was discovered during fault injection testing, which revealed errors such as "unable to handle page fault for address" and "Oops" messages. The `loop init` function is used as a reference to fix this problem.
**Recommendations**
To resolve this issue, update the Linux kernel to a version that includes the fix, which defers automatic disk creation until module initialization succeeds. Additionally, the `brd devices mutex` has been reintroduced to help serialize modifications to the `brd list`. For versions prior to 6.12.0-rc3+, apply the necessary patches or updates to ensure the `brd init` function is modified to follow the same logic as the `loop init` function, and the `brd devices mutex` is used to prevent concurrent modifications to the `brd list`.