CVE-2024-42300

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.10.0-rc7+

Description The issue is related to a race condition in the z erofs get gbuf() function, where the current task may be migrated to another CPU between z erofs gbuf id() and spin lock(&gbuf->lock), triggering an issue in z erofs put gbuf(). This was found by a stress test, which caused a kernel bug. The call trace includes functions such as z erofs put gbuf(), z erofs lz4 decompress(), z erofs decompress queue(), z erofs runqueue(), and z erofs readahead().

Recommendations To resolve the issue, update the Linux kernel to a version later than 6.10.0-rc7+. As a temporary workaround, consider disabling the z erofs get gbuf() function until a patch is available. Restrict access to the vulnerable erofs module to minimize the risk of exploitation. Avoid using the z erofs put gbuf() function in the affected kernel versions until the issue is resolved.