PT-2024-31355 · Linux+7 · Linux Kernel+7

Max Kellermann · Published 2024-08-12 · Updated 2025-09-29 · CVE-2024-45000

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.6.50

Description

A NULL pointer dereference bug has been identified in the Linux kernel due to a data race. This issue occurs when the fscache_cookie_state_machine() function is slow and still running while another process invokes fscache_unuse_cookie(), leading to a fscache_cookie_lru_do_one() call that sets the FSCACHE_COOKIE_DO_LRU_DISCARD flag. This flag is then picked up by fscache_cookie_state_machine(), which withdraws the cookie via cachefiles_withdraw_cookie() and clears cookie->cache_priv. At the same time, another process may invoke cachefiles_prepare_write(), finding a NULL pointer in the code line struct cachefiles_object *object = cachefiles_cres_object(cres), causing a crash. The n_accesses counter is non-zero during cachefiles_prepare_write() (via fscache_begin_operation()), and the cookie must not be withdrawn until this counter drops to zero. The counter is checked by fscache_cookie_state_machine() before switching to certain states, but not for FSCACHE_COOKIE_STATE_LRU_DISCARDING. This patch adds the missing check, ensuring that with a non-zero access counter, the function returns and the next fscache_end_cookie_access() call will queue another fscache_cookie_state_machine() call to handle the still-pending FSCACHE_COOKIE_DO_LRU_DISCARD.

Recommendations

To resolve this issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider disabling the cachefiles_prepare_write() function until a patch is available. However, this may have performance implications and should be carefully evaluated before implementation.
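
The ordering described above can be replayed in a small user-space model. This is an added example, not kernel code or the upstream patch: every model_* name is hypothetical, the interleaving is run single-threaded in a fixed order, and only the access-counter check from the description is modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified single-threaded model of the race; all model_* names are hypothetical. */
struct model_cookie {
    int   n_accesses;      /* operations in flight, e.g. a prepare-write */
    bool  do_lru_discard;  /* stands in for FSCACHE_COOKIE_DO_LRU_DISCARD */
    bool  queued;          /* state machine has been asked to run again */
    void *cache_priv;      /* backend object; NULL once withdrawn */
};

/* One state machine pass. check_accesses=false models the behaviour before the fix. */
static void model_state_machine(struct model_cookie *c, bool check_accesses)
{
    c->queued = false;
    if (!c->do_lru_discard)
        return;
    if (check_accesses && c->n_accesses > 0)
        return;                /* leave the discard flag pending */
    c->do_lru_discard = false;
    c->cache_priv = NULL;      /* withdraw the cookie */
}

static void model_end_access(struct model_cookie *c)
{
    if (--c->n_accesses == 0 && c->do_lru_discard)
        c->queued = true;      /* re-run the state machine for the pending flag */
}

/* Replays the interleaving. Bit 0: writer still saw its object; bit 1: withdrawn at the end. */
int model_replay(bool check_accesses)
{
    static int backend;        /* constructed stand-in for the cache object */
    struct model_cookie c = { 0, false, false, &backend };
    c.n_accesses++;            /* writer begins its operation */
    c.do_lru_discard = true;   /* LRU pass marks the cookie for discard */
    model_state_machine(&c, check_accesses);
    int saw_object = (c.cache_priv != NULL);
    model_end_access(&c);      /* writer finishes */
    if (c.queued)
        model_state_machine(&c, check_accesses);
    return saw_object | ((c.cache_priv == NULL) << 1);
}

int main(void)
{
    printf("without check: %d, with check: %d\n", model_replay(false), model_replay(true));
    return 0;
}
```

With the check, the withdrawal is deferred until the writer ends its access and still completes afterwards; without it, the writer is left holding a NULL object pointer.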

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2024-11855
ALT-PU-2024-11863
ALT-PU-2024-12053
ALT-PU-2024-13121
ALT-PU-2024-13260
ALT-PU-2024-13979
ALT-PU-2024-14046
AZL-48700
BDU:2025-01963
CVE-2024-45000
DLA-4008-1
DSA-5782-1
INFSA-2025_6966
MGASA-2024-0309
MGASA-2024-0310
OESA-2024-2181
OPENSUSE-SU-2024_3551-1
OPENSUSE-SU-2024_3561-1
OPENSUSE-SU-2024_3564-1
OPENSUSE-SU-2024_3587-1
OPENSUSE-SU-2024_3592-1
RHSA-2025:6966
RHSA-2025_6966
SUSE-SU-2024:3551-1
SUSE-SU-2024:3553-1
SUSE-SU-2024:3561-1
SUSE-SU-2024:3564-1
SUSE-SU-2024:3569-1
SUSE-SU-2024:3587-1
SUSE-SU-2024:3592-1
SUSE-SU-2025:20073-1
SUSE-SU-2025:20077-1
USN-7154-1
USN-7154-2
USN-7155-1
USN-7156-1
USN-7196-1

Affected Products

Alt Linux
Astra Linux
Linux Mint
Linux Kernel
Red Hat
RED OS
SUSE
Ubuntu