{"id":"CVE-2024-26737","summary":"bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\n\nThe following race is possible between bpf_timer_cancel_and_free\nand bpf_timer_cancel. It will lead a UAF on the timer-\u003etimer.\n\nbpf_timer_cancel();\n\tspin_lock();\n\tt = timer-\u003etime;\n\tspin_unlock();\n\n\t\t\t\t\tbpf_timer_cancel_and_free();\n\t\t\t\t\t\tspin_lock();\n\t\t\t\t\t\tt = timer-\u003etimer;\n\t\t\t\t\t\ttimer-\u003etimer = NULL;\n\t\t\t\t\t\tspin_unlock();\n\t\t\t\t\t\thrtimer_cancel(&t-\u003etimer);\n\t\t\t\t\t\tkfree(t);\n\n\t/* UAF on t */\n\thrtimer_cancel(&t-\u003etimer);\n\nIn bpf_timer_cancel_and_free, this patch frees the timer-\u003etimer\nafter a rcu grace period. This requires a rcu_head addition\nto the \"struct bpf_hrtimer\". Another kfree(t) happens in bpf_timer_init,\nthis does not need a kfree_rcu because it is still under the\nspin_lock and timer-\u003etimer has not been visible by others yet.\n\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\ncan be used in a non rcu critical section context (e.g. from\na sleepable bpf prog). Other timer-\u003etimer usages in helpers.c\nhave been audited, bpf_timer_cancel() is the only place where\ntimer-\u003etimer is used outside of the spin_lock.\n\nAnother solution considered is to mark a t-\u003eflag in bpf_timer_cancel\nand clear it after hrtimer_cancel() is done.  In bpf_timer_cancel_and_free,\nit busy waits for the flag to be cleared before kfree(t). This patch\ngoes with a straight forward solution and frees timer-\u003etimer after\na rcu grace period.","modified":"2026-04-02T10:05:44.940712Z","published":"2024-04-03T17:00:23.414Z","related":["ALSA-2024:4928","SUSE-SU-2024:1490-1","SUSE-SU-2024:1659-1","SUSE-SU-2024:1663-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26737.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26737.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26737"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b00628b1c7d595ae5b544e059c27b1f5828314b4"},{"fixed":"5268bb02107b9eedfdcd51db75b407d10043368c"},{"fixed":"addf5e297e6cbf5341f9c07720693ca9ba0057b5"},{"fixed":"8327ed12e8ebc5436bfaa1786c49988894f9c8a6"},{"fixed":"7d80a9e745fa5b47da3bca001f186c02485c7c33"},{"fixed":"0281b919e175bb9c3128bd3872ac2903e9436e3f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26737.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}