{"id":"CVE-2024-26957","summary":"s390/zcrypt: fix reference counting on zcrypt card objects","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crypto cards on KVM guests with debug\nkernel build revealed a use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n    kernel:  kmalloc_trace+0x3f2/0x470\n    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]\n    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n    kernel:  ap_device_probe+0x15c/0x290\n    kernel:  really_probe+0xd2/0x468\n    kernel:  driver_probe_device+0x40/0xf0\n    kernel:  __device_attach_driver+0xc0/0x140\n    kernel:  bus_for_each_drv+0x8c/0xd0\n    kernel:  __device_attach+0x114/0x198\n    kernel:  bus_probe_device+0xb4/0xc8\n    kernel:  device_add+0x4d2/0x6e0\n    kernel:  ap_scan_adapter+0x3d0/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n    kernel:  kfree+0x37e/0x418\n    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]\n    kernel:  ap_device_remove+0x4c/0xe0\n    kernel:  device_release_driver_internal+0x1c4/0x270\n    kernel:  bus_remove_device+0x100/0x188\n    kernel:  device_del+0x164/0x3c0\n    kernel:  device_unregister+0x30/0x90\n    kernel:  ap_scan_adapter+0xc8/0x7c0\n    kernel:  ap_scan_bus+0x5a/0x3b0\n    kernel:  ap_scan_bus_wq_callback+0x40/0x60\n    kernel:  
process_one_work+0x26e/0x620\n    kernel:  worker_thread+0x21c/0x440\n    kernel:  kthread+0x150/0x168\n    kernel:  __ret_from_fork+0x3c/0x58\n    kernel:  ret_from_fork+0xa/0x30\n    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........\n    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk\n    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.\n    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........\n    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ\n    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n    kernel: Call Trace:\n    kernel:  [\u003c00000000ca5ab5b8\u003e] dump_stack_lvl+0x90/0x120\n    kernel:  [\u003c00000000c99d78bc\u003e] check_bytes_and_report+0x114/0x140\n    kernel:  [\u003c00000000c99d53cc\u003e] check_object+0x334/0x3f8\n    kernel:  [\u003c00000000c99d820c\u003e] alloc_debug_processing+0xc4/0x1f8\n    kernel:  [\u003c00000000c99d852e\u003e] get_partial_node.part.0+0x1ee/0x3e0\n    kernel:  [\u003c00000000c99d94ec\u003e] ___slab_alloc+0xaf4/0x13c8\n    kernel:  [\u003c00000000c99d9e38\u003e] 
__slab_alloc.constprop.0+0x78/0xb8\n    kernel:  [\u003c00000000c99dc8dc\u003e] __kmalloc+0x434/0x590\n    kernel:  [\u003c00000000c9b4c0ce\u003e] ext4_htree_store_dirent+0x4e/0x1c0\n    kernel:  [\u003c00000000c9b908a2\u003e] htree_dirblock_to_tree+0x17a/0x3f0\n    kernel: \n---truncated---","modified":"2026-04-02T10:06:32.624278Z","published":"2024-05-01T05:19:00.134Z","related":["SUSE-SU-2024:1979-1","SUSE-SU-2024:1983-1","SUSE-SU-2024:2008-1","SUSE-SU-2024:2019-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2184-1","SUSE-SU-2024:2190-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20249-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26957.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484"},{"type":"WEB","url":"https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26957.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26957"},{"type":"PAC
KAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e28d2af43614eb86f59812e7221735fc221bbc10"},{"fixed":"7e500849fa558879a1cde43f80c7c048c2437058"},{"fixed":"9daddee03de3f231012014dab8ab2b277a116a55"},{"fixed":"6470078ab3d8f222115e11c4ec67351f3031b3dd"},{"fixed":"a55677878b93e9ebc31f66d0e2fb93be5e7836a6"},{"fixed":"b7f6c3630eb3f103115ab0d7613588064f665d0d"},{"fixed":"a64ab862e84e3e698cd351a87cdb504c7fc575ca"},{"fixed":"befb7f889594d23e1b475720cf93efd2f77df000"},{"fixed":"394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484"},{"fixed":"50ed48c80fecbe17218afed4f8bed005c802976c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26957.json"}}],"schema_version":"1.7.5"}