{"id":"CVE-2024-26983","summary":"bootconfig: use memblock_free_late to free xbc memory to buddy","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[    9.410890] ==================================================================\n[    9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[    9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[    9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G     U             6.9.0-rc3-00208-g586b5dfb51b9 #5\n[    9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[    9.460789] Call Trace:\n[    9.463518]  \u003cTASK\u003e\n[    9.465859]  dump_stack_lvl+0x53/0x70\n[    9.469949]  print_report+0xce/0x610\n[    9.473944]  ? __virt_addr_valid+0xf5/0x1b0\n[    9.478619]  ? memblock_isolate_range+0x12d/0x260\n[    9.483877]  kasan_report+0xc6/0x100\n[    9.487870]  ? memblock_isolate_range+0x12d/0x260\n[    9.493125]  memblock_isolate_range+0x12d/0x260\n[    9.498187]  memblock_phys_free+0xb4/0x160\n[    9.502762]  ? __pfx_memblock_phys_free+0x10/0x10\n[    9.508021]  ? mutex_unlock+0x7e/0xd0\n[    9.512111]  ? __pfx_mutex_unlock+0x10/0x10\n[    9.516786]  ? kernel_init_freeable+0x2d4/0x430\n[    9.521850]  ? __pfx_kernel_init+0x10/0x10\n[    9.526426]  xbc_exit+0x17/0x70\n[    9.529935]  kernel_init+0x38/0x1e0\n[    9.533829]  ? _raw_spin_unlock_irq+0xd/0x30\n[    9.538601]  ret_from_fork+0x2c/0x50\n[    9.542596]  ? __pfx_kernel_init+0x10/0x10\n[    9.547170]  ret_from_fork_asm+0x1a/0x30\n[    9.551552]  \u003c/TASK\u003e\n\n[    9.555649] The buggy address belongs to the physical page:\n[    9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[    9.570821] flags: 0x200000000000000(node=0|zone=2)\n[    9.576271] page_type: 0xffffffff()\n[    9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[    9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[    9.597476] page dumped because: kasan: bad access detected\n\n[    9.605362] Memory state around the buggy address:\n[    9.610714]  ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    9.618786]  ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[    9.626857] \u003effff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.634930]                    ^\n[    9.638534]  ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.646605]  ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[    9.654675] ==================================================================","modified":"2026-04-16T04:31:45.523697615Z","published":"2024-05-01T05:27:15.635Z","related":["SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20249-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26983.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35"},{"type":"WEB","url":"https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26983.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26983"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"40caa127f3c7279c75cb0c9684559fa314ee3a66"},{"fixed":"1e7feb31a18c197d63a5e606025ed63c762f8918"},{"fixed":"e46d3be714ad9652480c6db129ab8125e2d20ab7"},{"fixed":"5a7dfb8fcd3f29fc93161100179b27f24f3d5f35"},{"fixed":"89f9a1e876b5a7ad884918c03a46831af202c8a0"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26983.json"}}],"schema_version":"1.7.5"}