{"id":"CVE-2024-36979","summary":"net: bridge: mst: fix vlan use-after-free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix vlan use-after-free\n\nsyzbot reported a suspicious rcu usage[1] in bridge's mst code. While\nfixing it I noticed that nothing prevents a vlan to be freed while\nwalking the list from the same path (br forward delay timer). Fix the rcu\nusage and also make sure we are not accessing freed memory by making\nbr_mst_vlan_set_state use rcu read lock.\n\n[1]\n WARNING: suspicious RCU usage\n 6.9.0-rc6-syzkaller #0 Not tainted\n -----------------------------\n net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!\n ...\n stack backtrace:\n CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n Call Trace:\n  \u003cIRQ\u003e\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n  nbp_vlan_group net/bridge/br_private.h:1599 [inline]\n  br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105\n  br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47\n  br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88\n  call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793\n  expire_timers kernel/time/timer.c:1844 [inline]\n  __run_timers kernel/time/timer.c:2418 [inline]\n  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429\n  run_timer_base kernel/time/timer.c:2438 [inline]\n  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448\n  __do_softirq+0x2c6/0x980 kernel/softirq.c:554\n  invoke_softirq kernel/softirq.c:428 [inline]\n  __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:645\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n  \u003c/IRQ\u003e\n  \u003cTASK\u003e\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758\n Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 \u003c4b\u003e c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25\n RSP: 0018:ffffc90013657100 EFLAGS: 00000206\n RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001\n RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60\n RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0\n R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28\n R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246","modified":"2026-04-16T04:38:30.751223375Z","published":"2024-06-19T13:35:12.708Z","related":["ALSA-2024:6567","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2025:0255-1","SUSE-SU-2025:0262-1","SUSE-SU-2025:0263-1","SUSE-SU-2025:0265-1","SUSE-SU-2025:0268-1","SUSE-SU-2025:0269-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36979.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36979.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36979"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ec7328b59176227216c461601c6bd0e922232a9b"},{"fixed":"8ca9a750fc711911ef616ceb627d07357b04545e"},{"fixed":"4488617e5e995a09abe4d81add5fb165674edb59"},{"fixed":"a2b01e65d9ba8af2bb086d3b7288ca53a07249ac"},{"fixed":"e43dd2b1ec746e105b7db5f9ad6ef14685a615a4"},{"fixed":"3a7c1661ae1383364cd6092d851f5e5da64d476b"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36979.json"}}],"schema_version":"1.7.5"}