{"id":"CVE-2024-40900","summary":"cachefiles: remove requests from xarray during flushing requests","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: remove requests from xarray during flushing requests\n\nEven with CACHEFILES_DEAD set, we can still read the requests, so in the\nfollowing concurrency the request may be used after it has been freed:\n\n     mount  |   daemon_thread1    |    daemon_thread2\n------------------------------------------------------------\n cachefiles_ondemand_init_object\n  cachefiles_ondemand_send_req\n   REQ_A = kzalloc(sizeof(*req) + data_len)\n   wait_for_completion(&REQ_A-\u003edone)\n            cachefiles_daemon_read\n             cachefiles_ondemand_daemon_read\n                                  // close dev fd\n                                  cachefiles_flush_reqs\n                                   complete(&REQ_A-\u003edone)\n   kfree(REQ_A)\n              xa_lock(&cache-\u003ereqs);\n              cachefiles_ondemand_select_req\n                req-\u003emsg.opcode != CACHEFILES_OP_READ\n                // req use-after-free !!!\n              xa_unlock(&cache-\u003ereqs);\n                                   xa_destroy(&cache-\u003ereqs)\n\nHence remove requests from cache-\u003ereqs when flushing them to avoid\naccessing freed requests.","modified":"2026-04-02T12:17:18.076630Z","published":"2024-07-12T12:20:42.192Z","related":["SUSE-SU-2024:2894-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40900.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0fc75c5940fa634d84e64c93bfc388e1274ed013"},{"type":"WEB","url":"https://git.kernel.org/stable/c/37e19cf86a520d65de1de9cb330415c332a40d19"},{"type":"WEB","url":"https://git.kernel.org/stable/c/50d0e55356ba5b84ffb51c42704126124257e598"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40900.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40900"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c8383054506c77b814489c09877b5db83fd4abf2"},{"fixed":"9f13aacdd4ee9a7644b2a3c96d67113cd083c9c7"},{"fixed":"50d0e55356ba5b84ffb51c42704126124257e598"},{"fixed":"37e19cf86a520d65de1de9cb330415c332a40d19"},{"fixed":"0fc75c5940fa634d84e64c93bfc388e1274ed013"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40900.json"}}],"schema_version":"1.7.5"}