{"id":"CVE-2024-47748","summary":"vhost_vdpa: assign irq bypass producer token correctly","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_vdpa: assign irq bypass producer token correctly\n\nWe used to call irq_bypass_unregister_producer() in\nvhost_vdpa_setup_vq_irq() which is problematic as we don't know if the\ntoken pointer is still valid or not.\n\nActually, we use the eventfd_ctx as the token so the life cycle of the\ntoken should be bound to the VHOST_SET_VRING_CALL instead of\nvhost_vdpa_setup_vq_irq() which could be called by set_status().\n\nFixing this by setting up irq bypass producer's token when handling\nVHOST_SET_VRING_CALL and un-registering the producer before calling\nvhost_vring_ioctl() to prevent a possible use after free as eventfd\ncould have been released in vhost_vring_ioctl(). And such registering\nand unregistering will only be done if DRIVER_OK is set.","modified":"2026-04-02T12:20:27.112256Z","published":"2024-10-21T12:14:14.448Z","related":["MGASA-2024-0344","MGASA-2024-0345","SUSE-SU-2024:3983-1","SUSE-SU-2024:3984-1","SUSE-SU-2024:3985-1","SUSE-SU-2024:3986-1","SUSE-SU-2024:4082-1","SUSE-SU-2024:4131-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47748.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/02e9e9366fefe461719da5d173385b6685f70319"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7cf2fb51175cafe01df8c43fa15a06194a59c6e2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/927a2580208e0f9b0b47b08f1c802b7233a7ba3c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ca64edd7ae93402af2596a952e0d94d545e2b9c0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ec5f1b54ceb23475049ada6e7a43452cf4df88d1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fae9b1776f53aab93ab345bdbf653b991aed717d"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47748.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47748"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60"},{"fixed":"0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0"},{"fixed":"927a2580208e0f9b0b47b08f1c802b7233a7ba3c"},{"fixed":"ec5f1b54ceb23475049ada6e7a43452cf4df88d1"},{"fixed":"ca64edd7ae93402af2596a952e0d94d545e2b9c0"},{"fixed":"fae9b1776f53aab93ab345bdbf653b991aed717d"},{"fixed":"7cf2fb51175cafe01df8c43fa15a06194a59c6e2"},{"fixed":"02e9e9366fefe461719da5d173385b6685f70319"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47748.json"}}],"schema_version":"1.7.5"}