{
  "threat_severity" : "Moderate",
  "public_date" : "2025-03-12T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: bpf: Fix deadlock when freeing cgroup storage",
    "id" : "2351620",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2351620"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-667",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf: Fix deadlock when freeing cgroup storage\nThe following commit\nbc235cdb423a (\"bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]\")\nfirst introduced deadlock prevention for fentry/fexit programs attaching\non bpf_task_storage helpers. That commit also employed the logic in map\nfree path in its v6 version.\nLater bpf_cgrp_storage was first introduced in\nc4bcfb38a95e (\"bpf: Implement cgroup storage available to non-cgroup-attached bpf progs\")\nwhich faces the same issue as bpf_task_storage, instead of its busy\ncounter, NULL was passed to bpf_local_storage_map_free() which opened\na window to cause deadlock:\n<TASK>\n(acquiring local_storage->lock)\n_raw_spin_lock_irqsave+0x3d/0x50\nbpf_local_storage_update+0xd1/0x460\nbpf_cgrp_storage_get+0x109/0x130\nbpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170\n? __bpf_prog_enter_recur+0x16/0x80\nbpf_trampoline_6442485186+0x43/0xa4\ncgroup_storage_ptr+0x9/0x20\n(holding local_storage->lock)\nbpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160\nbpf_selem_unlink_storage+0x6f/0x110\nbpf_local_storage_map_free+0xa2/0x110\nbpf_map_free_deferred+0x5b/0x90\nprocess_one_work+0x17c/0x390\nworker_thread+0x251/0x360\nkthread+0xd2/0x100\nret_from_fork+0x34/0x50\nret_from_fork_asm+0x1a/0x30\n</TASK>\nProgs:\n- A: SEC(\"fentry/cgroup_storage_ptr\")\n- cgid (BPF_MAP_TYPE_HASH)\nRecord the id of the cgroup the current task belonging\nto in this hash map, using the address of the cgroup\nas the map key.\n- cgrpa (BPF_MAP_TYPE_CGRP_STORAGE)\nIf current task is a kworker, lookup the above hash\nmap using function parameter @owner as the key to get\nits corresponding cgroup id which is then used to get\na trusted pointer to the cgroup through\nbpf_cgroup_from_id(). This trusted pointer can then\nbe passed to bpf_cgrp_storage_get() to finally trigger\nthe deadlock issue.\n- B: SEC(\"tp_btf/sys_enter\")\n- cgrpb (BPF_MAP_TYPE_CGRP_STORAGE)\nThe only purpose of this prog is to fill Prog A's\nhash map by calling bpf_cgrp_storage_get() for as\nmany userspace tasks as possible.\nSteps to reproduce:\n- Run A;\n- while (true) { Run B; Destroy B; }\nFix this issue by passing its busy counter to the free procedure so\nit can be properly incremented before storage/smap locking." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-58088\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-58088\nhttps://lore.kernel.org/linux-cve-announce/2025031208-CVE-2024-58088-2b01@gregkh/T" ],
  "name" : "CVE-2024-58088",
  "csaw" : false
}