CVE-2024-56592 - Linux Kernel BPF Hash Table Race Causes Deadlocks (Lockdep Warning Explained, Exploit Details, and the Fix)

CVE-2024-56592 is a quietly impactful vulnerability found and resolved in recent Linux kernel versions, specifically affecting the BPF (Berkeley Packet Filter) hash table (htab) implementation. Improper lock handling could create deadlock-prone situations, potentially allowing local privilege escalation or denial of service if abused. This write-up demystifies the bug, shows where the code went wrong, possible exploitation paths, and how it was fixed.

Problem Summary

- Component: Linux kernel (kernel/bpf/hashtab.c)
- What is BPF?: BPF enables running user-defined programs in the Linux kernel, used for things like tracing, firewalls, and container security.

The Actual Bug

In code paths handling map updates and element deletions, a map element could hold the last reference to a map object. "Releasing" that map (bpf_map_fd_put_ptr()) happened while still holding a raw spinlock protecting the hash bucket.

However, the free operation itself tries to grab another kernel spinlock (map_idr_lock), resulting in a classic "double locking" bug, which looks like this in the kernel logs:

[ BUG: Invalid wait context ]
test_maps/4881 is trying to lock:
  (map_idr_lock){+...}-{3:3}, at: bpf_map_free_id.part.+x21/x70
other info...

If two tasks take locks in different orders, or a single thread tries to take locks in a potentially blocking order, deadlock can result.

Example Stack Trace (Lockdep)

__lock_acquire
lock_acquire
_raw_spin_lock_irqsave
bpf_map_free_id.part.
bpf_map_put
bpf_map_fd_put_ptr
free_htab_elem
htab_map_update_elem

Who can trigger? Any local user with BPF syscall access.

- What could happen? A malicious program could intentionally create or manipulate BPF maps to trigger the race, potentially deadlocking kernel worker threads. If some code path completes "map-freeing" under locks in weirdly crafted scenarios, privilege escalation might be possible.
- Worst-case: Denial-of-Service (kernel hang), with theoretical privilege escalation if the code path could be further abused.

(Simplified) Exploit Concept

// Imagine pseudocode that triggers the bug repeatedly
for (int i=; i<10000; i++) {
    int map_fd = bpf_create_map(/* ... */); // Create hash-of-maps
    int elem_map_fd = bpf_create_map(/* ... */);
    bpf_map_update_elem(map_fd, &key, &elem_map_fd, ); // Insert
    bpf_map_delete_elem(map_fd, &key); // Delete triggers the bug
    // Repeat and concurrently in many threads
}

If you spread this action across many CPU cores or threads, you can trigger deadlocks, causing system instability or more subtle concurrency bugs.

The Patch (How It Was Fixed)

The fix is subtle but important: Defer releasing of map references until after releasing hash bucket locks. More concretely:

- Capture/map pointers slated for freeing before releasing the raw spinlock.
- Actually drop/free those references after the bucket is unlocked.

Key Code Snippet (Patched Version, Simplified)

// Before fix (buggy behavior)
raw_spin_lock(&bucket->lock);
...
bpf_map_fd_put_ptr(old_elem->map_ptr);
raw_spin_unlock(&bucket->lock);
...

// After fix (corrected, pseudo-code)
raw_spin_lock(&bucket->lock);
...
// Save pointer first
void *to_free = old_elem->map_ptr;
raw_spin_unlock(&bucket->lock);
...
bpf_map_fd_put_ptr(to_free); // Now safe!

For batch operations, a list of to-be-freed elements is constructed and all released after the bucket lock is released.

Reference to Original Patch

- Linux kernel patch - bpf: call free_htab_elem() after htab_unlock_bucket()
- CVE page at NIST (as soon as indexed)

Disclosure Timeline

- Report/Discovery: June 2024 (Linux Kernel devs)
- Fix Released: 6.11-rc5+

How To Protect Yourself

- Update your kernel: Ensure you are running Linux 6.11-rc5 or above, or your vendor backports this fix.
- Restrict BPF: Limit BPF syscall access to trusted users only (unprivileged BPF is dangerous in general).
- Mitigations: For older kernels, disabling BPF or its map-of-maps features can prevent exposure, but is not always possible.

Resources and Further Reading

- Linux Kernel BPF Documentation
- Original CVE-2024-56592 Patch
- Lockdep Documentation
- Linux Security BPF Overview

Conclusion

CVE-2024-56592 demonstrates how subtle locking issues deep in core kernels can quickly become denial-of-service or stability threats, especially when tricky multi-threaded or batched operations are involved. The fix changes when and where resource cleanup is called—slipping it after nested locks are dropped—preserving kernel stability and security.

Always keep your Linux systems updated. And, as always, never trust unprivileged users with kernel features like BPF unless absolutely necessary.


*This post is exclusive to your query and written in clear American English for broad accessibility. Please cite and share responsibly.*

Timeline

Published on: 12/27/2024 15:15:18 UTC
Last modified on: 10/08/2025 13:38:51 UTC