CVE-2024-26631
Source: Ubuntu CVE tracker (ubuntu.com), record UB:CVE-2024-26631
Published: Mar 18, 2024 - 12:00 a.m.
Tags: linux kernel, vulnerability resolved, ipv6, mcast, data-race, mutex_lock, mutex_unlock, syzbot, kcsan, addrconf_notify, notifier_call_chain, raw_notifier_call_chain, dev_change_flags, do_setlink, rtnl_group_changelink, rtnl_newlink, rtnl_send, netlink_sendmsg

AI Score: 6.3 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 15.7%)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work

idev->mc_ifc_count can be written over without proper locking. Originally found by syzbot [1], fix this issue by encapsulating calls to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with mutex_lock() and mutex_unlock() accordingly as these functions should only be called with mc_lock per their declarations.

[1]
BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work

write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
 mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
 ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
 addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
 addrconf_notify+0x310/0x980
 notifier_call_chain kernel/notifier.c:93 [inline]
 raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
 __dev_notify_flags+0x205/0x3d0
 dev_change_flags+0xab/0xd0 net/core/dev.c:8685
 do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
 rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
 rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
 rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
 netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
 …

write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
 mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
 process_one_work kernel/workqueue.c:2627 [inline]
 process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
 worker_thread+0x525/0x730 kernel/workqueue.c:2781
 …
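The report above shows two writers of the same one-byte field, idev->mc_ifc_count: the deferred MLD worker and the interface-down path. The following user-space model is an added example, not kernel code and not the fix commit itself: a pthread worker stands in for mld_ifc_work(), a teardown function for ipv6_mc_down(), and a pthread mutex for idev->mc_lock. The names struct idev_model, work_pending and run_teardown_model are invented for the demo; mc_ifc_count, mc_lock, mld_ifc_stop_work and ipv6_mc_down are taken from the report. The stop_under_lock flag selects the pre-fix shape (stop path writes the counter without the lock, which ThreadSanitizer flags the way KCSAN did in the kernel) or the post-fix shape, where both writers serialise on mc_lock and the final counter value is deterministic.

```c
/* Added example (not kernel code): user-space model of the mc_ifc_count race.
 * Build: cc -pthread race_model.c -o race_model
 * To see the pre-fix race reported: cc -pthread -fsanitize=thread race_model.c
 */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

struct idev_model {                 /* hypothetical stand-in for inet6_dev */
    pthread_mutex_t mc_lock;        /* stands in for idev->mc_lock */
    unsigned char mc_ifc_count;     /* 1-byte field, as in the KCSAN report */
    bool work_pending;              /* stands in for the scheduled work item */
};

/* Stop path. Its declaration in the kernel requires mc_lock to be held; the
 * bug was that ipv6_mc_down() called it without taking the lock. */
static void mld_ifc_stop_work(struct idev_model *idev)
{
    idev->work_pending = false;
    idev->mc_ifc_count = 0;         /* same byte the worker writes */
}

/* Teardown path. stop_under_lock=false reproduces the pre-fix shape,
 * stop_under_lock=true the post-fix shape (mutex_lock/mutex_unlock around
 * the stop call). */
static void ipv6_mc_down(struct idev_model *idev, bool stop_under_lock)
{
    if (stop_under_lock)
        pthread_mutex_lock(&idev->mc_lock);
    mld_ifc_stop_work(idev);
    if (stop_under_lock)
        pthread_mutex_unlock(&idev->mc_lock);
}

/* Worker: like mld_ifc_work(), decrements the count under mc_lock and
 * re-arms itself while there is work left. */
static void *mld_ifc_work(void *arg)
{
    struct idev_model *idev = arg;
    for (;;) {
        pthread_mutex_lock(&idev->mc_lock);
        if (!idev->work_pending || idev->mc_ifc_count == 0) {
            idev->work_pending = false;
            pthread_mutex_unlock(&idev->mc_lock);
            return NULL;
        }
        idev->mc_ifc_count--;       /* racy against an unlocked stop path */
        pthread_mutex_unlock(&idev->mc_lock);
        usleep(100);                /* stand-in for the retransmit delay */
    }
}

/* Runs one teardown against a running worker and returns the final count.
 * With stop_under_lock=true the result is 0 in every interleaving: either
 * the stop path zeroes the count and the worker then sees work_pending
 * cleared, or the worker already drained the count to 0. */
unsigned char run_teardown_model(unsigned char initial_count, bool stop_under_lock)
{
    struct idev_model idev = {
        .mc_lock = PTHREAD_MUTEX_INITIALIZER,
        .mc_ifc_count = initial_count,
        .work_pending = true,
    };
    pthread_t worker;
    pthread_create(&worker, NULL, mld_ifc_work, &idev);
    usleep(50);                     /* let the worker run a little */
    ipv6_mc_down(&idev, stop_under_lock);
    pthread_join(worker, NULL);
    return idev.mc_ifc_count;
}

int main(void)
{
    printf("locked teardown, final mc_ifc_count: %u\n",
           run_teardown_model(200, true));
    return 0;
}
```

The point of the model is the second write site, not the counter value: once the stop path runs with mc_lock held, there is no interleaving in which the worker's read-decrement-write of mc_ifc_count straddles the teardown's store, which is exactly what the commit's mutex_lock()/mutex_unlock() wrapping guarantees in net/ipv6/mcast.c.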

Notes

Author Note (rodrigo-zaiden):
USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state.
