CVE-2024-38780: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-38780 is a vulnerability in the Linux kernel's dma-buf/sw-sync component, discovered and disclosed on June 21, 2024. The issue affects multiple versions of the Linux kernel up to versions 4.14, 4.19.316, 5.4.278, 5.10.219, 5.15.161, 6.1.93, 6.6.33, and 6.9.4. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) (NVD).

The vulnerability stems from an incorrect replacement of spinunlockirqrestore() with spinunlockirq() for both syncdebugfsshow() and syncprintobj() functions, introduced by commit a6aa8fca4d79. This caused inconsistent lock state warnings from lockdep when syncprintobj() is called from syncdebugfsshow(), as the latter was already using spin{lock,unlock}irq(). The issue was identified as CWE-667 (Improper Locking) (Kernel Patch).

The vulnerability affects the locking mechanism in the Linux kernel's dma-buf subsystem, potentially leading to availability issues. The CVSS scoring indicates no impact on confidentiality or integrity, but a high impact on availability, with local access required for exploitation (NVD).

The issue has been fixed by modifying syncprintobj() to use plain spin{lock,unlock}() instead of spinlockirq() and spinunlock_irq(). The fix has been implemented across multiple Linux distributions including Ubuntu and Debian. Ubuntu has released patches for versions 24.04 LTS (6.8.0-44.44), 22.04 LTS (5.15.0-121.131), and 20.04 LTS (5.4.0-192.212) (Ubuntu).