CVE-2024-58070 in Linux
Summary
by MITRE • 03/06/2025
In the Linux kernel, the following vulnerability has been resolved:
bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT
In PREEMPT_RT, kmalloc(GFP_ATOMIC) is still not safe in non preemptible context. bpf_mem_alloc must be used in PREEMPT_RT. This patch is to enforce bpf_mem_alloc in the bpf_local_storage when CONFIG_PREEMPT_RT is enabled.
[ 35.118559] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 35.118566] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1832, name: test_progs
[ 35.118569] preempt_count: 1, expected: 0
[ 35.118571] RCU nest depth: 1, expected: 1
[ 35.118577] INFO: lockdep is turned off.
... [ 35.118647] __might_resched+0x433/0x5b0
[ 35.118677] rt_spin_lock+0xc3/0x290
[ 35.118700] ___slab_alloc+0x72/0xc40
[ 35.118723] __kmalloc_noprof+0x13f/0x4e0
[ 35.118732] bpf_map_kzalloc+0xe5/0x220
[ 35.118740] bpf_selem_alloc+0x1d2/0x7b0
[ 35.118755] bpf_local_storage_update+0x2fa/0x8b0
[ 35.118784] bpf_sk_storage_get_tracing+0x15a/0x1d0
[ 35.118791] bpf_prog_9a118d86fca78ebb_trace_inet_sock_set_state+0x44/0x66
[ 35.118795] bpf_trace_run3+0x222/0x400
[ 35.118820] __bpf_trace_inet_sock_set_state+0x11/0x20
[ 35.118824] trace_inet_sock_set_state+0x112/0x130
[ 35.118830] inet_sk_state_store+0x41/0x90
[ 35.118836] tcp_set_state+0x3b3/0x640
There is no need to adjust the gfp_flags passing to the bpf_mem_cache_alloc_flags() which only honors the GFP_KERNEL. The verifier has ensured GFP_KERNEL is passed only in sleepable context.
It has been an old issue since the first introduction of the bpf_local_storage ~5 years ago, so this patch targets the bpf-next.
bpf_mem_alloc is needed to solve it, so the Fixes tag is set to the commit when bpf_mem_alloc was first used in the bpf_local_storage.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/16/2026
The vulnerability described in CVE-2024-58070 affects the Linux kernel's implementation of eBPF local storage functionality, specifically when running on systems configured with PREEMPT_RT real-time kernel support. This issue stems from improper memory allocation practices within the bpf_local_storage subsystem that lead to kernel lockup conditions and system instability. The root cause occurs when kmalloc is invoked with GFP_ATOMIC flags in non-preemptible contexts, which violates the strict locking requirements of the PREEMPT_RT kernel configuration. The kernel's locking subsystem, particularly the spinlock implementation in spinlock_rt.c, detects this violation and triggers a BUG message indicating that a sleeping function was called from an invalid context. This scenario manifests when the bpf_selem_alloc function attempts to allocate memory using bpf_map_kzalloc, which internally calls __kmalloc_noprof, ultimately failing in the PREEMPT_RT environment where such allocations are not permitted in non-preemptible contexts. The stack trace reveals a clear call path through the BPF tracing subsystem, specifically involving bpf_sk_storage_get_tracing and bpf_local_storage_update functions, demonstrating how the vulnerability propagates through the kernel's network socket state management. The issue has persisted for approximately five years since the initial introduction of bpf_local_storage functionality, making it a long-standing problem that affects systems using real-time kernel configurations. This vulnerability directly relates to CWE-362, which describes Race Conditions, and aligns with ATT&CK technique T1547.006 for Kernel Modules and Extensions, as it involves improper kernel memory management within BPF subsystem extensions. The fix implemented in this patch enforces the use of bpf_mem_alloc instead of standard kmalloc operations when PREEMPT_RT is enabled, ensuring that memory allocation adheres to the real-time kernel's strict requirements. The solution specifically targets the bpf_local_storage_update function and related BPF tracing mechanisms that operate in contexts where standard kernel memory allocators are unsafe. The patch ensures that bpf_mem_cache_alloc_flags is used with appropriate GFP_KERNEL flags, which are only passed in sleepable contexts as verified by the BPF verifier. This approach maintains compatibility with the kernel's memory management policies while providing the necessary allocation mechanisms for real-time systems. The fix addresses the fundamental incompatibility between standard kernel memory allocation patterns and the PREEMPT_RT kernel's strict context requirements, preventing system crashes and ensuring proper operation of BPF programs in real-time environments. The patch specifically references the commit that first introduced bpf_mem_alloc usage in bpf_local_storage, establishing a clear lineage for the fix and ensuring proper version control tracking. This vulnerability represents a critical issue for embedded systems, industrial control systems, and any real-time applications that rely on both BPF functionality and PREEMPT_RT kernel support. The impact extends beyond simple memory allocation failures to potentially cause complete system lockups and service disruptions in production environments where real-time performance guarantees are essential. The resolution ensures that BPF programs can safely operate in real-time kernel configurations without triggering the kernel's lockdep subsystem and related debugging mechanisms that detect unsafe context usage. This patch demonstrates the complexity of maintaining compatibility between advanced kernel subsystems and real-time requirements, highlighting the importance of proper memory management in concurrent kernel environments. The fix essentially provides a bridge between traditional kernel memory allocation patterns and the stricter requirements imposed by PREEMPT_RT, ensuring that BPF functionality remains available while maintaining system stability. The vulnerability affects systems where BPF programs interact with socket state management and tracing mechanisms, making it particularly relevant for network monitoring, security enforcement, and system observability applications that utilize eBPF. The patch represents a targeted solution that addresses the specific memory allocation requirements of PREEMPT_RT while preserving the functionality of BPF local storage operations in all other kernel configurations.