In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
Inthe Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and I don'tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and I don'tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and I don'tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
| linux | | https://git.kernel.org/linus/565d121b69980637f040eb4d84289869cdaabedf | https://git.kernel.org/linus/e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and I don'tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and I don'tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, thefollowing vulnerability has been resolved:tcp: preventconcurrent executionof tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, oncefrom a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commitb099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twskin any dyingnetns, not just the onepassedin via exit_batch list.This means that the error unwind of setup_net()can "steal" anddestroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.Atsame time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING:.. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10kernel/nsproxy.c:110... because refcount_dec() of tw_refcountunexpectedly dropped to0.This doesn'tseem like an actual bug(notw sockets gotlost and I don'tsee a use-after-free) butas erroneous trigger ofdebug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremovedall tw sockets of dying netns.The Linux kernel CVE team hasassigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
IntheLinuxkernel,the following vulnerabilityhas been resolved:tcp: prevent concurrent execution oftcp_sk_exit_batchItspossible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failedto clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net:Batch inet_twsk_purge"),this function picks up twsk in any dying netns, notjust the onepassedin via exit_batchlist.This means that the error unwind of setup_net() can "steal" anddestroytimewait socketsbelonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwindpath that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110...because refcount_dec() of tw_refcount unexpectedly dropped to0.This doesn't seemlike an actual bug(no tw sockets got lostandI don'tseea use-after-free) but as erroneous trigger ofdebug check.Add a mutexto force strictordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dyingnetns.The Linux kernel CVE team has assigned CVE-2024-44991to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from atask that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1-> 0transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost and Idon'tsee ause-after-free) but as erroneous trigger of debug check.Add amutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can "steal" and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 ->0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug (no tw sockets got lost andI don'tseea use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
Inthe Linux kernel, thefollowing vulnerability has been resolved:tcp: prevent concurrentexecution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue,once from atask thatfailedto clonea new netns. In the latter case, errorunwindingcalls the exit handlersin reverseorder for the 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk inany dying netns, not just the one passedin via exit_batchlist.This means thatthe errorunwind of setup_net() can "steal" and destroytimewait socketsbelonging to the exiting netns.This allows the netns exitworker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 -> 0 transition, which then splats.At same time, error unwindpath that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly droppedto 0.This doesn'tseem likean actual bug (no tw sockets got lost and I don'tsee a use-after-free) but as erroneous trigger of debugcheck.Add a mutex to force strictordering: thetask that calls tcp_twsk_purge()blocks othertask from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dyingnetns.The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
IntheLinuxkernel, the followingvulnerability has been resolved:tcp: prevent concurrent executionof tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once froma task thatfailed tocloneanew netns. In the latter case, error unwindingcalls theexit handlersin reverse order forthe 'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),this function picks up twsk in any dyingnetns, not just the one passedin via exit_batch list.Thismeans that the errorunwind ofsetup_net() can "steal" and destroytimewait sockets belongingto the exiting netns.This allows the netns exit worker toproceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0transition, which then splats.At same time, error unwind path thatis also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.Thisdoesn't seem likean actualbug (no tw sockets got lost and I don'tsee a use-after-free) but as erroneous trigger of debug check.Adda mutex to force strict ordering:the task thatcalls tcp_twsk_purge()blocks other task fromdoing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.TheLinux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed toclonea new netns. Inthe latter case, error unwinding calls the exit handlersin reverse order for the'failed' netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that sincecommit b099ce2602d8 ("net: Batchinet_twsk_purge"),this function picks up twsk in anydying netns, not just the one passedin via exit_batch list.This means that theerror unwind of setup_net() can "steal" and destroytimewait sockets belongingto the exiting netns.This allows thenetns exitworker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected1 -> 0 transition, which then splats.At same time,error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_decinclude/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() oftw_refcount unexpectedly dropped to 0.This doesn't seem like an actual bug(no tw socketsgotlost and I don'tsee a use-after-free) butas erroneous trigger of debug check.Add a mutex to forcestrict ordering: the task that calls tcp_twsk_purge()blocks other task from doingfinal_dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.The Linux kernelCVE team has assigned CVE-2024-44991to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from a task that failedto clone a new netns.In the latter case, error unwinding calls the exit handlers in reverse order forthe 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is thatsince commit b099ce2602d8 ("net:Batch inet_twsk_purge"), this function picks up twskin any dying netns, not just the one passed in via exit_batch list. This meansthat the error unwind of setup_net() can "steal" and destroy timewait socketsbelonging to the exiting netns. Thisallows thenetns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); withoutthe expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... becauserefcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seemlike an actualbug(no tw sockets got lost and I don't see ause-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge() blocksothertask from doing final _dec_and_test before mutex-owner has removed all tw sockets of dyingnetns. The Linux kernel CVE team hasassigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from atask that failed to clone anew netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected 1-> 0transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost and Idon't see ause-after-free) but as erroneous trigger of debug check. Add amutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns. The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected1 ->0 transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost andI don't seea use-after-free) but as erroneous trigger of debug check. Adda mutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns. The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from atask that failed to clone anew netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected 1-> 0transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost and Idon't see ause-after-free) but as erroneous trigger of debug check. Add amutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns. The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected1 ->0 transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost andI don't seea use-after-free) but as erroneous trigger of debug check. Adda mutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns. The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once from atask that failed to clone anew netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected 1-> 0transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost and Idon't see ause-after-free) but as erroneous trigger of debug check. Add amutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns. The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
In the Linux kernel, the following vulnerability has been resolved:tcp: prevent concurrent execution of tcp_sk_exit_batchIts possible that two threads call tcp_sk_exit_batch() concurrently,once from the cleanup_net workqueue, once from a task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlersin reverse order for the failed netns.tcp_sk_exit_batch() calls tcp_twsk_purge().Problem is that since commit b099ce2602d8 ( net: Batch inet_twsk_purge ),this function picks up twsk in any dying netns, not just the one passedin via exit_batch list.This means that the error unwind of setup_net() can steal and destroytimewait sockets belonging to the exiting netns.This allows the netns exit worker to proceed to callWARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount));without the expected 1 -> 0 transition, which then splats.At same time, error unwind path that is also running inet_twsk_purge()will splat as well:WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110... because refcount_dec() of tw_refcount unexpectedly dropped to 0.This doesn t seem like an actual bug (no tw sockets got lost and I don tsee a use-after-free) but as erroneous trigger of debug check.Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()blocks other task from doing final _dec_and_test before mutex-owner hasremoved all tw sockets of dying netns.
In the Linux kernel, the following vulnerability has been resolved: tcp: prevent concurrent execution of tcp_sk_exit_batch Its possible that two threads call tcp_sk_exit_batch() concurrently, once from the cleanup_net workqueue, once froma task that failed to clonea new netns. In the latter case, error unwinding calls the exit handlers in reverse order for the 'failed' netns. tcp_sk_exit_batch() calls tcp_twsk_purge(). Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"), this function picks up twsk in any dying netns, not just the one passed in via exit_batch list. This means that the error unwind of setup_net() can "steal" and destroy timewait sockets belonging to the exiting netns. This allows the netns exit worker to proceed to call WARN_ON_ONCE(!refcount_dec_and_test(&net->ipv4.tcp_death_row.tw_refcount)); without the expected1 ->0 transition, which then splats. At same time, error unwind path that is also running inet_twsk_purge() will splat as well: WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 ... refcount_dec include/linux/refcount.h:351 [inline] inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70 inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221 inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304 tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522 ops_exit_list+0x128/0x180 net/core/net_namespace.c:178 setup_net+0x714/0xb40 net/core/net_namespace.c:375 copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508 create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110 ... because refcount_dec() of tw_refcount unexpectedly dropped to 0. This doesn't seem like an actual bug (no tw sockets got lost andI don't seea use-after-free) but as erroneous trigger of debug check. Adda mutex to force strict ordering: the task that calls tcp_twsk_purge() blocks other task from doing final _dec_and_test before mutex-owner has removed all tw sockets of dying netns. The Linux kernel CVE team has assigned CVE-2024-44991 to this issue.
