CVE-2024-35910

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 19/05/2024
Last modified: 17/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: properly terminate timers for kernel sockets

We had various syzbot reports about tcp timers firing after the corresponding netns has been dismantled.

Fortunately Josef Bacik could trigger the issue more often, and could test a patch I wrote two years ago.

When TCP sockets are closed, we call inet_csk_clear_xmit_timers() to 'stop' the timers.

inet_csk_clear_xmit_timers() can be called from any context, including when socket lock is held. This is the reason it uses sk_stop_timer(), aka del_timer(). This means that ongoing timers might finish much later.

For user sockets, this is fine because each running timer holds a reference on the socket, and the user socket holds a reference on the netns.

For kernel sockets, we risk that the netns is freed before the timer can complete, because kernel sockets do not hold a reference on the netns.

This patch adds the inet_csk_clear_xmit_timers_sync() function, which uses sk_stop_timer_sync() to make sure all timers are terminated before the kernel socket is released. Modules using kernel sockets close them in their netns exit() handler.

Also add the sock_not_owned_by_me() helper to get LOCKDEP support: inet_csk_clear_xmit_timers_sync() must not be called while the socket lock is held.

It is very possible we can revert in the future commit 3a58f13a881e ("net: rds: acquire refcount on TCP sockets") which attempted to solve the issue in rds only. (net/smc/af_smc.c and net/mptcp/subflow.c have similar code)

We probably can remove the check_net() tests from tcp_out_of_resources() and __tcp_close() in the future.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.2 (including) | 4.19.312 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.274 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.215 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* | - | -
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | - | -
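The following is an added example, not part of the advisory: a small check that parses a `uname -r` style release string and compares it against the upstream version ranges listed in the table above. It assumes upstream kernel numbering; distribution kernels (the Debian 10 entry, for instance) backport fixes without changing the upstream version, so a "yes" from this check means "verify against your vendor's changelog", not "confirmed vulnerable".

```python
import platform
import re

# Affected upstream ranges copied from this advisory's table:
# (from, inclusive) .. (up to, exclusive), as 3-component version tuples.
AFFECTED_RANGES = [
    ((4, 2, 0), (4, 19, 312)),
    ((4, 20, 0), (5, 4, 274)),
    ((5, 5, 0), (5, 10, 215)),
    ((5, 11, 0), (5, 15, 154)),
    ((5, 16, 0), (6, 1, 85)),
    ((6, 2, 0), (6, 6, 26)),
    ((6, 7, 0), (6, 8, 5)),
]


def parse_kernel_version(release):
    """Extract (major, minor, patch, rc) from a release string.

    '6.1.0-18-amd64' -> (6, 1, 0, None); '6.9.0-rc1' -> (6, 9, 0, 'rc1').
    Distro suffixes after the numeric part are ignored.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]?(rc\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), rc)


def is_affected(release):
    """True if the upstream version falls inside a range the advisory lists."""
    major, minor, patch, rc = parse_kernel_version(release)
    version = (major, minor, patch)
    if rc:
        # The advisory lists exactly one pre-release build: 6.9-rc1.
        return version == (6, 9, 0) and rc == "rc1"
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()  # e.g. '6.1.0-18-amd64' on a Debian host
    verdict = "in an affected upstream range" if is_affected(running) else "outside the listed ranges"
    print(f"{running}: {verdict} (check vendor backports before concluding)")
```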