CVE-2024-39500

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sock_map: avoid race between sock_map_close and sk_psock_put<br /> <br /> sk_psock_get will return NULL if the refcount of psock has gone to 0, which<br /> will happen when the last call of sk_psock_put is done. However,<br /> sk_psock_drop may not have finished yet, so the close callback will still<br /> point to sock_map_close despite psock being NULL.<br /> <br /> This can be reproduced with a thread deleting an element from the sock map,<br /> while the second one creates a socket, adds it to the map and closes it.<br /> <br /> That will trigger the WARN_ON_ONCE:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 1 PID: 7220 at net/core/sock_map.c:1701 sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701<br /> Modules linked in:<br /> CPU: 1 PID: 7220 Comm: syz-executor380 Not tainted 6.9.0-syzkaller-07726-g3c999d1ae3c7 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024<br /> RIP: 0010:sock_map_close+0x2a2/0x2d0 net/core/sock_map.c:1701<br /> Code: df e8 92 29 88 f8 48 8b 1b 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 79 29 88 f8 4c 8b 23 eb 89 e8 4f 15 23 f8 90 0b 90 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d e9 13 26 3d 02<br /> RSP: 0018:ffffc9000441fda8 EFLAGS: 00010293<br /> RAX: ffffffff89731ae1 RBX: ffffffff94b87540 RCX: ffff888029470000<br /> RDX: 0000000000000000 RSI: ffffffff8bcab5c0 RDI: ffffffff8c1faba0<br /> RBP: 0000000000000000 R08: ffffffff92f9b61f R09: 1ffffffff25f36c3<br /> R10: dffffc0000000000 R11: fffffbfff25f36c4 R12: ffffffff89731840<br /> R13: ffff88804b587000 R14: ffff88804b587000 R15: ffffffff89731870<br /> FS: 000055555e080380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000000 CR3: 00000000207d4000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> unix_release+0x87/0xc0 net/unix/af_unix.c:1048<br /> __sock_release net/socket.c:659 [inline]<br /> sock_close+0xbe/0x240 net/socket.c:1421<br /> __fput+0x42b/0x8a0 fs/file_table.c:422<br /> __do_sys_close fs/open.c:1556 [inline]<br /> __se_sys_close fs/open.c:1541 [inline]<br /> __x64_sys_close+0x7f/0x110 fs/open.c:1541<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fb37d618070<br /> Code: 00 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d4 e8 10 2c 00 00 80 3d 31 f0 07 00 00 74 17 b8 03 00 00 00 0f 05 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c<br /> RSP: 002b:00007ffcd4a525d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003<br /> RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fb37d618070<br /> RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000004<br /> RBP: 0000000000000000 R08: 0000000100000000 R09: 0000000100000000<br /> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000<br /> <br /> <br /> Use sk_psock, which will only check that the pointer is not been set to<br /> NULL yet, which should only happen after the callbacks are restored. If,<br /> then, a reference can still be gotten, we may call sk_psock_stop and cancel<br /> psock-&gt;work.<br /> <br /> As suggested by Paolo Abeni, reorder the condition so the control flow is<br /> less convoluted.<br /> <br /> After that change, the reproducer does not trigger the WARN_ON_ONCE<br /> anymore.