CVE-2024-26864

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: Fix refcnt handling in __inet_hash_connect().<br /> <br /> syzbot reported a warning in sk_nulls_del_node_init_rcu().<br /> <br /> The commit 66b60b0c8c4a ("dccp/tcp: Unhash sk from ehash for tb2 alloc<br /> failure after check_estalblished().") tried to fix an issue that an<br /> unconnected socket occupies an ehash entry when bhash2 allocation fails.<br /> <br /> In such a case, we need to revert changes done by check_established(),<br /> which does not hold refcnt when inserting socket into ehash.<br /> <br /> So, to revert the change, we need to __sk_nulls_add_node_rcu() instead<br /> of sk_nulls_add_node_rcu().<br /> <br /> Otherwise, sock_put() will cause refcnt underflow and leak the socket.<br /> <br /> [0]:<br /> WARNING: CPU: 0 PID: 23948 at include/net/sock.h:799 sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799<br /> Modules linked in:<br /> CPU: 0 PID: 23948 Comm: syz-executor.2 Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024<br /> RIP: 0010:sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799<br /> Code: e8 7f 71 c6 f7 83 fb 02 7c 25 e8 35 6d c6 f7 4d 85 f6 0f 95 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 1b 6d c6 f7 90 0b 90 eb b2 e8 10 6d c6 f7 4c 89 e7 be 04 00 00 00 e8 63 e7 d2<br /> RSP: 0018:ffffc900032d7848 EFLAGS: 00010246<br /> RAX: ffffffff89cd0035 RBX: 0000000000000001 RCX: 0000000000040000<br /> RDX: ffffc90004de1000 RSI: 000000000003ffff RDI: 0000000000040000<br /> RBP: 1ffff1100439ac26 R08: ffffffff89ccffe3 R09: 1ffff1100439ac28<br /> R10: dffffc0000000000 R11: ffffed100439ac29 R12: ffff888021cd6140<br /> R13: dffffc0000000000 R14: ffff88802a9bf5c0 R15: ffff888021cd6130<br /> FS: 00007f3b823f16c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f3b823f0ff8 CR3: 000000004674a000 CR4: 00000000003506f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __inet_hash_connect+0x140f/0x20b0 net/ipv4/inet_hashtables.c:1139<br /> dccp_v6_connect+0xcb9/0x1480 net/dccp/ipv6.c:956<br /> __inet_stream_connect+0x262/0xf30 net/ipv4/af_inet.c:678<br /> inet_stream_connect+0x65/0xa0 net/ipv4/af_inet.c:749<br /> __sys_connect_file net/socket.c:2048 [inline]<br /> __sys_connect+0x2df/0x310 net/socket.c:2065<br /> __do_sys_connect net/socket.c:2075 [inline]<br /> __se_sys_connect net/socket.c:2072 [inline]<br /> __x64_sys_connect+0x7a/0x90 net/socket.c:2072<br /> do_syscall_64+0xf9/0x240<br /> entry_SYSCALL_64_after_hwframe+0x6f/0x77<br /> RIP: 0033:0x7f3b8167dda9<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f3b823f10c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a<br /> RAX: ffffffffffffffda RBX: 00007f3b817abf80 RCX: 00007f3b8167dda9<br /> RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003<br /> RBP: 00007f3b823f1120 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001<br /> R13: 000000000000000b R14: 00007f3b817abf80 R15: 00007ffd3beb57b8<br />