CVE-2024-44991

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp: prevent concurrent execution of tcp_sk_exit_batch<br /> <br /> Its possible that two threads call tcp_sk_exit_batch() concurrently,<br /> once from the cleanup_net workqueue, once from a task that failed to clone<br /> a new netns. In the latter case, error unwinding calls the exit handlers<br /> in reverse order for the &amp;#39;failed&amp;#39; netns.<br /> <br /> tcp_sk_exit_batch() calls tcp_twsk_purge().<br /> Problem is that since commit b099ce2602d8 ("net: Batch inet_twsk_purge"),<br /> this function picks up twsk in any dying netns, not just the one passed<br /> in via exit_batch list.<br /> <br /> This means that the error unwind of setup_net() can "steal" and destroy<br /> timewait sockets belonging to the exiting netns.<br /> <br /> This allows the netns exit worker to proceed to call<br /> <br /> WARN_ON_ONCE(!refcount_dec_and_test(&amp;net-&gt;ipv4.tcp_death_row.tw_refcount));<br /> <br /> without the expected 1 -&gt; 0 transition, which then splats.<br /> <br /> At same time, error unwind path that is also running inet_twsk_purge()<br /> will splat as well:<br /> <br /> WARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210<br /> ...<br /> refcount_dec include/linux/refcount.h:351 [inline]<br /> inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70<br /> inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221<br /> inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304<br /> tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522<br /> ops_exit_list+0x128/0x180 net/core/net_namespace.c:178<br /> setup_net+0x714/0xb40 net/core/net_namespace.c:375<br /> copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508<br /> create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110<br /> <br /> ... because refcount_dec() of tw_refcount unexpectedly dropped to 0.<br /> <br /> This doesn&amp;#39;t seem like an actual bug (no tw sockets got lost and I don&amp;#39;t<br /> see a use-after-free) but as erroneous trigger of debug check.<br /> <br /> Add a mutex to force strict ordering: the task that calls tcp_twsk_purge()<br /> blocks other task from doing final _dec_and_test before mutex-owner has<br /> removed all tw sockets of dying netns.