{"id":"CVE-2021-47238","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix memory leak in ip_mc_add1_src\n\nBUG: memory leak\nunreferenced object 0xffff888101bc4c00 (size 32):\n  comm \"syz-executor527\", pid 360, jiffies 4294807421 (age 19.329s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n    01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................\n  backtrace:\n    [\u003c00000000f17c5244\u003e] kmalloc include/linux/slab.h:558 [inline]\n    [\u003c00000000f17c5244\u003e] kzalloc include/linux/slab.h:688 [inline]\n    [\u003c00000000f17c5244\u003e] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]\n    [\u003c00000000f17c5244\u003e] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095\n    [\u003c000000001cb99709\u003e] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416\n    [\u003c0000000052cf19ed\u003e] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]\n    [\u003c0000000052cf19ed\u003e] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423\n    [\u003c00000000477edfbc\u003e] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857\n    [\u003c00000000e75ca9bb\u003e] __sys_setsockopt+0x158/0x270 net/socket.c:2117\n    [\u003c00000000bdb993a8\u003e] __do_sys_setsockopt net/socket.c:2128 [inline]\n    [\u003c00000000bdb993a8\u003e] __se_sys_setsockopt net/socket.c:2125 [inline]\n    [\u003c00000000bdb993a8\u003e] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125\n    [\u003c000000006a1ffdbd\u003e] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47\n    [\u003c00000000b11467c4\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn commit 24803f38a5c0 (\"igmp: do not remove igmp souce list info when set\nlink down\"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,\nbecause it was also called in igmpv3_clear_delrec().\n\nRough callgraph:\n\ninetdev_destroy\n-\u003e ip_mc_destroy_dev\n     -\u003e igmpv3_clear_delrec\n        -\u003e ip_mc_clear_src\n-\u003e RCU_INIT_POINTER(dev-\u003eip_ptr, NULL)\n\nHowever, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't\nrelease in_dev-\u003emc_list-\u003esources. And RCU_INIT_POINTER() assigns the\nNULL to dev-\u003eip_ptr. As a result, in_dev cannot be obtained through\ninetdev_by_index() and then in_dev-\u003emc_list-\u003esources cannot be released\nby ip_mc_del1_src() in the sock_close. Rough call sequence goes like:\n\nsock_close\n-\u003e __sock_release\n   -\u003e inet_release\n      -\u003e ip_mc_drop_socket\n         -\u003e inetdev_by_index\n         -\u003e ip_mc_leave_src\n            -\u003e ip_mc_del_src\n               -\u003e ip_mc_del1_src\n\nSo we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free\nin_dev-\u003emc_list-\u003esources.","modified":"2026-03-15T21:45:11.879287Z","published":"2024-05-21T15:15:13.017Z","related":["SUSE-SU-2024:1979-1","SUSE-SU-2024:1983-1","SUSE-SU-2024:2184-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/0dc13e75507faa17ac9f7562b4ef7bf8fcd78422"},{"type":"FIX","url":"https://git.kernel.org/stable/c/1e28018b5c83d5073f74a6fb72eabe8370b2f501"},{"type":"FIX","url":"https://git.kernel.org/stable/c/3dd2aeac2e9624cff9fa634710837e4f2e352758"},{"type":"FIX","url":"https://git.kernel.org/stable/c/6cff57eea3347f79f1867cc53e1093b6614138d8"},{"type":"FIX","url":"https://git.kernel.org/stable/c/77de6ee73f54a9a89c0afa0bf4c53b239aa9953a"},{"type":"FIX","url":"https://git.kernel.org/stable/c/ac31cc837cafb57a271babad8ccffbf733caa076"},{"type":"FIX","url":"https://git.kernel.org/stable/c/d8e2973029b8b2ce477b564824431f3385c77083"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47238.json","unresolved_ranges":[{"events":[{"introduced":"3.2.87"},{"fixed":"3.3"}]},{"events":[{"introduced":"3.16.42"},{"fixed":"3.17"}]},{"events":[{"introduced":"4.9"},{"fixed":"4.9.274"}]},{"events":[{"introduced":"4.10"},{"fixed":"4.14.238"}]},{"events":[{"introduced":"4.15"},{"fixed":"4.19.196"}]},{"events":[{"introduced":"4.20"},{"fixed":"5.4.128"}]},{"events":[{"introduced":"5.5"},{"fixed":"5.10.46"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.12.13"}]},{"events":[{"introduced":"0"},{"last_affected":"5.13-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.13-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.13-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.13-rc4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.13-rc5"}]},{"events":[{"introduced":"0"},{"last_affected":"5.13-rc6"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}