{"id":"CVE-2024-26782","summary":"mptcp: fix double-free on socket dismantle","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n  BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n  Free of addr ffff888485950880 by task swapper/25/0\n\n  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n  Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013\n  Call Trace:\n   \u003cIRQ\u003e\n   dump_stack_lvl+0x32/0x50\n   print_report+0xca/0x620\n   kasan_report_invalid_free+0x64/0x90\n   __kasan_slab_free+0x1aa/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   rcu_do_batch+0x34e/0xd90\n   rcu_core+0x559/0xac0\n   __do_softirq+0x183/0x5a4\n   irq_exit_rcu+0x12d/0x170\n   sysvec_apic_timer_interrupt+0x6b/0x80\n   \u003c/IRQ\u003e\n   \u003cTASK\u003e\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n  RIP: 0010:cpuidle_enter_state+0x175/0x300\n  Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed \u003c0f\u003e 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n  RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n  RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n  RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n  RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n  R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n  R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n   cpuidle_enter+0x4a/0xa0\n   do_idle+0x310/0x410\n   cpu_startup_entry+0x51/0x60\n   start_secondary+0x211/0x270\n   secondary_startup_64_no_verify+0x184/0x18b\n   \u003c/TASK\u003e\n\n  Allocated by task 6853:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   __kmalloc+0x1eb/0x450\n   cipso_v4_sock_setattr+0x96/0x360\n   netlbl_sock_setattr+0x132/0x1f0\n   selinux_netlbl_socket_post_create+0x6c/0x110\n   selinux_socket_post_create+0x37b/0x7f0\n   security_socket_post_create+0x63/0xb0\n   __sock_create+0x305/0x450\n   __sys_socket_create.part.23+0xbd/0x130\n   __sys_socket+0x37/0xb0\n   __x64_sys_socket+0x6f/0xb0\n   do_syscall_64+0x83/0x160\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n  Freed by task 6858:\n   kasan_save_stack+0x1c/0x40\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x3b/0x60\n   __kasan_slab_free+0x12c/0x1f0\n   kfree+0xed/0x2e0\n   inet_sock_destruct+0x54f/0x8b0\n   __sk_destruct+0x48/0x5b0\n   subflow_ulp_release+0x1f0/0x250\n   tcp_cleanup_ulp+0x6e/0x110\n   tcp_v4_destroy_sock+0x5a/0x3a0\n   inet_csk_destroy_sock+0x135/0x390\n   tcp_fin+0x416/0x5c0\n   tcp_data_queue+0x1bc8/0x4310\n   tcp_rcv_state_process+0x15a3/0x47b0\n   tcp_v4_do_rcv+0x2c1/0x990\n   tcp_v4_rcv+0x41fb/0x5ed0\n   ip_protocol_deliver_rcu+0x6d/0x9f0\n   ip_local_deliver_finish+0x278/0x360\n   ip_local_deliver+0x182/0x2c0\n   ip_rcv+0xb5/0x1c0\n   __netif_receive_skb_one_core+0x16e/0x1b0\n   process_backlog+0x1e3/0x650\n   __napi_poll+0xa6/0x500\n   net_rx_action+0x740/0xbb0\n   __do_softirq+0x183/0x5a4\n\n  The buggy address belongs to the object at ffff888485950880\n   which belongs to the cache kmalloc-64 of size 64\n  The buggy address is located 0 bytes inside of\n   64-byte region [ffff888485950880, ffff8884859508c0)\n\n  The buggy address belongs to the physical page:\n  page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n  flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n  page_type: 0xffffffff()\n  raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n  raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   ffff888485950780: fa fb fb\n---truncated---","modified":"2026-04-02T10:05:55.697088Z","published":"2024-04-04T08:20:16.472Z","related":["SUSE-SU-2024:4314-1","SUSE-SU-2024:4315-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4345-1","SUSE-SU-2024:4346-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4376-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26782.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26782.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26782"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cf7da0d66cc1a2a19fc5930bb746ffbb2d4cd1be"},{"fixed":"f74362a004225df935863dea6eb7d82daaa5b16e"},{"fixed":"4a4eeb6912538c2d0b158e8d11b62d96c1dada4e"},{"fixed":"d93fd40c62397326046902a2c5cb75af50882a85"},{"fixed":"ce0809ada38dca8d6d41bb57ab40494855c30582"},{"fixed":"85933e80d077c9ae2227226beb86c22f464059cc"},{"fixed":"10048689def7e40a4405acda16fdc6477d4ecc5c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26782.json"}}],"schema_version":"1.7.5"}