{"id":"CVE-2024-40954","summary":"net: do not leave a dangling sk pointer, when socket creation fails","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not leave a dangling sk pointer, when socket creation fails\n\nIt is possible to trigger a use-after-free by:\n  * attaching an fentry probe to __sock_release() and the probe calling the\n    bpf_get_socket_cookie() helper\n  * running traceroute -I 1.1.1.1 on a freshly booted VM\n\nA KASAN enabled kernel will log something like below (decoded and stripped):\n==================================================================\nBUG: KASAN: slab-use-after-free in __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nRead of size 8 at addr ffff888007110dd8 by task traceroute/299\n\nCPU: 2 PID: 299 Comm: traceroute Tainted: G            E      6.10.0-rc2+ #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\ndump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\nprint_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n? __sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_report (mm/kasan/report.c:603)\n? 
__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nkasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)\n__sock_gen_cookie (./arch/x86/include/asm/atomic64_64.h:15 ./include/linux/atomic/atomic-arch-fallback.h:2583 ./include/linux/atomic/atomic-instrumented.h:1611 net/core/sock_diag.c:29)\nbpf_get_socket_ptr_cookie (./arch/x86/include/asm/preempt.h:94 ./include/linux/sock_diag.h:42 net/core/filter.c:5094 net/core/filter.c:5092)\nbpf_prog_875642cf11f1d139___sock_release+0x6e/0x8e\nbpf_trampoline_6442506592+0x47/0xaf\n__sock_release (net/socket.c:652)\n__sock_create (net/socket.c:1601)\n...\nAllocated by task 299 on cpu 2 at 78.328492s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\n__kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)\nkmem_cache_alloc_noprof (mm/slub.c:3941 mm/slub.c:4000 mm/slub.c:4007)\nsk_prot_alloc (net/core/sock.c:2075)\nsk_alloc (net/core/sock.c:2134)\ninet_create (net/ipv4/af_inet.c:327 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket (net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFreed by task 299 on cpu 2 at 78.328502s:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (mm/kasan/common.c:68)\nkasan_save_free_info (mm/kasan/generic.c:582)\npoison_slab_object (mm/kasan/common.c:242)\n__kasan_slab_free (mm/kasan/common.c:256)\nkmem_cache_free (mm/slub.c:4437 mm/slub.c:4511)\n__sk_destruct (net/core/sock.c:2117 net/core/sock.c:2208)\ninet_create (net/ipv4/af_inet.c:397 net/ipv4/af_inet.c:252)\n__sock_create (net/socket.c:1572)\n__sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706)\n__x64_sys_socket 
(net/socket.c:1718)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by clearing the struct socket reference in sk_common_release() to cover\nall protocol families' create functions, which may have already attached the\nreference to the sk object with sock_init_data().","modified":"2026-04-02T12:17:22.151471Z","published":"2024-07-12T12:31:57.517Z","related":["ALSA-2024:5363","ALSA-2024:7000","ALSA-2024:7001","SUSE-SU-2024:2894-1","SUSE-SU-2024:2902-1","SUSE-SU-2024:2929-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2024:3623-1","SUSE-SU-2024:3624-1","SUSE-SU-2024:3625-1","SUSE-SU-2024:3626-1","SUSE-SU-2024:3627-1","SUSE-SU-2024:3628-1","SUSE-SU-2024:3631-1","SUSE-SU-2024:3632-1","SUSE-SU-2024:3635-1","SUSE-SU-2024:3636-1","SUSE-SU-2024:3638-1","SUSE-SU-2024:3639-1","SUSE-SU-2024:3643-1","SUSE-SU-2024:3655-1","SUSE-SU-2024:3666-1","SUSE-SU-2024:3670-1","SUSE-SU-2024:3672-1","SUSE-SU-2024:3679-1","SUSE-SU-2024:3680-1","SUSE-SU-2024:3694-1","SUSE-SU-2024:3695-1","SUSE-SU-2024:3696-1","SUSE-SU-2024:3697-1","SUSE-SU-2024:3700-1","SUSE-SU-2024:3701-1","SUSE-SU-2024:3702-1","SUSE-SU-2024:3706-1","SUSE-SU-2024:3707-1","SUSE-SU-2024:3708-1","SUSE-SU-2024:3710-1","SUSE-SU-2024:3780-1","SUSE-SU-2024:3793-1","SUSE-SU-2024:3806-1","SUSE-SU-2024:3815-1","SUSE-SU-2024:3829-1","SUSE-SU-2024:3830-1","SUSE-SU-2024:3831-1","SUSE-SU-2024:3833-1","SUSE-SU-2024:3835-1","SUSE-SU-2024:3836-1","SUSE-SU-2024:3837-1","SUSE-SU-2024:3840-1","SUSE-SU-2024:3842-1","SUSE-SU-2024:3851-1","SUSE-SU-2024:3852-1","SUSE-SU-2024:3855-1","SUSE-SU-2024:3856-1","SUSE-SU-2024:3857-1","SUSE-SU-2024:3860-1","SUSE-SU-2024:3880-1","SUSE-SU-2024:3881-1","SUSE-SU-2024:3882-1","SUSE-SU-2024:3884-1","SUSE-SU-2024:4122-1","SUSE-SU-2024:4123-1","SUSE-SU-2024:4124-1","SUSE-SU-2024:4125-1","SUSE-SU-2024:4127-1","SUSE-SU-2024:4128-1","SUSE-SU-2024:4139-1"
,"SUSE-SU-2024:4207-1","SUSE-SU-2024:4208-1","SUSE-SU-2024:4209-1","SUSE-SU-2024:4210-1","SUSE-SU-2024:4214-1","SUSE-SU-2024:4216-1","SUSE-SU-2024:4218-1","SUSE-SU-2024:4228-1","SUSE-SU-2024:4234-1","SUSE-SU-2024:4235-1","SUSE-SU-2024:4236-1","SUSE-SU-2024:4243-1","SUSE-SU-2024:4262-1","SUSE-SU-2024:4266-1","SUSE-SU-2024:4275-1","SUSE-SU-2025:0084-1","SUSE-SU-2025:0107-1","SUSE-SU-2025:0109-1","SUSE-SU-2025:0110-1","SUSE-SU-2025:0111-1","SUSE-SU-2025:0114-1","SUSE-SU-2025:0115-1","SUSE-SU-2025:0124-1","SUSE-SU-2025:0138-1","SUSE-SU-2025:0146-1","SUSE-SU-2025:0150-1","SUSE-SU-2025:0158-1","SUSE-SU-2025:0164-1","SUSE-SU-2025:0168-1","SUSE-SU-2025:0187-1","SUSE-SU-2025:0188-1","SUSE-SU-2025:0248-1","SUSE-SU-2025:0249-1","SUSE-SU-2025:0251-1","SUSE-SU-2025:0252-1","SUSE-SU-2025:0253-1","SUSE-SU-2025:0254-1","SUSE-SU-2025:0255-1","SUSE-SU-2025:0260-1","SUSE-SU-2025:0261-1","SUSE-SU-2025:0262-1","SUSE-SU-2025:0264-1","SUSE-SU-2025:0265-1","SUSE-SU-2025:0266-1","SUSE-SU-2025:0269-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40954.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/454c454ed645fed051216b79622f7cb69c1638f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/78e4aa528a7b1204219d808310524344f627d069"},{"type":"WEB","url":"https://git.kernel.org/stable/c/893eeba94c40d513cd0fe6539330ebdaea208c0e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40954.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40954"},{"type":"PACKAGE","url":"https://g
it.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c5dbb89fc2ac013afe67b9e4fcb3743c02b567cd"},{"fixed":"78e4aa528a7b1204219d808310524344f627d069"},{"fixed":"893eeba94c40d513cd0fe6539330ebdaea208c0e"},{"fixed":"454c454ed645fed051216b79622f7cb69c1638f5"},{"fixed":"5dfe2408fd7dc4d2e7ac38a116ff0a37b1cfd3b9"},{"fixed":"6cd4a78d962bebbaf8beb7d2ead3f34120e3f7b2"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40954.json"}}],"schema_version":"1.7.5"}
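The ordering described in the record (sk_alloc() and sock_init_data() link the sk to the struct socket, a later step of the protocol create function fails, sk_common_release() frees the sk, and the fentry probe on __sock_release() then reads sock->sk through bpf_get_socket_cookie()) is easier to see in a small user-space model. The block below is an added illustration written for this page, not kernel code and not the upstream patch. All `model_*` names, the one-slot slab and the `freed` poison flag standing in for the real kmem_cache_free() are assumptions of the model; the fix is modelled as the commit message states it, by clearing the struct socket's sk reference inside sk_common_release(), and the probe returns -1 where a real kernel would produce the KASAN slab-use-after-free report.

```c
/*
 * User-space model of CVE-2024-40954 (added illustration, not kernel code).
 * It reproduces the ordering of the failing inet_create() path:
 *   sk_alloc() -> sock_init_data() links sk <-> struct socket
 *   a later step fails -> sk_common_release() frees sk
 *   __sock_create() calls __sock_release(sock), where an fentry probe
 *   may read sock->sk via bpf_get_socket_cookie()
 * "Freed" memory is modelled by a poison flag instead of a real free() so
 * the dangling read can be detected deterministically.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

struct socket;

struct sock {
    uint64_t sk_cookie;        /* what __sock_gen_cookie() would hand back  */
    struct socket *sk_socket;  /* back-pointer set by sock_init_data()      */
    int freed;                 /* poison flag standing in for the slab free */
};

struct socket {
    struct sock *sk;           /* the pointer that is left dangling         */
};

/* One-slot "slab" so the object stays addressable after its model free. */
static struct sock sk_slab;
static uint64_t next_cookie = 1;

static struct sock *model_sk_alloc(void)
{
    memset(&sk_slab, 0, sizeof sk_slab);
    return &sk_slab;
}

/* Mirrors sock_init_data(): attaches sk to the struct socket both ways. */
static void model_sock_init_data(struct socket *sock, struct sock *sk)
{
    sk->sk_socket = sock;
    sock->sk = sk;
    sk->sk_cookie = next_cookie++;
}

/* Mirrors sk_common_release(). With `fixed` set it clears the socket's sk
 * reference before the object goes away, as the commit message describes. */
static void model_sk_common_release(struct sock *sk, int fixed)
{
    if (fixed && sk->sk_socket)
        sk->sk_socket->sk = NULL;
    sk->freed = 1;             /* __sk_destruct() -> kmem_cache_free()      */
}

/* Mirrors bpf_get_socket_cookie() applied to a struct socket: a NULL sk
 * yields 0; a freed sk is the use-after-free, reported here as -1. */
static int64_t model_probe_get_socket_cookie(struct socket *sock)
{
    struct sock *sk = sock->sk;
    if (!sk)
        return 0;
    if (sk->freed)
        return -1;             /* KASAN would log slab-use-after-free here */
    return (int64_t)sk->sk_cookie;
}

/* Mirrors inet_create() failing *after* sock_init_data() has run. */
static int model_inet_create_failing(struct socket *sock, int fixed)
{
    struct sock *sk = model_sk_alloc();
    model_sock_init_data(sock, sk);
    /* ... a later step of the create function returns an error ... */
    model_sk_common_release(sk, fixed);
    return -1;                 /* error propagated to __sock_create()       */
}

/* Mirrors __sock_create(): on pf->create() failure it calls __sock_release(),
 * where the fentry probe fires. Returns what the probe observed. */
int64_t simulate_failed_socket_create(int fixed)
{
    struct socket sock = { .sk = NULL };
    if (model_inet_create_failing(&sock, fixed) < 0)
        return model_probe_get_socket_cookie(&sock); /* fentry:__sock_release */
    return 0;
}

int main(void)
{
    printf("unpatched: probe result %lld (-1 = read of freed sk)\n",
           (long long)simulate_failed_socket_create(0));
    printf("patched:   probe result %lld (0 = sk pointer cleared)\n",
           (long long)simulate_failed_socket_create(1));
    return 0;
}
```

The model keeps the sk addressable after its "free" only so the dangling read is observable; in the real kernel the same read lands on slab memory that may already have been reused, which is why KASAN is needed to catch it reliably. Note also that the real helper returns 0 for a NULL sk, so once the reference is cleared a probe on __sock_release() simply sees no cookie for a socket whose creation failed.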