{"id":"CVE-2024-41006","summary":"netrom: Fix a memory leak in nr_heartbeat_expiry()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n  nr_establish_data_link\n    nr_start_heartbeat\n\nnr_release\n  switch (nr-\u003estate)\n  case NR_STATE_3\n    nr-\u003estate = NR_STATE_2\n    sock_set_flag(sk, SOCK_DESTROY);\n\n                        nr_rx_frame\n                          nr_process_rx_frame\n                            switch (nr-\u003estate)\n                            case NR_STATE_2\n                              nr_state2_machine()\n                                nr_disconnect()\n                                  nr_sk(sk)-\u003estate = NR_STATE_0\n                                  sock_set_flag(sk, SOCK_DEAD)\n\n                        nr_heartbeat_expiry\n                          switch (nr-\u003estate)\n                          case NR_STATE_0\n                            if (sock_flag(sk, SOCK_DESTROY) ||\n                               (sk-\u003esk_state == TCP_LISTEN\n                                 && sock_flag(sk, SOCK_DEAD)))\n                               sock_hold()  // ( !!! )\n                               nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16","modified":"2026-04-02T12:17:24.144109Z","published":"2024-07-12T12:44:41.176Z","related":["SUSE-SU-2024:2802-1","SUSE-SU-2024:2894-1","SUSE-SU-2024:2896-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41006.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735"},{"type":"WEB","url":"https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41006.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41006"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a31caf5779ace8fa98b0d454133808e082ee7a1b"},{"fixed":"d616876256b38ecf9a1a1c7d674192c5346bc69c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fe9b9e621cebe6b7e83f7e954c70f8bb430520e5"},{"fixed":"e07a9c2a850cdebf625e7a1b8171bd23a8554313"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7de16d75b20ab13b75a7291f449a1b00090edfea"},{"fixed":"5391f9db2cab5ef1cb411be1ab7dbec728078fba"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d2d3ab1b1de3302de2c85769121fd4f890e47ceb"},{"fixed":"280cf1173726a7059b628c610c71050d5c0b6937"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"51e394c6f81adbfe7c34d15f58b3d4d44f144acf"},{"fixed":"a02fd5d775cf9787ee7698c797e20f2fa13d2e2b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"409db27e3a2eb5e8ef7226ca33be33361b3ed1c9"},{"fixed":"b6ebe4fed73eedeb73f4540f8edc4871945474c8"},{"fixed":"d377f5a28332954b19e373d36823e59830ab1712"},{"fixed":"0b9130247f3b6a1122478471ff0e014ea96bb735"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"e666990abb2e42dd4ba979b4706280a3664cfae7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41006.json"}}],"schema_version":"1.7.5"}