{"id":"CVE-2024-41010","summary":"bpf: Fix too early release of tcx_entry","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix too early release of tcx_entry\n\nPedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported\nan issue that the tcx_entry can be released too early leading to a use\nafter free (UAF) when an active old-style ingress or clsact qdisc with a\nshared tc block is later replaced by another ingress or clsact instance.\n\nEssentially, the sequence to trigger the UAF (one example) can be as follows:\n\n  1. A network namespace is created\n  2. An ingress qdisc is created. This allocates a tcx_entry, and\n     &tcx_entry-\u003eminiq is stored in the qdisc's miniqp-\u003ep_miniq. At the\n     same time, a tcf block with index 1 is created.\n  3. chain0 is attached to the tcf block. chain0 must be connected to\n     the block linked to the ingress qdisc to later reach the function\n     tcf_chain0_head_change_cb_del() which triggers the UAF.\n  4. Create and graft a clsact qdisc. This causes the ingress qdisc\n     created in step 1 to be removed, thus freeing the previously linked\n     tcx_entry:\n\n     rtnetlink_rcv_msg()\n       =\u003e tc_modify_qdisc()\n         =\u003e qdisc_create()\n           =\u003e clsact_init() [a]\n         =\u003e qdisc_graft()\n           =\u003e qdisc_destroy()\n             =\u003e __qdisc_destroy()\n               =\u003e ingress_destroy() [b]\n                 =\u003e tcx_entry_free()\n                   =\u003e kfree_rcu() // tcx_entry freed\n\n  5. Finally, the network namespace is closed. This registers the\n     cleanup_net worker, and during the process of releasing the\n     remaining clsact qdisc, it accesses the tcx_entry that was\n     already freed in step 4, causing the UAF to occur:\n\n     cleanup_net()\n       =\u003e ops_exit_list()\n         =\u003e default_device_exit_batch()\n           =\u003e unregister_netdevice_many()\n             =\u003e unregister_netdevice_many_notify()\n               =\u003e dev_shutdown()\n                 =\u003e qdisc_put()\n                   =\u003e clsact_destroy() [c]\n                     =\u003e tcf_block_put_ext()\n                       =\u003e tcf_chain0_head_change_cb_del()\n                         =\u003e tcf_chain_head_change_item()\n                           =\u003e clsact_chain_head_change()\n                             =\u003e mini_qdisc_pair_swap() // UAF\n\nThere are also other variants, the gist is to add an ingress (or clsact)\nqdisc with a specific shared block, then to replace that qdisc, waiting\nfor the tcx_entry kfree_rcu() to be executed and subsequently accessing\nthe current active qdisc's miniq one way or another.\n\nThe correct fix is to turn the miniq_active boolean into a counter. What\ncan be observed, at step 2 above, the counter transitions from 0-\u003e1, at\nstep [a] from 1-\u003e2 (in order for the miniq object to remain active during\nthe replacement), then in [b] from 2-\u003e1 and finally [c] 1-\u003e0 with the\neventual release. The reference counter in general ranges from [0,2] and\nit does not need to be atomic since all access to the counter is protected\nby the rtnl mutex. With this in place, there is no longer a UAF happening\nand the tcx_entry is freed at the correct time.","modified":"2026-04-02T09:45:46.183573Z","published":"2024-07-17T06:10:12.051Z","related":["SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41010.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41010.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41010"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e420bed025071a623d2720a92bc2245c84757ecb"},{"fixed":"230bb13650b0f186f540500fd5f5f7096a822a2a"},{"fixed":"f61ecf1bd5b562ebfd7d430ccb31619857e80857"},{"fixed":"1cb6f0bae50441f4b4b32a28315853b279c7404e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41010.json"}}],"schema_version":"1.7.5"}