{"id":"CVE-2024-56664","summary":"bpf, sockmap: Fix race between element replace and close()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix race between element replace and close()\n\nElement replace (with a socket different from the one stored) may race\nwith socket's close() link popping & unlinking. __sock_map_delete()\nunconditionally unrefs the (wrong) element:\n\n// set map[0] = s0\nmap_update_elem(map, 0, s0)\n\n// drop fd of s0\nclose(s0)\n  sock_map_close()\n    lock_sock(sk)               (s0!)\n    sock_map_remove_links(sk)\n      link = sk_psock_link_pop()\n      sock_map_unlink(sk, link)\n        sock_map_delete_from_link\n                                        // replace map[0] with s1\n                                        map_update_elem(map, 0, s1)\n                                          sock_map_update_elem\n                                (s1!)       lock_sock(sk)\n                                            sock_map_update_common\n                                              psock = sk_psock(sk)\n                                              spin_lock(&stab-\u003elock)\n                                              osk = stab-\u003esks[idx]\n                                              sock_map_add_link(..., &stab-\u003esks[idx])\n                                              sock_map_unref(osk, &stab-\u003esks[idx])\n                                                psock = sk_psock(osk)\n                                                sk_psock_put(sk, psock)\n                                                  if (refcount_dec_and_test(&psock))\n                                                    sk_psock_drop(sk, psock)\n                                              spin_unlock(&stab-\u003elock)\n                                            unlock_sock(sk)\n          __sock_map_delete\n            spin_lock(&stab-\u003elock)\n            sk = *psk                        // s1 replaced s0; sk == s1\n            if (!sk_test || sk_test == sk)   // sk_test (s0) != sk (s1); no branch\n              sk = xchg(psk, NULL)\n            if (sk)\n              sock_map_unref(sk, psk)        // unref s1; sks[idx] will dangle\n                psock = sk_psock(sk)\n                sk_psock_put(sk, psock)\n                  if (refcount_dec_and_test())\n                    sk_psock_drop(sk, psock)\n            spin_unlock(&stab-\u003elock)\n    release_sock(sk)\n\nThen close(map) enqueues bpf_map_free_deferred, which finally calls\nsock_map_free(). This results in some refcount_t warnings along with\na KASAN splat [1].\n\nFix __sock_map_delete(), do not allow sock_map_unref() on elements that\nmay have been replaced.\n\n[1]:\nBUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330\nWrite of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063\n\nCPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\nWorkqueue: events_unbound bpf_map_free_deferred\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x68/0x90\n print_report+0x174/0x4f6\n kasan_report+0xb9/0x190\n kasan_check_range+0x10f/0x1e0\n sock_map_free+0x10e/0x330\n bpf_map_free_deferred+0x173/0x320\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x29e/0x360\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 1202:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x85/0x90\n kmem_cache_alloc_noprof+0x131/0x450\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x2c/0x870\n unix_create1+0x88/0x8a0\n unix_create+0xc5/0x180\n __sock_create+0x241/0x650\n __sys_socketpair+0x1ce/0x420\n __x64_sys_socketpair+0x92/0x100\n do_syscall_64+0x93/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 46:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kmem_cache_free+0x1a1/0x590\n __sk_destruct+0x388/0x5a0\n sk_psock_destroy+0x73e/0xa50\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x29e/0x360\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n\nThe bu\n---truncated---","modified":"2026-04-16T04:33:19.298054866Z","published":"2024-12-27T15:06:26.276Z","related":["SUSE-SU-2025:0236-1","SUSE-SU-2025:02601-1","SUSE-SU-2025:02604-1","SUSE-SU-2025:02607-1","SUSE-SU-2025:02610-1","SUSE-SU-2025:02618-1","SUSE-SU-2025:02627-1","SUSE-SU-2025:02632-1","SUSE-SU-2025:02636-1","SUSE-SU-2025:02638-1","SUSE-SU-2025:02648-1","SUSE-SU-2025:02652-1","SUSE-SU-2025:02673-1","SUSE-SU-2025:02688-1","SUSE-SU-2025:02691-1","SUSE-SU-2025:02697-1","SUSE-SU-2025:02698-1","SUSE-SU-2025:0289-1","SUSE-SU-2025:0428-1","SUSE-SU-2025:0499-1","SUSE-SU-2025:0555-1","SUSE-SU-2025:0556-1","SUSE-SU-2025:0557-1","SUSE-SU-2025:0576-1","SUSE-SU-2025:0577-1","SUSE-SU-2025:0577-2","SUSE-SU-2025:0771-1","SUSE-SU-2025:0867-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","SUSE-SU-2025:20568-1","SUSE-SU-2025:20575-1","SUSE-SU-2025:20576-1","SUSE-SU-2025:20578-1","SUSE-SU-2025:20579-1","SUSE-SU-2025:20584-1","SUSE-SU-2025:20610-1","SUSE-SU-2025:20611-1","SUSE-SU-2025:20620-1","SUSE-SU-2025:20625-1","SUSE-SU-2025:4123-1","USN-7379-2","USN-7380-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56664.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6deb9e85dc9a2ba4414b91c1b5b00b8415910890"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b015f19fedd2e12283a8450dd0aefce49ec57015"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b79a0d1e9a374d1b376933a354c4fcd01fce0365"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf2318e288f636a882eea39f7e1015623629f168"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ed1fc5d76b81a4d681211333c026202cad4d5649"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fdb2cd8957ac51f84c9e742ba866087944bb834b"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56664.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56664"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"604326b41a6fb9b4a78b6179335decee0365cd8c"},{"fixed":"6deb9e85dc9a2ba4414b91c1b5b00b8415910890"},{"fixed":"fdb2cd8957ac51f84c9e742ba866087944bb834b"},{"fixed":"b79a0d1e9a374d1b376933a354c4fcd01fce0365"},{"fixed":"b015f19fedd2e12283a8450dd0aefce49ec57015"},{"fixed":"bf2318e288f636a882eea39f7e1015623629f168"},{"fixed":"ed1fc5d76b81a4d681211333c026202cad4d5649"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56664.json"}}],"schema_version":"1.7.5"}