U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database

Vulnerability Change Records for CVE-2024-54680

Change History

CVE Modified by kernel.org 4/02/2025 12:15:35 PM

Action Type Old Value New Value
Changed Description 
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix TCP timers deadlock after rmmod

Commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.")
fixed a netns UAF by manually enabled socket refcounting
(sk->sk_net_refcnt=1 and sock_inuse_add(net, 1)).

The reason the patch worked for that bug was because we now hold
references to the netns (get_net_track() gets a ref internally)
and they're properly released (internally, on __sk_destruct()),
but only because sk->sk_net_refcnt was set.

Problem:
(this happens regardless of CONFIG_NET_NS_REFCNT_TRACKER and regardless
if init_net or other)

Setting sk->sk_net_refcnt=1 *manually* and *after* socket creation is not
only out of cifs scope, but also technically wrong -- it's set conditionally
based on user (=1) vs kernel (=0) sockets.  And net/ implementations
seem to base their user vs kernel space operations on it.

e.g. upon TCP socket close, the TCP timers are not cleared because
sk->sk_net_refcnt=1:
(cf. commit 151c9c724d05 ("tcp: properly terminate timers for kernel sockets"))

net/ipv4/tcp.c:
    void tcp_close(struct sock *sk, long timeout)
    {
    	lock_sock(sk);
    	__tcp_close(sk, timeout);
    	release_sock(sk);
    	if (!sk->sk_net_refcnt)
    		inet_csk_clear_xmit_timers_sync(sk);
    	sock_put(sk);
    }

Which will throw a lockdep warning and then, as expected, deadlock on
tcp_write_timer().

A way to reproduce this is by running the reproducer from ef7134c7fc48
and then 'rmmod cifs'.  A few seconds later, the deadlock/lockdep
warning shows up.

Fix:
We shouldn't mess with socket internals ourselves, so do not set
sk_net_refcnt manually.

Also change __sock_create() to sock_create_kern() for explicitness.

As for non-init_net network namespaces, we deal with it the best way
we can -- hold an extra netns reference for server->ssocket and drop it
when it's released.  This ensures that the netns still exists whenever
we need to create/destroy server->ssocket, but is not directly tied to
it.
 
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Removed CVSS V3.1 
CISA-ADP: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 

								
								
					

					

						Removed
						CVSS V3.1
						
							
							
								
							
								
NIST: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						CWE
						
							
							
								
							
								
CISA-ADP: CWE-416

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						CWE
						
							
							
								
							
								
NIST: CWE-667

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						CPE Configuration
						
							
							
								
							
								
OR
          *cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.11.9 up to (excluding) 6.12.7
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.62 up to (excluding) 6.6.68

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						Reference
						
							
							
								
							
								
kernel.org: https://git.kernel.org/stable/c/127e907e11ccd54b59bb78fc22c43ccb76c71079

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						Reference
						
							
							
								
							
								
kernel.org: https://git.kernel.org/stable/c/906807c734ed219dcb2e7bbfde5c4168ed72a3d0

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						Reference
						
							
							
								
							
								
kernel.org: https://git.kernel.org/stable/c/e9f2517a3e18a54a3943c098d2226b245d488801

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						Reference Type
						
							
							
								
							
								
kernel.org: https://git.kernel.org/stable/c/127e907e11ccd54b59bb78fc22c43ccb76c71079 Types: Patch

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						Reference Type
						
							
							
								
							
								
kernel.org: https://git.kernel.org/stable/c/906807c734ed219dcb2e7bbfde5c4168ed72a3d0 Types: Patch

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						Reference Type
						
							
							
								
							
								
kernel.org: https://git.kernel.org/stable/c/e9f2517a3e18a54a3943c098d2226b245d488801 Types: Patch

								
							
							
								
							
						
								
							
								

								
								
					

				
			




		

	
		

			 
			

				CVE Rejected by kernel.org 4/02/2025 12:15:35 PM
			



			

				 
					

						Action
						Type
						Old Value
						New Value