{"id":"CVE-2024-44991","summary":"tcp: prevent concurrent execution of tcp_sk_exit_batch","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: prevent concurrent execution of tcp_sk_exit_batch\n\nIts possible that two threads call tcp_sk_exit_batch() concurrently,\nonce from the cleanup_net workqueue, once from a task that failed to clone\na new netns.  In the latter case, error unwinding calls the exit handlers\nin reverse order for the 'failed' netns.\n\ntcp_sk_exit_batch() calls tcp_twsk_purge().\nProblem is that since commit b099ce2602d8 (\"net: Batch inet_twsk_purge\"),\nthis function picks up twsk in any dying netns, not just the one passed\nin via exit_batch list.\n\nThis means that the error unwind of setup_net() can \"steal\" and destroy\ntimewait sockets belonging to the exiting netns.\n\nThis allows the netns exit worker to proceed to call\n\nWARN_ON_ONCE(!refcount_dec_and_test(&net-\u003eipv4.tcp_death_row.tw_refcount));\n\nwithout the expected 1 -\u003e 0 transition, which then splats.\n\nAt same time, error unwind path that is also running inet_twsk_purge()\nwill splat as well:\n\nWARNING: .. at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210\n...\n refcount_dec include/linux/refcount.h:351 [inline]\n inet_twsk_kill+0x758/0x9c0 net/ipv4/inet_timewait_sock.c:70\n inet_twsk_deschedule_put net/ipv4/inet_timewait_sock.c:221\n inet_twsk_purge+0x725/0x890 net/ipv4/inet_timewait_sock.c:304\n tcp_sk_exit_batch+0x1c/0x170 net/ipv4/tcp_ipv4.c:3522\n ops_exit_list+0x128/0x180 net/core/net_namespace.c:178\n setup_net+0x714/0xb40 net/core/net_namespace.c:375\n copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508\n create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110\n\n... because refcount_dec() of tw_refcount unexpectedly dropped to 0.\n\nThis doesn't seem like an actual bug (no tw sockets got lost and I don't\nsee a use-after-free) but as erroneous trigger of debug check.\n\nAdd a mutex to force strict ordering: the task that calls tcp_twsk_purge()\nblocks other task from doing final _dec_and_test before mutex-owner has\nremoved all tw sockets of dying netns.","modified":"2026-03-20T12:38:56.852629Z","published":"2024-09-04T19:54:38.206Z","related":["MGASA-2024-0309","MGASA-2024-0310","SUSE-SU-2024:3551-1","SUSE-SU-2024:3553-1","SUSE-SU-2024:3561-1","SUSE-SU-2024:3564-1","SUSE-SU-2025:20073-1","SUSE-SU-2025:20077-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/44xxx/CVE-2024-44991.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/565d121b69980637f040eb4d84289869cdaabedf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/99580ae890ec8bd98b21a2a9c6668f8f1555b62e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3d9de3742f4d5c47ae35f888d3023a5b54fcd2f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f6fd2dbf584a4047ba88d1369ff91c9851261ec1"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/44xxx/CVE-2024-44991.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-44991"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e9bd0cca09d13ac2f08d25e195203e42d4ad1ce8"},{"fixed":"e3d9de3742f4d5c47ae35f888d3023a5b54fcd2f"},{"fixed":"99580ae890ec8bd98b21a2a9c6668f8f1555b62e"},{"fixed":"f6fd2dbf584a4047ba88d1369ff91c9851261ec1"},{"fixed":"565d121b69980637f040eb4d84289869cdaabedf"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-44991.json"}}],"schema_version":"1.7.5"}