CVE-2024-41006

In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix a memory leak in nrheartbeatexpiry()

syzbot reported a memory leak in nr_create() [0].

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sockhold() to the nrheartbeatexpiry() function, where a) a socket has a SOCKDESTROY flag or b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCKDESTROY flag is set, the file descriptor has already been closed and the nrrelease() function has been called. So it makes no sense to hold the reference count because no one will call another nrdestroysocket() and put it as in the case "b."

nrconnect nrestablishdatalink nrstartheartbeat

nrrelease switch (nr->state) case NRSTATE3 nr->state = NRSTATE2 socksetflag(sk, SOCKDESTROY);

                    nr_rx_frame
                      nr_process_rx_frame
                        switch (nr->state)
                        case NR_STATE_2
                          nr_state2_machine()
                            nr_disconnect()
                              nr_sk(sk)->state = NR_STATE_0
                              sock_set_flag(sk, SOCK_DEAD)

                    nr_heartbeat_expiry
                      switch (nr->state)
                      case NR_STATE_0
                        if (sock_flag(sk, SOCK_DESTROY) ||
                           (sk->sk_state == TCP_LISTEN
                             && sock_flag(sk, SOCK_DEAD)))
                           sock_hold()  // ( !!! )
                           nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.