OpenCloudOS-Kernel/net
Michal Luczaj f3b8e9d341 vsock: Orphan socket after transport release
commit 78dafe1cf3afa02ed71084b350713b07e72a18fb upstream.

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereference in virtio_transport_wait_close().

Orphan the socket only after transport release.

Partially reverts the 'Fixes:' commit.

KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
 lock_acquire+0x19e/0x500
 _raw_spin_lock_irqsave+0x47/0x70
 add_wait_queue+0x46/0x230
 virtio_transport_release+0x4e7/0x7f0
 __vsock_release+0xfd/0x490
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x35e/0xa90
 __x64_sys_close+0x78/0xd0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Reported-by: syzbot+9d55b199192a4be7d02c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9d55b199192a4be7d02c
Fixes: fcdd2242c023 ("vsock: Keep the binding until socket destruction")
Tested-by: Luigi Leonardi <leonardi@redhat.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Link: https://patch.msgid.link/20250210-vsock-linger-nullderef-v3-1-ef6244d02b54@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-02-21 13:57:27 +01:00
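The ordering hazard described in the commit message, as an added user-space model that is not code from OpenCloudOS or the upstream kernel. The struct layouts, sock_orphan(), sk_sleep(), transport_wait_close() and the two release orderings are simplified stand-ins (assumptions) for the kernel's struct sock, sock_orphan(), sk_sleep(), virtio_transport_wait_close() and __vsock_release(); the real sk_sleep() has no NULL check, so where this model returns false the kernel would dereference a near-NULL pointer in add_wait_queue(), as in the trace above.

```c
/* Added example: user-space model of "orphan before vs. after transport
 * release". Not kernel code; all names below are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the kernel structures (assumptions, not real definitions). */
struct wait_queue_head { int waiters; };
struct socket_wq       { struct wait_queue_head wait; }; /* 'wait' first, like the kernel */
struct socket          { struct socket_wq wq; };
struct sock {
    struct socket    *sk_socket;
    struct socket_wq *sk_wq;     /* cleared by sock_orphan() */
    bool              sk_dead;
    bool              so_linger; /* SO_LINGER enabled on the socket */
};

/* Model of sock_orphan(): mark dead, detach from the socket, clear sk_wq. */
static void sock_orphan(struct sock *sk)
{
    sk->sk_dead   = true;
    sk->sk_socket = NULL;
    sk->sk_wq     = NULL;
}

/* Model of sk_sleep(): the kernel returns &sk->sk_wq->wait unconditionally.
 * Here a NULL sk_wq yields NULL so the hazard is observable without a crash. */
static struct wait_queue_head *sk_sleep(struct sock *sk)
{
    return sk->sk_wq ? &sk->sk_wq->wait : NULL;
}

/* Model of the transport's linger wait on close: it registers a waiter on
 * the socket's wait queue (add_wait_queue()) and later removes it.
 * Returns false where the kernel would have dereferenced NULL. */
static bool transport_wait_close(struct sock *sk)
{
    if (!sk->so_linger)
        return true;                 /* no linger, no wait, no wait queue use */
    struct wait_queue_head *wq = sk_sleep(sk);
    if (wq == NULL)
        return false;                /* kernel: null-ptr-deref in add_wait_queue() */
    wq->waiters++;                   /* add_wait_queue() */
    /* ... sleep until the peer acknowledges shutdown or the linger timeout ... */
    wq->waiters--;                   /* remove_wait_queue() */
    return true;
}

/* Buggy ordering (the 'Fixes:' commit): orphan first, then release transport. */
static bool release_orphan_first(struct sock *sk)
{
    sock_orphan(sk);
    return transport_wait_close(sk);
}

/* Fixed ordering (this commit): release transport first, then orphan. */
static bool release_transport_first(struct sock *sk)
{
    bool ok = transport_wait_close(sk);
    sock_orphan(sk);
    return ok;
}

static void init_sock(struct sock *sk, struct socket *sock, bool linger)
{
    sock->wq.wait.waiters = 0;
    sk->sk_socket = sock;
    sk->sk_wq     = &sock->wq;
    sk->sk_dead   = false;
    sk->so_linger = linger;
}

/* Runs one close with the chosen ordering; false means the linger wait
 * found the wait queue already gone. */
static bool run_release(bool linger, bool orphan_first)
{
    struct socket sock;
    struct sock   sk;
    init_sock(&sk, &sock, linger);
    return orphan_first ? release_orphan_first(&sk) : release_transport_first(&sk);
}

int main(void)
{
    printf("SO_LINGER, orphan first   : %s\n", run_release(true, true)  ? "ok" : "NULL wait queue");
    printf("SO_LINGER, transport first: %s\n", run_release(true, false) ? "ok" : "NULL wait queue");
    printf("no linger, orphan first   : %s\n", run_release(false, true) ? "ok" : "NULL wait queue");
    return 0;
}
```

The model reproduces the shape of the bug: only the SO_LINGER path touches the wait queue, so the wrong ordering is harmless until linger is enabled, which is why a syzkaller-style fuzz of socket options found it rather than ordinary close() traffic.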
6lowpan
9p 9p/xen: fix release of IRQ 2024-12-09 10:32:57 +01:00
802 net: 802: LLC+SNAP OID:PID lookup on start of skb data 2025-01-17 13:36:11 +01:00
8021q net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb 2024-05-17 12:02:07 +02:00
appletalk appletalk: Fix Use-After-Free in atalk_ioctl 2023-12-20 17:01:50 +01:00
atm atm: Fix Use-After-Free in do_vcc_ioctl 2023-12-20 17:01:48 +01:00
ax25 ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt 2025-02-21 13:57:06 +01:00
batman-adv batman-adv: Drop unmanaged ELP metric worker 2025-02-21 13:57:13 +01:00
bluetooth Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection 2025-02-17 09:40:18 +01:00
bpf bpf, test_run: Fix LIVE_FRAME frame update after a page has been recycled 2024-11-08 16:28:19 +01:00
bpfilter net: Use umd_cleanup_helper() 2023-05-31 13:06:57 +02:00
bridge bridge: Handle error of rtnl_register_module(). 2024-10-17 15:24:29 +02:00
caif sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES) 2023-06-24 15:50:13 -07:00
can can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero 2025-02-21 13:57:16 +01:00
ceph ceph: allocate sparse_ext map only for sparse reads 2025-01-02 10:32:00 +01:00
core neighbour: use RCU protection in __neigh_notify() 2025-02-21 13:57:23 +01:00
dcb net: dcb: choose correct policy to parse DCB_ATTR_BCN 2023-08-01 21:07:46 -07:00
dccp net: fix data-races around sk->sk_forward_alloc 2025-01-23 17:21:19 +01:00
devlink devlink: fix port new reply cmd type 2024-03-26 18:20:11 -04:00
dns_resolver keys, dns: Fix size check of V1 server-list header 2024-01-25 15:35:41 -08:00
dsa net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events 2024-10-10 11:58:07 +02:00
ethernet ethernet: Add helper for assigning packet type when dest address does not match device address 2024-05-02 16:32:46 +02:00
ethtool net: avoid race between device unregistration and ethnl ops 2025-02-08 09:52:03 +01:00
handshake net/handshake: Fix handshake_req_destroy_test1 2024-02-23 09:24:50 +01:00
hsr net: hsr: fix fill_frame_info() regression vs VLAN packets 2025-02-08 09:52:32 +01:00
ieee802154 net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() 2024-12-14 20:00:04 +01:00
ife net: sched: ife: fix potential use-after-free 2024-01-01 12:42:30 +00:00
ipv4 arp: use RCU protection in arp_xmit() 2025-02-21 13:57:23 +01:00
ipv6 ipv6: mcast: add RCU protection to mld_newpack() 2025-02-21 13:57:24 +01:00
iucv s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() 2024-12-09 10:32:33 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-08-29 17:33:46 +02:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp ipv6: introduce dst_rt6_info() helper 2024-12-14 19:59:35 +01:00
l3mdev
lapb
llc net: llc: reset skb->transport_header 2025-01-09 13:32:01 +01:00
mac80211 wifi: mac80211: don't flush non-uploaded STAs 2025-02-08 09:51:58 +01:00
mac802154 mac802154: check local interfaces before deleting sdata list 2025-01-23 17:21:13 +01:00
mctp net: mctp: handle skb cleanup on sock_queue failures 2025-01-09 13:31:54 +01:00
mpls ipv6: introduce dst_rt6_info() helper 2024-12-14 19:59:35 +01:00
mptcp mptcp: prevent excessive coalescing on receive 2025-02-17 09:40:42 +01:00
ncsi net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling 2025-02-17 09:40:41 +01:00
netfilter netfilter: nf_tables: reject mismatching sum of field_len with set key length 2025-02-08 09:52:35 +01:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2024-01-25 15:35:14 -08:00
netlink sock_diag: add module pointer to "struct sock_diag_handler" 2024-12-09 10:32:09 +01:00
netrom netrom: check buffer length before accessing it 2025-01-09 13:32:00 +01:00
nfc NFC: nci: Add bounds checking in nci_hci_create_pipe() 2025-02-17 09:40:38 +01:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-05-17 12:02:02 +02:00
openvswitch openvswitch: use RCU protection in ovs_vport_cmd_fill_info() 2025-02-21 13:57:23 +01:00
packet af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK 2025-01-09 13:32:02 +01:00
phonet phonet: Handle error of rtnl_register_module(). 2024-10-17 15:24:30 +02:00
psample psample: Require 'CAP_NET_ADMIN' when joining "packets" group 2023-12-13 18:45:10 +01:00
qrtr net: qrtr: Update packets cloning when broadcasting 2024-10-04 16:29:41 +02:00
rds net:rds: Fix possible deadlock in rds_message_put 2024-08-19 06:04:27 +02:00
rfkill net: rfkill: gpio: Add check for clk_enable() 2024-12-09 10:32:11 +01:00
rose net: rose: lock the socket in rose_bind() 2025-02-17 09:40:13 +01:00
rxrpc rxrpc: Fix call state set to not include the SERVER_SECURING state 2025-02-17 09:40:14 +01:00
sched netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() 2025-02-17 09:40:14 +01:00
sctp sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy 2025-01-17 13:36:18 +01:00
smc net/smc: fix data error when recvmsg with MSG_PEEK flag 2025-02-08 09:51:58 +01:00
strparser
sunrpc Revert "SUNRPC: Reduce thread wake-up rate when receiving large RPC messages" 2025-02-08 09:52:35 +01:00
switchdev net: bridge: switchdev: Skip MDB replays of deferred events on offload 2024-03-01 13:35:06 +01:00
tipc tipc: re-order conditions in tipc_crypto_key_rcv() 2025-02-17 09:40:09 +01:00
tls tls: Fix tls_sw_sendmsg error handling 2025-01-17 13:36:13 +01:00
unix splice: do not checksum AF_UNIX sockets 2024-12-19 18:11:21 +01:00
vmw_vsock vsock: Orphan socket after transport release 2025-02-21 13:57:27 +01:00
wireless wifi: cfg80211: adjust allocation of colocated AP data 2025-02-08 09:52:01 +01:00
x25 net/x25: fix incorrect parameter validation in the x25_getsockopt() function 2024-03-26 18:19:41 -04:00
xdp xsk: fix OOB map writes when deleting elements 2024-12-14 19:59:57 +01:00
xfrm xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO 2025-02-08 09:52:28 +01:00
Kconfig bpf: Add fd-based tcx multi-prog infra with link support 2023-07-19 10:07:27 -07:00
Kconfig.debug
Makefile net/handshake: Create a NETLINK service for handling handshake requests 2023-04-19 18:48:48 -07:00
compat.c
devres.c
socket.c net: explicitly clear the sk pointer, when pf->create fails 2024-10-17 15:24:35 +02:00
sysctl_net.c sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table) 2024-08-11 12:47:13 +02:00