mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-07-19 03:59:45 +02:00

Go to file

Michal Luczaj e48fcb403c vsock: Keep the binding until socket destruction commit fcdd2242c0231032fc84e1404315c245ae56322a upstream. Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2) 2. transport->release() calls vsock_remove_bound() without checking if sk was bound and moved to bound list (refcnt=1) 3. vsock_bind() assumes sk is in unbound list and before __vsock_insert_bound(vsock_bound_sockets()) calls __vsock_remove_bound() which does: list_del_init(&vsk->bound_table); // nop sock_put(&vsk->sk); // refcnt=0 BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730 Read of size 4 at addr ffff88816b46a74c by task a.out/2057 dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 __vsock_bind+0x62e/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 __vsock_create.constprop.0+0x2e/0xb60 vsock_create+0xe4/0x420 __sock_create+0x241/0x650 __sys_socket+0xf2/0x1a0 __x64_sys_socket+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 2057: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 __vsock_bind+0x5e1/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: addition on 0; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150 RIP: 0010:refcount_warn_saturate+0xce/0x150 __vsock_bind+0x66d/0x730 vsock_bind+0x97/0xe0 __sys_bind+0x154/0x1f0 __x64_sys_bind+0x6e/0xb0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e refcount_t: underflow; use-after-free. WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150 RIP: 0010:refcount_warn_saturate+0xee/0x150 vsock_remove_bound+0x187/0x1e0 __vsock_release+0x383/0x4a0 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x359/0xa80 task_work_run+0x107/0x1d0 do_exit+0x847/0x2560 do_group_exit+0xb8/0x250 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0xfec/0x14f0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: `c0cfa2d8a7` ("vsock: add multi-transports support") Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Michal Luczaj <mhal@rbox.co> Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Luigi Leonardi <leonardi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2025-03-13 12:51:12 +01:00
arch	x86/sgx: Fix size overflows in sgx_encl_create()	2025-03-13 12:51:06 +01:00
block	block: fix conversion of GPT partition name to 7-bit	2025-03-13 12:51:03 +01:00
certs
crypto	crypto: testmgr - some more fixes to RSA test vectors	2025-03-13 12:50:48 +01:00
Documentation	kfence: allow use of a deferrable timer	2025-03-13 12:50:49 +01:00
drivers	media: uvcvideo: Remove dangling pointers	2025-03-13 12:51:12 +01:00
fs	nilfs2: handle errors that nilfs_prepare_chunk() may return	2025-03-13 12:51:12 +01:00
include	vmlinux.lds: Ensure that const vars with relocations are mapped R/O	2025-03-13 12:51:00 +01:00
init	initramfs: avoid filename buffer overrun	2024-12-14 19:50:42 +01:00
io_uring	io_uring: fix possible deadlock in io_register_iowq_max_workers()	2024-11-17 15:06:25 +01:00
ipc
kernel	sched/fair: Fix potential memory corruption in child_cfs_rq_on_list	2025-03-13 12:51:07 +01:00
lib	kfence: allow use of a deferrable timer	2025-03-13 12:50:49 +01:00
LICENSES
mm	mm: don't skip arch_sync_kernel_mappings() in error paths	2025-03-13 12:51:03 +01:00
net	vsock: Keep the binding until socket destruction	2025-03-13 12:51:12 +01:00
samples	samples/landlock: Fix possible NULL dereference in parse_path()	2025-03-13 12:49:57 +01:00
scripts	kbuild: Move -Wenum-enum-conversion to W=2	2025-03-13 12:50:29 +01:00
security	tomoyo: don't emit warning in tomoyo_write_control()	2025-03-13 12:50:18 +01:00
sound	ALSA: usx2y: validate nrpacks module parameter on probe	2025-03-13 12:51:05 +01:00
tools	selftests: rtnetlink: update netdevsim ipsec output format	2025-03-13 12:50:46 +01:00
usr
virt	KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()	2024-10-22 15:40:41 +02:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore	Remove *.orig pattern from .gitignore	2024-10-17 15:11:10 +02:00
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS	trace: Relocate event helper files	2024-04-10 16:19:24 +02:00
Makefile	Linux 5.15.178	2025-02-01 18:24:02 +01:00
README

README

Linux kernel

There are several guides for kernel developers and users. These guides can be rendered in a number of formats, like HTML and PDF. Please read Documentation/admin-guide/README.rst first.

In order to build the documentation, use make htmldocs or make pdfdocs. The formatted documentation can also be read online at:

https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory, several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the requirements for building and running the kernel, and information about the problems which may result by upgrading your kernel.