mirror of synced 2025-03-06 20:59:54 +01:00
linux/net
Michal Luczaj 78dafe1cf3 vsock: Orphan socket after transport release
During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereference in virtio_transport_wait_close().

Orphan the socket only after transport release.

Partially reverts the 'Fixes:' commit.

KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
 lock_acquire+0x19e/0x500
 _raw_spin_lock_irqsave+0x47/0x70
 add_wait_queue+0x46/0x230
 virtio_transport_release+0x4e7/0x7f0
 __vsock_release+0xfd/0x490
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x35e/0xa90
 __x64_sys_close+0x78/0xd0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Reported-by: syzbot+9d55b199192a4be7d02c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9d55b199192a4be7d02c
Fixes: fcdd2242c0 ("vsock: Keep the binding until socket destruction")
Tested-by: Luigi Leonardi <leonardi@redhat.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Link: https://patch.msgid.link/20250210-vsock-linger-nullderef-v3-1-ef6244d02b54@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-02-12 20:01:28 -08:00
6lowpan
9p net/9p/usbg: allow building as standalone module 2024-11-22 23:48:14 +09:00
802 net: 802: LLC+SNAP OID:PID lookup on start of skb data 2025-01-04 08:06:24 -08:00
8021q net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
appletalk net: appletalk: Drop aarp_send_probe_phase1() 2025-01-20 10:08:19 +00:00
atm
ax25 ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt 2025-02-06 17:02:40 -08:00
batman-adv Here are some batman-adv bugfixes: 2025-02-11 10:39:46 +01:00
bluetooth First batch of fixes for 6.14. Nothing really stands out, 2025-01-30 12:24:20 -08:00
bpf bpf-next-6.14 2025-01-23 08:04:07 -08:00
bridge netfilter: br_netfilter: remove unused conditional and dead code 2025-01-19 16:41:52 +01:00
caif
can can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero 2025-02-08 11:28:57 +01:00
ceph ceph: allocate sparse_ext map only for sparse reads 2024-12-16 23:25:44 +01:00
core neighbour: use RCU protection in __neigh_notify() 2025-02-10 18:09:09 -08:00
dcb
dccp sysctl net: Remove macro checks for CONFIG_SYSCTL 2025-01-20 12:01:34 -08:00
devlink devlink: Improve the port attributes description 2025-01-02 17:10:57 -08:00
dns_resolver
dsa Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
ethernet
ethtool net: ethtool: tsconfig: Fix netlink type of hwtstamp flags 2025-02-06 16:35:21 -08:00
handshake module: Convert symbol namespace to string literal 2024-12-02 11:34:44 -08:00
hsr First batch of fixes for 6.14. Nothing really stands out, 2025-01-30 12:24:20 -08:00
ieee802154 net: convert to nla_get_*_default() 2024-11-11 10:32:06 -08:00
ife
ipv4 arp: use RCU protection in arp_xmit() 2025-02-10 18:09:09 -08:00
ipv6 ipv6: mcast: extend RCU protection in igmp6_send() 2025-02-10 18:09:10 -08:00
iucv s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() 2024-11-26 10:02:53 +01:00
kcm
key xfrm: Add support for per cpu xfrm state handling. 2024-10-29 11:56:00 +01:00
l2tp l2tp: Use inet_sk_init_flowi4() in l2tp_ip_sendmsg(). 2024-12-20 13:50:09 -08:00
l3mdev
lapb
llc sysctl net: Remove macro checks for CONFIG_SYSCTL 2025-01-20 12:01:34 -08:00
mac80211 Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-01-09 16:11:47 -08:00
mctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-12-19 11:35:07 -08:00
mpls
mptcp mptcp: blackhole only if 1st SYN retrans w/o MPC is accepted 2025-01-30 14:02:19 +01:00
ncsi net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling 2025-01-27 09:20:07 +00:00
netfilter First batch of fixes for 6.14. Nothing really stands out, 2025-01-30 12:24:20 -08:00
netlabel net: corrections for security_secid_to_secctx returns 2025-01-04 22:11:22 -05:00
netlink net: netlink: catch attempts to send empty messages 2024-12-19 18:06:28 -08:00
netrom netrom: check buffer length before accessing it 2024-12-23 10:04:55 -08:00
nfc NFC: nci: Add bounds checking in nci_hci_create_pipe() 2025-01-22 19:39:27 -08:00
nsh
openvswitch openvswitch: use RCU protection in ovs_vport_cmd_fill_info() 2025-02-10 18:09:09 -08:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-01-03 16:29:29 -08:00
phonet phonet: do not call synchronize_rcu() from phonet_route_del() 2024-11-07 20:34:16 -08:00
psample psample: adjust size if rate_as_probability is set 2024-12-18 19:23:04 -08:00
qrtr
rds rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy 2025-01-09 08:53:35 -08:00
rfkill Get rid of 'remove_new' relic from platform driver struct 2024-12-01 15:12:43 -08:00
rose net: rose: lock the socket in rose_bind() 2025-02-04 14:03:58 -08:00
rxrpc rxrpc: Fix alteration of headers whilst zerocopy pending 2025-02-11 16:53:41 -08:00
sched netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() 2025-02-05 18:14:46 -08:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-01-09 16:11:47 -08:00
shaper net: add netdev_lock() / netdev_unlock() helpers 2025-01-15 19:13:33 -08:00
smc net/smc: fix data error when recvmsg with MSG_PEEK flag 2025-01-13 18:59:00 -08:00
strparser
sunrpc assorted stuff for this merge window 2025-02-01 15:07:56 -08:00
switchdev
tipc tipc: re-order conditions in tipc_crypto_key_rcv() 2025-01-20 12:18:26 +00:00
tls tls: skip setting sk_write_space on rekey 2025-01-10 18:34:45 -08:00
unix af_unix: Use consume_skb() in connect() and sendmsg(). 2025-01-20 11:27:42 -08:00
vmw_vsock vsock: Orphan socket after transport release 2025-02-12 20:01:28 -08:00
wireless Driver core and debugfs updates 2025-01-28 12:25:12 -08:00
x25
xdp xsk: Bring back busy polling support 2025-01-10 18:07:56 -08:00
xfrm ipsec-2025-01-27 2025-01-27 15:15:12 -08:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c socket: Remove unused kernel_sendmsg_locked 2025-01-14 17:29:04 -08:00
sysctl_net.c