[PATCH 5.15 16/51] virtio/vsock: Fix accept_queue memory leak

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Stefano Garzarella <sgarzare@redhat.com>,
	Michal Luczaj <mhal@rbox.co>, Paolo Abeni <pabeni@redhat.com>,
	Tomas Krcka <krckatom@amazon.de>
Subject: [PATCH 5.15 16/51] virtio/vsock: Fix accept_queue memory leak
Date: Tue, 17 Dec 2024 18:07:09 +0100	[thread overview]
Message-ID: <20241217170520.968739469@linuxfoundation.org> (raw)
In-Reply-To: <20241217170520.301972474@linuxfoundation.org>

5.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Luczaj <mhal@rbox.co>

commit d7b0ff5a866724c3ad21f2628c22a63336deec3f upstream.

As the final stages of socket destruction may be delayed, it is possible
that virtio_transport_recv_listen() will be called after the accept_queue
has been flushed, but before the SOCK_DONE flag has been set. As a result,
sockets enqueued after the flush would remain unremoved, leading to a
memory leak.

vsock_release
  __vsock_release
    lock
    virtio_transport_release
      virtio_transport_close
        schedule_delayed_work(close_work)
    sk_shutdown = SHUTDOWN_MASK
(!) flush accept_queue
    release
                                        virtio_transport_recv_pkt
                                          vsock_find_bound_socket
                                          lock
                                          if flag(SOCK_DONE) return
                                          virtio_transport_recv_listen
                                            child = vsock_create_connected
                                      (!)   vsock_enqueue_accept(child)
                                          release
close_work
  lock
  virtio_transport_do_close
    set_flag(SOCK_DONE)
    virtio_transport_remove_sock
      vsock_remove_sock
        vsock_remove_bound
  release

Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
socket destruction.

unreferenced object 0xffff888109e3f800 (size 2040):
  comm "kworker/5:2", pid 371, jiffies 4294940105
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
  backtrace (crc 9e5f4e84):
    [<ffffffff81418ff1>] kmem_cache_alloc_noprof+0x2c1/0x360
    [<ffffffff81d27aa0>] sk_prot_alloc+0x30/0x120
    [<ffffffff81d2b54c>] sk_alloc+0x2c/0x4b0
    [<ffffffff81fe049a>] __vsock_create.constprop.0+0x2a/0x310
    [<ffffffff81fe6d6c>] virtio_transport_recv_pkt+0x4dc/0x9a0
    [<ffffffff81fe745d>] vsock_loopback_work+0xfd/0x140
    [<ffffffff810fc6ac>] process_one_work+0x20c/0x570
    [<ffffffff810fce3f>] worker_thread+0x1bf/0x3a0
    [<ffffffff811070dd>] kthread+0xdd/0x110
    [<ffffffff81044fdd>] ret_from_fork+0x2d/0x50
    [<ffffffff8100785a>] ret_from_fork_asm+0x1a/0x30

Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Adapted due to missing commit 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") ]
Signed-off-by: Tomas Krcka <krckatom@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/vmw_vsock/virtio_transport_common.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1196,6 +1196,14 @@ virtio_transport_recv_listen(struct sock
 		return -ENOMEM;
 	}
 
+	/* __vsock_release() might have already flushed accept_queue.
+	 * Subsequent enqueues would lead to a memory leak.
+	 */
+	if (sk->sk_shutdown == SHUTDOWN_MASK) {
+		virtio_transport_reset_no_sock(t, pkt);
+		return -ESHUTDOWN;
+	}
+
 	child = vsock_create_connected(sk);
 	if (!child) {
 		virtio_transport_reset_no_sock(t, pkt);

next prev parent reply	other threads:[~2024-12-17 17:14 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-17 17:06 [PATCH 5.15 00/51] 5.15.175-rc1 review Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 01/51] tcp: check space before adding MPTCP SYN options Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 02/51] ALSA: usb-audio: Add implicit feedback quirk for Yamaha THR5 Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 03/51] usb: host: max3421-hcd: Correctly abort a USB request Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 04/51] ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 05/51] usb: dwc2: Fix HCD resume Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 06/51] usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 07/51] usb: dwc2: Fix HCD port connection race Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 08/51] usb: ehci-hcd: fix call balance of clocks handling routines Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 09/51] usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 10/51] drm/i915: Fix memory leak by correcting cache object name in error handler Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 11/51] xfs: update btree keys correctly when _insrec splits an inode root block Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 12/51] xfs: dont drop errno values when we fail to ficlone the entire range Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 13/51] xfs: return from xfs_symlink_verify early on V4 filesystems Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 14/51] xfs: fix scrub tracepoints when inode-rooted btrees are involved Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 15/51] bpf, sockmap: Fix update element with same Greg Kroah-Hartman
2024-12-17 17:07 ` Greg Kroah-Hartman [this message]
2024-12-17 17:07 ` [PATCH 5.15 17/51] exfat: fix potential deadlock on __exfat_get_dentry_set Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 18/51] acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 19/51] batman-adv: Do not send uninitialized TT changes Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 20/51] batman-adv: Remove uninitialized data in full table TT response Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 21/51] batman-adv: Do not let TT changes list grows indefinitely Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 22/51] tipc: fix NULL deref in cleanup_bearer() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 23/51] selftests: mlxsw: sharedbuffer: Remove h1 ingress test case Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 24/51] selftests: mlxsw: sharedbuffer: Remove duplicate test cases Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 25/51] ptp: kvm: Use decrypted memory in confidential guest on x86 Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 26/51] ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from kvm_arch_ptp_init() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 27/51] net: lapb: increase LAPB_HEADER_LEN Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 28/51] net: sparx5: fix FDMA performance issue Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 29/51] net: sparx5: fix the maximum frame length register Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 30/51] ACPI: resource: Fix memory resource type union access Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 31/51] cxgb4: use port number to set mac addr Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 32/51] qca_spi: Fix clock speed for multiple QCA7000 Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 33/51] qca_spi: Make driver probing reliable Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 34/51] Documentation: PM: Clarify pm_runtime_resume_and_get() return value Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 35/51] net/sched: netem: account for backlog updates from child qdisc Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 36/51] bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 37/51] team: " Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 38/51] ACPICA: events/evxfregn: dont release the ContextMutex that was never acquired Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 39/51] blk-iocost: Avoid using clamp() on inuse in __propagate_weights() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 40/51] bpf: sync_linked_regs() must preserve subreg_def Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 41/51] tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 42/51] Revert "parisc: fix a possible DMA corruption" Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 43/51] xen/netfront: fix crash when removing device Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 44/51] x86: make get_cpu_vendor() accessible from Xen code Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 45/51] objtool/x86: allow syscall instruction Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 46/51] x86/static-call: provide a way to do very early static-call updates Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 47/51] x86/xen: dont do PV iret hypercall through hypercall page Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 48/51] x86/xen: add central hypercall functions Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 49/51] x86/xen: use new hypercall functions instead of hypercall page Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 50/51] x86/xen: remove " Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 51/51] ALSA: usb-audio: Fix a DMA to stack memory bug Greg Kroah-Hartman
2024-12-17 19:42 ` [PATCH 5.15 00/51] 5.15.175-rc1 review Florian Fainelli
2024-12-17 23:06 ` Shuah Khan
2024-12-18  7:03 ` Ron Economos
2024-12-18 12:38 ` Mark Brown
2024-12-18 17:20 ` Jon Hunter
2024-12-18 17:50 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241217170520.968739469@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=krckatom@amazon.de \
    --cc=mhal@rbox.co \
    --cc=pabeni@redhat.com \
    --cc=patches@lists.linux.dev \
    --cc=sgarzare@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.