From: "Michael S. Tsirkin" <mst@redhat.com>
To: Stefano Garzarella <sgarzare@redhat.com>
Cc: netdev@vger.kernel.org, "Simon Horman" <horms@kernel.org>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
linux-kernel@vger.kernel.org,
"Eric Dumazet" <edumazet@google.com>,
"Xuan Zhuo" <xuanzhuo@linux.alibaba.com>,
"Wongi Lee" <qwerty@theori.io>,
"David S. Miller" <davem@davemloft.net>,
"Paolo Abeni" <pabeni@redhat.com>,
"Jason Wang" <jasowang@redhat.com>,
"Bobby Eshleman" <bobby.eshleman@bytedance.com>,
virtualization@lists.linux.dev,
"Eugenio Pérez" <eperezma@redhat.com>,
"Luigi Leonardi" <leonardi@redhat.com>,
bpf@vger.kernel.org, "Jakub Kicinski" <kuba@kernel.org>,
"Hyunwoo Kim" <v4bel@theori.io>, "Michal Luczaj" <mhal@rbox.co>,
kvm@vger.kernel.org
Subject: Re: [PATCH net 2/2] vsock/bpf: return early if transport is not assigned
Date: Thu, 9 Jan 2025 04:07:03 -0500
Message-ID: <20250109040628-mutt-send-email-mst@kernel.org>
In-Reply-To: <20250108180617.154053-3-sgarzare@redhat.com>
On Wed, Jan 08, 2025 at 07:06:17PM +0100, Stefano Garzarella wrote:
> Some of the core functions can only be called if the transport
> has been assigned.
>
> As Michal reported, a socket might have the transport at NULL,
> for example after a failed connect(), causing the following trace:
>
> BUG: kernel NULL pointer dereference, address: 00000000000000a0
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
> Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
> RIP: 0010:vsock_connectible_has_data+0x1f/0x40
> Call Trace:
> vsock_bpf_recvmsg+0xca/0x5e0
> sock_recvmsg+0xb9/0xc0
> __sys_recvfrom+0xb3/0x130
> __x64_sys_recvfrom+0x20/0x30
> do_syscall_64+0x93/0x180
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> So we need to check the `vsk->transport` in vsock_bpf_recvmsg(),
> especially for connected sockets (stream/seqpacket) as we already
> do in __vsock_connectible_recvmsg().
>
> Fixes: 634f1a7110b4 ("vsock: support sockmap")
> Reported-by: Michal Luczaj <mhal@rbox.co>
> Closes: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> net/vmw_vsock/vsock_bpf.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/net/vmw_vsock/vsock_bpf.c b/net/vmw_vsock/vsock_bpf.c
> index 4aa6e74ec295..f201d9eca1df 100644
> --- a/net/vmw_vsock/vsock_bpf.c
> +++ b/net/vmw_vsock/vsock_bpf.c
> @@ -77,6 +77,7 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> size_t len, int flags, int *addr_len)
> {
> struct sk_psock *psock;
> + struct vsock_sock *vsk;
> int copied;
>
> psock = sk_psock_get(sk);
> @@ -84,6 +85,13 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> return __vsock_recvmsg(sk, msg, len, flags);
>
> lock_sock(sk);
> + vsk = vsock_sk(sk);
> +
> + if (!vsk->transport) {
> + copied = -ENODEV;
> + goto out;
> + }
> +
> if (vsock_has_data(sk, psock) && sk_psock_queue_empty(psock)) {
> release_sock(sk);
> sk_psock_put(sk, psock);
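Review bot: The `if (!vsk->transport)` check after `lock_sock(sk)` has no comment saying why the transport can be NULL here; a one-line comment pointing at the failed connect() case from the commit message would help, since the check applies to every socket type while the message motivates it for stream/seqpacket. The check is made once under the socket lock, and the code between this hunk and `out:` is only partly visible, so it is worth confirming that no later call into the transport happens after the lock has been dropped and retaken. The earlier `return __vsock_recvmsg(sk, msg, len, flags);` path is not covered by this check and relies on the one in __vsock_connectible_recvmsg() that the commit message refers to.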
> @@ -108,6 +116,7 @@ static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
> copied = sk_msg_recvmsg(sk, psock, msg, len, flags);
> }
>
> +out:
> release_sock(sk);
> sk_psock_put(sk, psock);
>
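Review bot: The return statement that follows the new `out:` label is outside this hunk; confirm it returns `copied`, so that the -ENODEV set on the early exit reaches the caller. Placing the label before `release_sock(sk)` and `sk_psock_put(sk, psock)` does balance the `lock_sock(sk)` and `sk_psock_get(sk)` taken earlier in the function.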
> --
> 2.47.1