From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Stefano Garzarella <sgarzare@redhat.com>,
Michal Luczaj <mhal@rbox.co>, Jakub Kicinski <kuba@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 09/88] vsock: Fix transport_{g2h,h2g} TOCTOU
Date: Tue, 15 Jul 2025 15:13:45 +0200 [thread overview]
Message-ID: <20250715130754.881089744@linuxfoundation.org> (raw)
In-Reply-To: <20250715130754.497128560@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit 209fd720838aaf1420416494c5505096478156b4 ]
vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload.
transport_{g2h,h2g} may become NULL after the NULL check.
Introduce vsock_transport_local_cid() to protect from a potential
null-ptr-deref.
KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
RIP: 0010:vsock_find_cid+0x47/0x90
Call Trace:
__vsock_bind+0x4b2/0x720
vsock_bind+0x90/0xe0
__sys_bind+0x14d/0x1e0
__x64_sys_bind+0x6e/0xc0
do_syscall_64+0x92/0x1c0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0
Call Trace:
__x64_sys_ioctl+0x12d/0x190
do_syscall_64+0x92/0x1c0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-1-98f0eb530747@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/af_vsock.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index a2271da346d34..42b5ff148d80b 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -527,9 +527,25 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
}
EXPORT_SYMBOL_GPL(vsock_assign_transport);
+/*
+ * Provide safe access to static transport_{h2g,g2h,dgram,local} callbacks.
+ * Otherwise we may race with module removal. Do not use on `vsk->transport`.
+ */
+static u32 vsock_registered_transport_cid(const struct vsock_transport **transport)
+{
+ u32 cid = VMADDR_CID_ANY;
+
+ mutex_lock(&vsock_register_mutex);
+ if (*transport)
+ cid = (*transport)->get_local_cid();
+ mutex_unlock(&vsock_register_mutex);
+
+ return cid;
+}
+
bool vsock_find_cid(unsigned int cid)
{
- if (transport_g2h && cid == transport_g2h->get_local_cid())
+ if (cid == vsock_registered_transport_cid(&transport_g2h))
return true;
if (transport_h2g && cid == VMADDR_CID_HOST)
@@ -2320,18 +2336,17 @@ static long vsock_dev_do_ioctl(struct file *filp,
unsigned int cmd, void __user *ptr)
{
u32 __user *p = ptr;
- u32 cid = VMADDR_CID_ANY;
int retval = 0;
+ u32 cid;
switch (cmd) {
case IOCTL_VM_SOCKETS_GET_LOCAL_CID:
/* To be compatible with the VMCI behavior, we prioritize the
* guest CID instead of well-know host CID (VMADDR_CID_HOST).
*/
- if (transport_g2h)
- cid = transport_g2h->get_local_cid();
- else if (transport_h2g)
- cid = transport_h2g->get_local_cid();
+ cid = vsock_registered_transport_cid(&transport_g2h);
+ if (cid == VMADDR_CID_ANY)
+ cid = vsock_registered_transport_cid(&transport_h2g);
if (put_user(cid, p) != 0)
retval = -EFAULT;
--
2.39.5
next prev parent reply other threads:[~2025-07-15 13:47 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-15 13:13 [PATCH 6.1 00/88] 6.1.146-rc1 review Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 01/88] drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 02/88] platform/x86: ideapad-laptop: use usleep_range() for EC polling Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 03/88] ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 04/88] perf: Revert to requiring CAP_SYS_ADMIN for uprobes Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 05/88] Bluetooth: hci_sync: Fix not disabling advertising instance Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 06/88] fix proc_sys_compare() handling of in-lookup dentries Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 07/88] netlink: Fix wraparounds of sk->sk_rmem_alloc Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 08/88] tipc: Fix use-after-free in tipc_conn_close() Greg Kroah-Hartman
2025-07-15 13:13 ` Greg Kroah-Hartman [this message]
2025-07-15 13:13 ` [PATCH 6.1 10/88] vsock: Fix transport_* TOCTOU Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 11/88] vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local` Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 12/88] net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 13/88] net: phy: smsc: Fix link failure in forced mode with Auto-MDIX Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 14/88] atm: clip: Fix potential null-ptr-deref in to_atmarpd() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 15/88] atm: clip: Fix memory leak of struct clip_vcc Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 16/88] atm: clip: Fix infinite recursive call of clip_push() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 17/88] atm: clip: Fix NULL pointer dereference in vcc_sendmsg() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 18/88] net/sched: Abort __tc_modify_qdisc if parent class does not exist Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 19/88] maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 20/88] rxrpc: Fix oops due to non-existence of prealloc backlog struct Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 21/88] x86/boot: Compile boot code with -std=gnu11 too Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 22/88] ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() Greg Kroah-Hartman
2025-07-15 13:13 ` [PATCH 6.1 23/88] x86/mce/amd: Fix threshold limit reset Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 24/88] x86/mce: Dont remove sysfs if thresholding sysfs init fails Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 25/88] x86/mce: Make sure CMCI banks are cleared during shutdown on Intel Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 26/88] KVM: x86/xen: Allow out of range event channel ports in IRQ routing table Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 27/88] KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 28/88] gre: Fix IPv6 multicast route creation Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 29/88] md/md-bitmap: fix GPF in bitmap_get_stats() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 30/88] pinctrl: qcom: msm: mark certain pins as invalid for interrupts Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 31/88] wifi: prevent A-MSDU attacks in mesh networks Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 32/88] drm/sched: Increment job count before swapping tail spsc queue Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 33/88] drm/ttm: fix error handling in ttm_buffer_object_transfer Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 34/88] drm/gem: Fix race in drm_gem_handle_create_tail() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 35/88] usb: gadget: u_serial: Fix race condition in TTY wakeup Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 36/88] Revert "ACPI: battery: negate current when discharging" Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 37/88] kallsyms: fix build without execinfo Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 38/88] maple_tree: fix mt_destroy_walk() on root leaf node Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 39/88] pwm: mediatek: Ensure to disable clocks in error path Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 40/88] smb: server: make use of rdma_destroy_qp() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 41/88] ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 42/88] netlink: Fix rmem check in netlink_broadcast_deliver() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 43/88] netlink: make sure we allow at least one dump skb Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 44/88] fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 45/88] btrfs: propagate last_unlink_trans earlier when doing a rmdir Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 46/88] xhci: Allow RPM on the USB controller (1022:43f7) by default Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 47/88] usb: xhci: quirk for data loss in ISOC transfers Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 48/88] Input: xpad - support Acer NGR 200 Controller Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 49/88] usb:cdnsp: remove TRB_FLUSH_ENDPOINT command Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 50/88] usb: cdnsp: Replace snprintf() with the safer scnprintf() variant Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 51/88] usb: cdnsp: Fix issue with CV Bad Descriptor test Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 52/88] usb: dwc3: Abort suspend on soft disconnect failure Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 53/88] platform/x86: think-lmi: Fix sysfs group cleanup Greg Kroah-Hartman
2025-07-15 18:34 ` Kurt Borja
2025-07-15 19:06 ` Sasha Levin
2025-07-15 13:14 ` [PATCH 6.1 54/88] wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 55/88] drm/tegra: nvdec: Fix dma_alloc_coherent error check Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 56/88] md/raid1: Fix stack memory use after return in raid1_reshape Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 57/88] raid10: cleanup memleak at raid10_make_request Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 58/88] nbd: fix uaf in nbd_genl_connect() error path Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 59/88] erofs: remove the member readahead from struct z_erofs_decompress_frontend Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 60/88] erofs: clean up z_erofs_pcluster_readmore() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 61/88] erofs: allocate extra bvec pages directly instead of retrying Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 62/88] erofs: avoid on-stack pagepool directly passed by arguments Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 63/88] erofs: adapt folios for z_erofs_read_folio() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 64/88] erofs: fix to add missing tracepoint in erofs_read_folio() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 65/88] netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 66/88] net: appletalk: Fix device refcount leak in atrtr_create() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 67/88] ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 68/88] net: phy: microchip: limit 100M workaround to link-down events on LAN88xx Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 69/88] can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 70/88] net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 71/88] bnxt_en: Fix DCB ETS validation Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 72/88] bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 73/88] atm: idt77252: Add missing `dma_map_error()` Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 74/88] um: vector: Reduce stack usage in vector_eth_configure() Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 75/88] ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 76/88] ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100 Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 77/88] net: usb: qmi_wwan: add SIMCom 8230C composition Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 78/88] HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2 Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 79/88] btrfs: fix assertion when building free space tree Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 80/88] vt: add missing notification when switching back to text mode Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 81/88] HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 82/88] HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras Greg Kroah-Hartman
2025-07-15 13:14 ` [PATCH 6.1 83/88] Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID Greg Kroah-Hartman
2025-07-15 13:15 ` [PATCH 6.1 84/88] vhost-scsi: protect vq->log_used with vq->mutex Greg Kroah-Hartman
2025-07-15 13:15 ` [PATCH 6.1 85/88] x86/mm: Disable hugetlb page table sharing on 32-bit Greg Kroah-Hartman
2025-07-15 13:15 ` [PATCH 6.1 86/88] x86: Fix X86_FEATURE_VERW_CLEAR definition Greg Kroah-Hartman
2025-07-15 13:15 ` [PATCH 6.1 87/88] kasan: remove kasan_find_vm_area() to prevent possible deadlock Greg Kroah-Hartman
2025-07-15 13:15 ` [PATCH 6.1 88/88] ksmbd: fix potential use-after-free in oplock/lease break ack Greg Kroah-Hartman
2025-07-15 16:20 ` [PATCH 6.1 00/88] 6.1.146-rc1 review Naresh Kamboju
2025-07-16 14:56 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250715130754.881089744@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=mhal@rbox.co \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=sgarzare@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.