From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Stefano Garzarella <sgarzare@redhat.com>,
Michal Luczaj <mhal@rbox.co>, Paolo Abeni <pabeni@redhat.com>,
Tomas Krcka <krckatom@amazon.de>
Subject: [PATCH 5.15 16/51] virtio/vsock: Fix accept_queue memory leak
Date: Tue, 17 Dec 2024 18:07:09 +0100 [thread overview]
Message-ID: <20241217170520.968739469@linuxfoundation.org> (raw)
In-Reply-To: <20241217170520.301972474@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
commit d7b0ff5a866724c3ad21f2628c22a63336deec3f upstream.
As the final stages of socket destruction may be delayed, it is possible
that virtio_transport_recv_listen() will be called after the accept_queue
has been flushed, but before the SOCK_DONE flag has been set. As a result,
sockets enqueued after the flush would remain unremoved, leading to a
memory leak.
vsock_release
__vsock_release
lock
virtio_transport_release
virtio_transport_close
schedule_delayed_work(close_work)
sk_shutdown = SHUTDOWN_MASK
(!) flush accept_queue
release
virtio_transport_recv_pkt
vsock_find_bound_socket
lock
if flag(SOCK_DONE) return
virtio_transport_recv_listen
child = vsock_create_connected
(!) vsock_enqueue_accept(child)
release
close_work
lock
virtio_transport_do_close
set_flag(SOCK_DONE)
virtio_transport_remove_sock
vsock_remove_sock
vsock_remove_bound
release
Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
socket destruction.
unreferenced object 0xffff888109e3f800 (size 2040):
comm "kworker/5:2", pid 371, jiffies 4294940105
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............
backtrace (crc 9e5f4e84):
[<ffffffff81418ff1>] kmem_cache_alloc_noprof+0x2c1/0x360
[<ffffffff81d27aa0>] sk_prot_alloc+0x30/0x120
[<ffffffff81d2b54c>] sk_alloc+0x2c/0x4b0
[<ffffffff81fe049a>] __vsock_create.constprop.0+0x2a/0x310
[<ffffffff81fe6d6c>] virtio_transport_recv_pkt+0x4dc/0x9a0
[<ffffffff81fe745d>] vsock_loopback_work+0xfd/0x140
[<ffffffff810fc6ac>] process_one_work+0x20c/0x570
[<ffffffff810fce3f>] worker_thread+0x1bf/0x3a0
[<ffffffff811070dd>] kthread+0xdd/0x110
[<ffffffff81044fdd>] ret_from_fork+0x2d/0x50
[<ffffffff8100785a>] ret_from_fork_asm+0x1a/0x30
Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Adapted due to missing commit 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") ]
Signed-off-by: Tomas Krcka <krckatom@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/virtio_transport_common.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1196,6 +1196,14 @@ virtio_transport_recv_listen(struct sock
return -ENOMEM;
}
+ /* __vsock_release() might have already flushed accept_queue.
+ * Subsequent enqueues would lead to a memory leak.
+ */
+ if (sk->sk_shutdown == SHUTDOWN_MASK) {
+ virtio_transport_reset_no_sock(t, pkt);
+ return -ESHUTDOWN;
+ }
+
child = vsock_create_connected(sk);
if (!child) {
virtio_transport_reset_no_sock(t, pkt);
next prev parent reply other threads:[~2024-12-17 17:14 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-17 17:06 [PATCH 5.15 00/51] 5.15.175-rc1 review Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 01/51] tcp: check space before adding MPTCP SYN options Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 02/51] ALSA: usb-audio: Add implicit feedback quirk for Yamaha THR5 Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 03/51] usb: host: max3421-hcd: Correctly abort a USB request Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 04/51] ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 05/51] usb: dwc2: Fix HCD resume Greg Kroah-Hartman
2024-12-17 17:06 ` [PATCH 5.15 06/51] usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 07/51] usb: dwc2: Fix HCD port connection race Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 08/51] usb: ehci-hcd: fix call balance of clocks handling routines Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 09/51] usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 10/51] drm/i915: Fix memory leak by correcting cache object name in error handler Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 11/51] xfs: update btree keys correctly when _insrec splits an inode root block Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 12/51] xfs: dont drop errno values when we fail to ficlone the entire range Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 13/51] xfs: return from xfs_symlink_verify early on V4 filesystems Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 14/51] xfs: fix scrub tracepoints when inode-rooted btrees are involved Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 15/51] bpf, sockmap: Fix update element with same Greg Kroah-Hartman
2024-12-17 17:07 ` Greg Kroah-Hartman [this message]
2024-12-17 17:07 ` [PATCH 5.15 17/51] exfat: fix potential deadlock on __exfat_get_dentry_set Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 18/51] acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 19/51] batman-adv: Do not send uninitialized TT changes Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 20/51] batman-adv: Remove uninitialized data in full table TT response Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 21/51] batman-adv: Do not let TT changes list grows indefinitely Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 22/51] tipc: fix NULL deref in cleanup_bearer() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 23/51] selftests: mlxsw: sharedbuffer: Remove h1 ingress test case Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 24/51] selftests: mlxsw: sharedbuffer: Remove duplicate test cases Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 25/51] ptp: kvm: Use decrypted memory in confidential guest on x86 Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 26/51] ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from kvm_arch_ptp_init() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 27/51] net: lapb: increase LAPB_HEADER_LEN Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 28/51] net: sparx5: fix FDMA performance issue Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 29/51] net: sparx5: fix the maximum frame length register Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 30/51] ACPI: resource: Fix memory resource type union access Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 31/51] cxgb4: use port number to set mac addr Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 32/51] qca_spi: Fix clock speed for multiple QCA7000 Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 33/51] qca_spi: Make driver probing reliable Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 34/51] Documentation: PM: Clarify pm_runtime_resume_and_get() return value Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 35/51] net/sched: netem: account for backlog updates from child qdisc Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 36/51] bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 37/51] team: " Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 38/51] ACPICA: events/evxfregn: dont release the ContextMutex that was never acquired Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 39/51] blk-iocost: Avoid using clamp() on inuse in __propagate_weights() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 40/51] bpf: sync_linked_regs() must preserve subreg_def Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 41/51] tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe() Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 42/51] Revert "parisc: fix a possible DMA corruption" Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 43/51] xen/netfront: fix crash when removing device Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 44/51] x86: make get_cpu_vendor() accessible from Xen code Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 45/51] objtool/x86: allow syscall instruction Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 46/51] x86/static-call: provide a way to do very early static-call updates Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 47/51] x86/xen: dont do PV iret hypercall through hypercall page Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 48/51] x86/xen: add central hypercall functions Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 49/51] x86/xen: use new hypercall functions instead of hypercall page Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 50/51] x86/xen: remove " Greg Kroah-Hartman
2024-12-17 17:07 ` [PATCH 5.15 51/51] ALSA: usb-audio: Fix a DMA to stack memory bug Greg Kroah-Hartman
2024-12-17 19:42 ` [PATCH 5.15 00/51] 5.15.175-rc1 review Florian Fainelli
2024-12-17 23:06 ` Shuah Khan
2024-12-18 7:03 ` Ron Economos
2024-12-18 12:38 ` Mark Brown
2024-12-18 17:20 ` Jon Hunter
2024-12-18 17:50 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241217170520.968739469@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=krckatom@amazon.de \
--cc=mhal@rbox.co \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=sgarzare@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox