Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/net
History
Michal Luczaj cf919ca7db virtio/vsock: Fix accept_queue memory leak 
commit d7b0ff5a866724c3ad21f2628c22a63336deec3f upstream.

As the final stages of socket destruction may be delayed, it is possible
that virtio_transport_recv_listen() will be called after the accept_queue
has been flushed, but before the SOCK_DONE flag has been set. As a result,
sockets enqueued after the flush would remain unremoved, leading to a
memory leak.

vsock_release
  __vsock_release
    lock
    virtio_transport_release
      virtio_transport_close
        schedule_delayed_work(close_work)
    sk_shutdown = SHUTDOWN_MASK
(!) flush accept_queue
    release
                                        virtio_transport_recv_pkt
                                          vsock_find_bound_socket
                                          lock
                                          if flag(SOCK_DONE) return
                                          virtio_transport_recv_listen
                                            child = vsock_create_connected
                                      (!)   vsock_enqueue_accept(child)
                                          release
close_work
  lock
  virtio_transport_do_close
    set_flag(SOCK_DONE)
    virtio_transport_remove_sock
      vsock_remove_sock
        vsock_remove_bound
  release

Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
socket destruction.

unreferenced object 0xffff888109e3f800 (size 2040):
  comm "kworker/5:2", pid 371, jiffies 4294940105
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
  backtrace (crc 9e5f4e84):
    [<ffffffff81418ff1>] kmem_cache_alloc_noprof+0x2c1/0x360
    [<ffffffff81d27aa0>] sk_prot_alloc+0x30/0x120
    [<ffffffff81d2b54c>] sk_alloc+0x2c/0x4b0
    [<ffffffff81fe049a>] __vsock_create.constprop.0+0x2a/0x310
    [<ffffffff81fe6d6c>] virtio_transport_recv_pkt+0x4dc/0x9a0
    [<ffffffff81fe745d>] vsock_loopback_work+0xfd/0x140
    [<ffffffff810fc6ac>] process_one_work+0x20c/0x570
    [<ffffffff810fce3f>] worker_thread+0x1bf/0x3a0
    [<ffffffff811070dd>] kthread+0xdd/0x110
    [<ffffffff81044fdd>] ret_from_fork+0x2d/0x50
    [<ffffffff8100785a>] ret_from_fork_asm+0x1a/0x30

Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Adapted due to missing commit 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") ]
Signed-off-by: Tomas Krcka <krckatom@amazon.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-01-02 17:00:49 +01:00
..
6lowpan
9p 9p/xen: fix release of IRQ 2024-12-17 13:24:22 +01:00
802
8021q Revert "gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers" 2024-11-24 00:23:41 +01:00
appletalk
atm
ax25 Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
batman-adv batman-adv: fix random jitter calculation 2024-11-19 17:55:48 +01:00
bluetooth Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create() 2024-12-17 13:24:30 +01:00
bpf
bpfilter
bridge net: bridge: xmit: make sure we have at least eth header len bytes 2024-11-30 02:33:25 +01:00
caif
can net: af_can: do not leave a dangling sk pointer in can_create() 2024-12-17 13:24:30 +01:00
ceph libceph: fix race between delayed_work() and ceph_monc_stop() 2024-11-19 14:19:45 +01:00
core bpf, sockmap: Fix update element with same 2025-01-02 17:00:49 +01:00
dcb
dccp dccp: Fix memory leak in dccp_feat_change_recv 2024-12-17 13:24:26 +01:00
decnet
dns_resolver
dsa
ethernet Revert "gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers" 2024-11-24 00:23:41 +01:00
ethtool ethtool: Fix wrong mod state in case of verbose and no_mask bitset 2024-12-17 13:24:27 +01:00
hsr net: hsr: avoid potential out-of-bound access in fill_frame_info() 2024-12-17 13:24:26 +01:00
ieee802154 net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() 2024-12-17 13:24:30 +01:00
ife
ipv4 tcp: check space before adding MPTCP SYN options 2025-01-02 17:00:49 +01:00
ipv6 Revert "tcp: add accessors to read/set tp->snd_cwnd" 2024-12-18 15:30:18 +01:00
iucv Revert "net/iucv: fix use after free in iucv_sock_close()" 2024-11-24 00:23:55 +01:00
kcm kcm: Serialise kcm_sendmsg() for the same socket. 2024-11-23 23:20:48 +01:00
key
l2tp genetlink: hold RCU in genlmsg_mcast() 2024-11-23 23:21:59 +01:00
l3mdev net: Add l3mdev index to flow struct and avoid oif reset for port devices 2024-11-23 23:21:52 +01:00
lapb
llc
mac80211 mac80211: fix user-power when emulating chanctx 2024-12-17 13:23:57 +01:00
mac802154 Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()" 2024-11-19 14:52:14 +01:00
mpls
mptcp Revert "mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size" 2024-11-24 00:23:53 +01:00
ncm
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-11-19 14:19:00 +01:00
netfilter netfilter: nft_set_hash: skip duplicated elements pending gc run 2024-12-17 13:24:26 +01:00
netlabel
netlink netlink: terminate outstanding dump on socket close 2024-12-17 13:20:50 +01:00
netrom Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
nfc nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() 2024-11-19 12:27:10 +01:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-11-19 11:32:42 +01:00
openvswitch openvswitch: Set the skbuff pkt_type for proper pmtud support. 2024-11-19 12:27:09 +01:00
packet af_packet: avoid erroring out after sock_init_data() in packet_create() 2024-12-17 13:24:30 +01:00
phonet Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
psample
qrtr Revert "net: qrtr: Update packets cloning when broadcasting" 2024-11-24 00:23:18 +01:00
rds Revert "net:rds: Fix possible deadlock in rds_message_put" 2024-11-24 00:23:49 +01:00
rfkill net: rfkill: gpio: Add check for clk_enable() 2024-12-17 13:24:07 +01:00
rose Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
rxrpc
sched net/sched: cbs: Fix integer overflow in cbs_set_port_rate() 2024-12-17 13:24:30 +01:00
sctp Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
skb_tracer
smc Revert "net/smc: Allow SMC-D 1MB DMB allocations" 2024-11-24 00:23:56 +01:00
strparser
sunrpc sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport 2024-12-17 13:24:23 +01:00
switchdev
tipc tipc: Fix use-after-free of kernel socket in cleanup_bearer(). 2024-12-17 13:24:26 +01:00
tls tls: fix missing memory barrier in tls_init 2024-11-19 12:27:09 +01:00
unix Revert "af_unix: Remove put_pid()/put_cred() in copy_peercred()." 2024-11-24 00:23:43 +01:00
vmw_vsock virtio/vsock: Fix accept_queue memory leak 2025-01-02 17:00:49 +01:00
wimax
wireless Revert "wifi: nl80211: don't give key data to userspace" 2024-11-24 00:23:55 +01:00
x25 Revert "Make more sysctl constants read-only" 2024-12-03 19:56:17 +01:00
xdp xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING 2024-11-19 11:32:19 +01:00
xfrm xfrm: store and rely on direction to construct offload flags 2024-12-17 13:24:04 +01:00
compat.c
devres.c
Kconfig
Makefile
socket.c
sysctl_net.c
TEST_MAPPING