vsock: Orphan socket after transport release
During socket release, sock_orphan() is called without considering that it sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a null pointer dereferenced in virtio_transport_wait_close(). Orphan the socket only after transport release. Partially reverts the 'Fixes:' commit. KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] lock_acquire+0x19e/0x500 _raw_spin_lock_irqsave+0x47/0x70 add_wait_queue+0x46/0x230 virtio_transport_release+0x4e7/0x7f0 __vsock_release+0xfd/0x490 vsock_release+0x90/0x120 __sock_release+0xa3/0x250 sock_close+0x14/0x20 __fput+0x35e/0xa90 __x64_sys_close+0x78/0xd0 do_syscall_64+0x93/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Reported-by:<syzbot+9d55b199192a4be7d02c@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=9d55b199192a4be7d02c Fixes: fcdd2242 ("vsock: Keep the binding until socket destruction") Tested-by:
Luigi Leonardi <leonardi@redhat.com> Reviewed-by:
Michal Luczaj <mhal@rbox.co> Link: https://patch.msgid.link/20250210-vsock-linger-nullderef-v3-1-ef6244d02b54@rbox.co Signed-off-by:
Jakub Kicinski <kuba@kernel.org>
Loading
-
mentioned in commit f0826289
-
mentioned in commit 23481453
-
mentioned in commit 41c8e1be
-
mentioned in commit 7a6b3bdf
-
mentioned in commit ce77b958
-
mentioned in commit 2387d220
-
mentioned in commit 075eb84d
-
mentioned in commit d9cd1874
-
mentioned in commit 38e15ed7
-
mentioned in commit 970b7d77
-
mentioned in commit 208cef3e
-
mentioned in commit e99cf82c
-
mentioned in commit 98df49b0
-
mentioned in commit 71693a3d
-
mentioned in commit 6557166a
-
mentioned in commit 7460bfac
-
mentioned in commit 0f3cba28
-
mentioned in commit 971ed8e6
-
mentioned in commit aa3c957a
-
mentioned in commit bf0a81a7
-
mentioned in commit 285aaeeb
-
mentioned in commit 527617f4
-
mentioned in commit d9f9b360
-
mentioned in commit 956d8c1a
-
mentioned in commit c4064751
-
mentioned in commit 06237d12
-
mentioned in commit dd596d0c
-
mentioned in commit 8f7f6099
-
mentioned in commit 9eeb7214
-
mentioned in commit bedab455
-
mentioned in commit c920d985
-
mentioned in commit 878e157a
-
mentioned in commit f0a0e93f
-
mentioned in commit 38c770fa
-
mentioned in commit 197c2df8
-
mentioned in commit 66ed62e8
-
mentioned in commit 2f346740
-
mentioned in commit 47a07e28
-
mentioned in commit c421116a
-
mentioned in commit e4ce6196
-
mentioned in commit a63a6494
-
mentioned in commit a4ea0468
-
mentioned in commit 213d628e
-
mentioned in commit cd0ebcd1
-
mentioned in commit 631e00fd
-
mentioned in commit 53d6743c
-
mentioned in commit eb5422d1
-
mentioned in commit 016d7e02
-
mentioned in commit cfb990a1
-
mentioned in commit 4cf5364f
-
mentioned in commit 9327bd95
-
mentioned in commit e105df01
-
mentioned in commit 879723aa
Please sign in to comment