vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit
bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:

    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
    2. transport->release() calls vsock_remove_bound() without checking if
       sk was bound and moved to bound list (refcnt=1)
    3. vsock_bind() assumes sk is in unbound list and before
       __vsock_insert_bound(vsock_bound_sockets()) calls
       __vsock_remove_bound() which does:
           list_del_init(&vsk->bound_table); // nop
           sock_put(&vsk->sk);               // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
dump_stack_lvl+0x68/0x90
print_report+0x174/0x4f6
kasan_report+0xb9/0x190
__vsock_bind+0x62e/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Allocated by task 2057:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x85/0x90
kmem_cache_alloc_noprof+0x131/0x450
sk_prot_alloc+0x5b/0x220
sk_alloc+0x2c/0x870
__vsock_create.constprop.0+0x2e/0xb60
vsock_create+0xe4/0x420
__sock_create+0x241/0x650
__sys_socket+0xf2/0x1a0
__x64_sys_socket+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 2057:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kmem_cache_free+0x1a1/0x590
__sk_destruct+0x388/0x5a0
__vsock_bind+0x5e1/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
__vsock_bind+0x66d/0x730
vsock_bind+0x97/0xe0
__sys_bind+0x154/0x1f0
__x64_sys_bind+0x6e/0xb0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
vsock_remove_bound+0x187/0x1e0
__vsock_release+0x383/0x4a0
vsock_release+0x90/0x120
__sock_release+0xa3/0x250
sock_close+0x14/0x20
__fput+0x359/0xa80
task_work_run+0x107/0x1d0
do_exit+0x847/0x2560
do_group_exit+0xb8/0x250
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0xfec/0x14f0
do_syscall_64+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: c0cfa2d8 ("vsock: add multi-transports support")
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-1-1cf57065b770@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
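
Added example, not part of the commit or the kernel sources: a userspace model of the reference accounting in steps 1-3 of the commit message, run once with the pre-fix release behaviour and once with the binding kept until close. The struct, the model_* helpers and run_sequence() are hypothetical names; the "node is on some list" guard in model_remove_bound() is a modelling assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: names prefixed model_ are hypothetical, not kernel API. */
struct model_sk {
    int  refcnt;   /* stands in for the socket refcount */
    bool linked;   /* bound_table node sits on the unbound or bound list */
    bool freed;    /* refcount reached 0, object released */
    int  bad_ops;  /* refcount operations on an already freed object */
};

static void model_hold(struct model_sk *s) { if (s->freed) s->bad_ops++; s->refcnt++; }
static void model_put(struct model_sk *s)
{
    if (s->freed) { s->bad_ops++; return; }
    if (--s->refcnt == 0) s->freed = true;
}

/* vsock_remove_bound(): assumed guarded only by "node is on some list". */
static void model_remove_bound(struct model_sk *s)
{
    if (s->linked) { s->linked = false; model_put(s); }
}

/* keep_binding=false models the pre-fix release; true models the fix. */
struct model_sk run_sequence(bool keep_binding)
{
    struct model_sk s = { .refcnt = 1 };       /* step 1: vsock_create() */
    s.linked = true; model_hold(&s);           /* vsock_insert_unbound() */

    if (!keep_binding)                         /* step 2: transport->release() */
        model_remove_bound(&s);

    s.linked = false; model_put(&s);           /* step 3: __vsock_remove_bound() */
    s.linked = true;  model_hold(&s);          /*         __vsock_insert_bound() */

    model_remove_bound(&s);                    /* close: binding dropped here */
    model_put(&s);                             /* creator's reference */
    return s;
}

int main(void)
{
    struct model_sk pre = run_sequence(false), post = run_sequence(true);
    printf("pre-fix:  bad_ops=%d\n", pre.bad_ops);
    printf("post-fix: bad_ops=%d freed=%d\n", post.bad_ops, post.freed);
    return 0;
}
```

In the pre-fix run the three counted operations line up with the three reports in the commit message: the hold on a freed object during bind, then the two puts at close.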