The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
    git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
    git checkout FETCH_HEAD
    git cherry-pick -x 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1
    # <resolve conflicts, build, test, etc.>
    git commit -s
    git send-email --to 'stable@vger.kernel.org' --in-reply-to '2025012005-supervise-armband-ab52@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 Mon Sep 17 00:00:00 2001
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Fri, 10 Jan 2025 09:35:07 +0100
Subject: [PATCH] vsock/virtio: discard packets if the transport changes
If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport.
A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find `vsk->transport` at NULL, leading to a NULL pointer dereference.
Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
Cc: stable@vger.kernel.org
Reported-by: Hyunwoo Kim <v4bel@theori.io>
Reported-by: Wongi Lee <qwerty@theori.io>
Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index 9acc13ab3f82..51a494b69be8 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1628,8 +1628,11 @@ void virtio_transport_recv_pkt(struct virtio_transport *t,
lock_sock(sk);
- /* Check if sk has been closed before lock_sock */ - if (sock_flag(sk, SOCK_DONE)) { + /* Check if sk has been closed or assigned to another transport before + * lock_sock (note: listener sockets are not assigned to any transport) + */ + if (sock_flag(sk, SOCK_DONE) || + (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) { (void)virtio_transport_reset_no_sock(t, skb); release_sock(sk); sock_put(sk);
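Review bot: the new comment above the condition mentions only "assigned to another transport", while the commit message also covers the de-assigned case, where `vsk->transport` is NULL. The comparison `vsk->transport != &t->transport` rejects both, so the NULL case is handled; consider wording the comment as "closed, de-assigned or assigned to another transport" so that a later reader does not add a separate NULL check. The `sk->sk_state != TCP_LISTEN` exemption is explained by the comment's note on listener sockets and needs no change.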
On Mon, Jan 20, 2025 at 02:40:05PM +0100, gregkh@linuxfoundation.org wrote:
> The patch below does not apply to the 5.10-stable tree.
As for the 5.15-stable tree, there is a "context" conflict due to the fact that we do not have the following patch:
71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
Since backporting that patch is too risky for me, I will send a version of this patch following the instructions below.
Thanks,
Stefano
> If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
>
> To reproduce the conflict and resubmit, you may use the following commands:
>
>     git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
>     git checkout FETCH_HEAD
>     git cherry-pick -x 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1
>     # <resolve conflicts, build, test, etc.>
>     git commit -s
>     git send-email --to 'stable@vger.kernel.org' --in-reply-to '2025012005-supervise-armband-ab52@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..
If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport.
A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find `vsk->transport` at NULL, leading to a NULL pointer dereference.
Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
Cc: stable@vger.kernel.org
Reported-by: Hyunwoo Kim <v4bel@theori.io>
Reported-by: Wongi Lee <qwerty@theori.io>
Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1)
[SG: fixed context conflict since this tree is missing commit 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")]
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 net/vmw_vsock/virtio_transport_common.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index ccbee1723b07..90ed4ccd329c 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -1158,8 +1158,11 @@ void virtio_transport_recv_pkt(struct virtio_transport *t,
lock_sock(sk);
- /* Check if sk has been closed before lock_sock */ - if (sock_flag(sk, SOCK_DONE)) { + /* Check if sk has been closed or assigned to another transport before + * lock_sock (note: listener sockets are not assigned to any transport) + */ + if (sock_flag(sk, SOCK_DONE) || + (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) { (void)virtio_transport_reset_no_sock(t, pkt); release_sock(sk); sock_put(sk);
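Review bot: on the discard path this backport passes `pkt` to virtio_transport_reset_no_sock() where upstream passes `skb`, and the visible context ends at `sock_put(sk);`, so the release of `pkt` is not shown. The new `vsk->transport != &t->transport` test sends more packets down this path than before; please confirm that the lines following `sock_put(sk);` still free `pkt` in this tree, and say so in the [SG: ...] note if the cleanup differs from upstream.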
[ Sasha's backport helper bot ]
Hi,
Found matching upstream commit: 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1
Status in newer kernel trees:
6.12.y | Not found
6.6.y | Not found
6.1.y | Not found
5.15.y | Not found
5.10.y | Not found
Note: The patch differs from the upstream commit: --- 1: 2cb7c756f605e ! 1: f64fe81908cab vsock/virtio: discard packets if the transport changes @@ Commit message Signed-off-by: Stefano Garzarella sgarzare@redhat.com Reviewed-by: Hyunwoo Kim v4bel@theori.io Signed-off-by: Paolo Abeni pabeni@redhat.com + (cherry picked from commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1) + [SG: fixed context conflict since this tree is missing commit 71dc9ec9ac7d + ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")] + Signed-off-by: Stefano Garzarella sgarzare@redhat.com
## net/vmw_vsock/virtio_transport_common.c ## @@ net/vmw_vsock/virtio_transport_common.c: void virtio_transport_recv_pkt(struct virtio_transport *t, @@ net/vmw_vsock/virtio_transport_common.c: void virtio_transport_recv_pkt(struct v + */ + if (sock_flag(sk, SOCK_DONE) || + (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) { - (void)virtio_transport_reset_no_sock(t, skb); + (void)virtio_transport_reset_no_sock(t, pkt); release_sock(sk); sock_put(sk); ---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.10.y       | Success     | Success    |