5.4-stable patches

added patches:
	hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch
	vsock-virtio-initialization-of-the-dangling-pointer-occurring-in-vsk-trans.patch

diff --git a/queue-5.4/hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch b/queue-5.4/hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch
new file mode 100644 (file)
index 0000000..e0adbe0
--- /dev/null
+++ b/queue-5.4/hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch
@@ -0,0 +1,33 @@
+From e629295bd60abf4da1db85b82819ca6a4f6c1e79 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <v4bel@theori.io>
+Date: Wed, 6 Nov 2024 04:36:04 -0500
+Subject: hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
+
+From: Hyunwoo Kim <v4bel@theori.io>
+
+commit e629295bd60abf4da1db85b82819ca6a4f6c1e79 upstream.
+
+When hvs is released, there is a possibility that vsk->trans may not
+be initialized to NULL, which could lead to a dangling pointer.
+This issue is resolved by initializing vsk->trans to NULL.
+
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://patch.msgid.link/Zys4hCj61V+mQfX2@v4bel-B760M-AORUS-ELITE-AX
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/hyperv_transport.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/vmw_vsock/hyperv_transport.c
++++ b/net/vmw_vsock/hyperv_transport.c
+@@ -531,6 +531,7 @@ static void hvs_destruct(struct vsock_so
+               vmbus_hvsock_device_unregister(chan);
+ 
+       kfree(hvs);
++      vsk->trans = NULL;
+ }
+ 
+ static int hvs_dgram_bind(struct vsock_sock *vsk, struct sockaddr_vm *addr)

diff --git a/queue-5.4/series b/queue-5.4/series
index 4f36bbc19cedab0059a32c343bf3c7655132674f..670082f8f939f7865b3f7e5bccf755dc510f144c 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -48,3 +48,5 @@ alsa-usb-audio-support-jack-detection-on-dell-dock.patch
 alsa-usb-audio-add-quirks-for-dell-wd19-dock.patch
 nfsd-fix-nfsv4-s-putpubfh-operation.patch
 ftrace-fix-possible-use-after-free-issue-in-ftrace_location.patch
+hv_sock-initializing-vsk-trans-to-null-to-prevent-a-dangling-pointer.patch
+vsock-virtio-initialization-of-the-dangling-pointer-occurring-in-vsk-trans.patch

diff --git a/queue-5.4/vsock-virtio-initialization-of-the-dangling-pointer-occurring-in-vsk-trans.patch b/queue-5.4/vsock-virtio-initialization-of-the-dangling-pointer-occurring-in-vsk-trans.patch
new file mode 100644 (file)
index 0000000..5042480
--- /dev/null
+++ b/queue-5.4/vsock-virtio-initialization-of-the-dangling-pointer-occurring-in-vsk-trans.patch
@@ -0,0 +1,35 @@
+From 6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <v4bel@theori.io>
+Date: Tue, 22 Oct 2024 09:32:56 +0200
+Subject: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
+
+From: Hyunwoo Kim <v4bel@theori.io>
+
+commit 6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f upstream.
+
+During loopback communication, a dangling pointer can be created in
+vsk->trans, potentially leading to a Use-After-Free condition.  This
+issue is resolved by initializing vsk->trans to NULL.
+
+Cc: stable <stable@kernel.org>
+Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Wongi Lee <qwerty@theori.io>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Message-Id: <2024102245-strive-crib-c8d3@gregkh>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -680,6 +680,7 @@ void virtio_transport_destruct(struct vs
+       struct virtio_vsock_sock *vvs = vsk->trans;
+ 
+       kfree(vvs);
++      vsk->trans = NULL;
+ }
+ EXPORT_SYMBOL_GPL(virtio_transport_destruct);
+