From: Greg Kroah-Hartman
Date: Sun, 15 Dec 2024 09:28:05 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v5.4.288~48
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dc0f6b18192fa36823280cfc471b4fa0322ee673;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
virtio-vsock-fix-accept_queue-memory-leak.patch
---
diff --git a/queue-5.15/series b/queue-5.15/series
index 815b1c9988a..b617a696397 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -14,3 +14,4 @@ xfs-don-t-drop-errno-values-when-we-fail-to-ficlone-the-entire-range.patch
 xfs-return-from-xfs_symlink_verify-early-on-v4-filesystems.patch
 xfs-fix-scrub-tracepoints-when-inode-rooted-btrees-are-involved.patch
 bpf-sockmap-fix-update-element-with-same.patch
+virtio-vsock-fix-accept_queue-memory-leak.patch
diff --git a/queue-5.15/virtio-vsock-fix-accept_queue-memory-leak.patch b/queue-5.15/virtio-vsock-fix-accept_queue-memory-leak.patch
new file mode 100644
index 00000000000..c360f86f1bb
--- /dev/null
+++ b/queue-5.15/virtio-vsock-fix-accept_queue-memory-leak.patch
@@ -0,0 +1,90 @@
+From d7b0ff5a866724c3ad21f2628c22a63336deec3f Mon Sep 17 00:00:00 2001
+From: Michal Luczaj
+Date: Thu, 7 Nov 2024 21:46:12 +0100
+Subject: virtio/vsock: Fix accept_queue memory leak
+
+From: Michal Luczaj
+
+commit d7b0ff5a866724c3ad21f2628c22a63336deec3f upstream.
+
+As the final stages of socket destruction may be delayed, it is possible
+that virtio_transport_recv_listen() will be called after the accept_queue
+has been flushed, but before the SOCK_DONE flag has been set. As a result,
+sockets enqueued after the flush would remain unremoved, leading to a
+memory leak.
+
+vsock_release
+ __vsock_release
+ lock
+ virtio_transport_release
+ virtio_transport_close
+ schedule_delayed_work(close_work)
+ sk_shutdown = SHUTDOWN_MASK
+(!) flush accept_queue
+ release
+ virtio_transport_recv_pkt
+ vsock_find_bound_socket
+ lock
+ if flag(SOCK_DONE) return
+ virtio_transport_recv_listen
+ child = vsock_create_connected
+ (!) vsock_enqueue_accept(child)
+ release
+close_work
+ lock
+ virtio_transport_do_close
+ set_flag(SOCK_DONE)
+ virtio_transport_remove_sock
+ vsock_remove_sock
+ vsock_remove_bound
+ release
+
+Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
+socket destruction.
+
+unreferenced object 0xffff888109e3f800 (size 2040):
+ comm "kworker/5:2", pid 371, jiffies 4294940105
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............
+ backtrace (crc 9e5f4e84):
+ [] kmem_cache_alloc_noprof+0x2c1/0x360
+ [] sk_prot_alloc+0x30/0x120
+ [] sk_alloc+0x2c/0x4b0
+ [] __vsock_create.constprop.0+0x2a/0x310
+ [] virtio_transport_recv_pkt+0x4dc/0x9a0
+ [] vsock_loopback_work+0xfd/0x140
+ [] process_one_work+0x20c/0x570
+ [] worker_thread+0x1bf/0x3a0
+ [] kthread+0xdd/0x110
+ [] ret_from_fork+0x2d/0x50
+ [] ret_from_fork_asm+0x1a/0x30
+
+Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Michal Luczaj
+Signed-off-by: Paolo Abeni
+[ Adapted due to missing commit 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") ]
+Signed-off-by: Tomas Krcka
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/virtio_transport_common.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1196,6 +1196,14 @@ virtio_transport_recv_listen(struct sock
+ return -ENOMEM;
+ }
+
++ /* __vsock_release() might have already flushed accept_queue.
++ * Subsequent enqueues would lead to a memory leak.
++ */
++ if (sk->sk_shutdown == SHUTDOWN_MASK) {
++ virtio_transport_reset_no_sock(t, pkt);
++ return -ESHUTDOWN;
++ }
++
+ child = vsock_create_connected(sk);
+ if (!child) {
+ virtio_transport_reset_no_sock(t, pkt);
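Review bot: The new `sk->sk_shutdown == SHUTDOWN_MASK` guard is only race-free because both sides run under the socket lock — the trace in the description shows __vsock_release() setting sk_shutdown and flushing accept_queue between lock/release, and virtio_transport_recv_pkt() taking the same lock before it reaches virtio_transport_recv_listen() — yet the added comment does not record that dependency, so a later change that moves the flush or the check outside lock_sock() would silently reopen the leak; suggest extending the comment with `* Relies on lock_sock(sk): __vsock_release() updates sk_shutdown and flushes the queue under the same lock this path holds.`. It would also help to say why a strict equality with SHUTDOWN_MASK (rather than a `&` test) is sufficient here; presumably a listening socket can only acquire shutdown bits through release, because shutdown(2) on an unconnected stream socket is rejected, but that should be confirmed against vsock_shutdown() before the comment asserts it. For stable triage, note that the leaked object is a full struct sock (2040 bytes in the kmemleak report, allocated via sk_alloc on the receive path), so a peer that keeps racing connection requests against listener teardown turns the leak into gradual kernel memory exhaustion. The enclosing virtio_transport_recv_listen() starts and ends outside the inner hunk.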