vsock: reset socket state when de-assigning the transport

jira VULN-80680
cve-pre CVE-2025-38461
commit-author Stefano Garzarella <[email protected]>
commit a24009b

Transport's release() and destruct() are called when de-assigning the
vsock transport. These callbacks can touch some socket state like
sock flags, sk_state, and peer_shutdown.

Since we are reassigning the socket to a new transport during
vsock_connect(), let's reset these fields to have a clean state with
the new transport.

Fixes: c0cfa2d ("vsock: add multi-transports support")
	Cc: [email protected]
	Signed-off-by: Stefano Garzarella <[email protected]>
	Reviewed-by: Luigi Leonardi <[email protected]>
	Signed-off-by: Paolo Abeni <[email protected]>

(cherry picked from commit a24009b)
	Signed-off-by: Roxana Nicolescu <[email protected]>

Author: roxanan1996

net/vmw_vsock/af_vsock.c

@@ -479,6 +479,15 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
 		 */
 		vsk->transport->release(vsk);
 		vsock_deassign_transport(vsk);
+
+		/* transport's release() and destruct() can touch some socket
+		 * state, since we are reassigning the socket to a new transport
+		 * during vsock_connect(), let's reset these fields to have a
+		 * clean state.
+		 */
+		sock_reset_flag(sk, SOCK_DONE);
+		sk->sk_state = TCP_CLOSE;
+		vsk->peer_shutdown = 0;
 	}
 
 	/* We increase the module refcnt to prevent the transport unloading