[lts8_6] CVE-2025-38461 #687
Merged
Conversation
jira VULN-80680
cve-pre CVE-2025-38461
commit-author Stefano Garzarella <[email protected]>
commit a24009b

Transport's release() and destruct() are called when de-assigning the vsock transport. These callbacks can touch some socket state like sock flags, sk_state, and peer_shutdown. Since we are reassigning the socket to a new transport during vsock_connect(), let's reset these fields to have a clean state with the new transport.

Fixes: c0cfa2d ("vsock: add multi-transports support")
Cc: [email protected]
Signed-off-by: Stefano Garzarella <[email protected]>
Reviewed-by: Luigi Leonardi <[email protected]>
Signed-off-by: Paolo Abeni <[email protected]>
(cherry picked from commit a24009b)
Signed-off-by: Roxana Nicolescu <[email protected]>
jira VULN-80680
cve CVE-2025-38461
commit-author Michal Luczaj <[email protected]>
commit 687aa0c

Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert.

BUG: unable to handle page fault for address: fffffbfff8056000
Oops: Oops: 0000 [#1] SMP KASAN
RIP: 0010:vsock_assign_transport+0x366/0x600
Call Trace:
 vsock_connect+0x59c/0xc40
 __sys_connect+0xe8/0x100
 __x64_sys_connect+0x6e/0xc0
 do_syscall_64+0x92/0x1c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: c0cfa2d ("vsock: add multi-transports support")
Reviewed-by: Stefano Garzarella <[email protected]>
Signed-off-by: Michal Luczaj <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 687aa0c)
Signed-off-by: Roxana Nicolescu <[email protected]>
jira VULN-80680
cve-bf CVE-2025-38461
commit-author Michal Luczaj <[email protected]>
commit f7c877e
upstream-diff | Adjusted context due to missing SEQPACKET support

Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.

The issue was introduced by commit 687aa0c ("vsock: Fix transport_* TOCTOU") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger().

vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created.

Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().

Reported-by: [email protected]
Tested-by: [email protected]
Fixes: 687aa0c ("vsock: Fix transport_* TOCTOU")
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Stefano Garzarella <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
(cherry picked from commit f7c877e)
Signed-off-by: Roxana Nicolescu <[email protected]>
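The three commit messages above describe one ordering inside vsock_assign_transport(): pin the new transport's module under vsock_register_mutex, drop that mutex, then call the old transport's release() and reset the socket state the old transport may have touched. The following is an added userspace model of that ordering, written for this page; it is not code from the PR, from the kernel, or from the kernel developers named above. Everything in it (struct transport, the registry slots, registry_locked, model_try_module_get(), assign_transport(), the two scenarios) is an assumption of the model; only the concepts (module reference, registry mutex, release() callback that may drop sk_lock, state reset) come from the commit messages.

```c
/* Added model of the vsock_assign_transport() ordering; not kernel code.
 * Single-threaded on purpose: the registry mutex is a flag the release()
 * callback can inspect, so the lock-order hazard becomes a checkable value. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct vsock;

struct transport {
    const char *name;
    int module_refs;        /* models the owning module's refcount */
    bool module_unloading;  /* models module exit: try_module_get() must fail */
    void (*release)(struct vsock *vsk);
};

struct vsock {
    struct transport *transport;
    int sk_state;           /* nonzero models state left by the old transport */
    int peer_shutdown;
};

static bool registry_locked;          /* stands in for vsock_register_mutex */
static struct transport *registry[2]; /* two registration slots (assumed) */

/* Set by release(): true means it ran under the registry lock, the ordering
 * that f7c877e removed because release() can reach vsock_linger(), which
 * drops and retakes sk_lock. */
static bool release_ran_under_registry_lock;

static void model_release(struct vsock *vsk)
{
    (void)vsk;
    release_ran_under_registry_lock = registry_locked;
}

static bool model_try_module_get(struct transport *t)
{
    if (t->module_unloading)
        return false;
    t->module_refs++;
    return true;
}

static void model_module_put(struct transport *t)
{
    t->module_refs--;
}

/* Fixed ordering. Returns 0 on success, -1 (models -ENODEV) if the slot is
 * empty or its module is unloading. */
static int assign_transport(struct vsock *vsk, int slot)
{
    struct transport *new_t;

    registry_locked = true;                 /* lookup + pin under the mutex */
    new_t = registry[slot];
    if (new_t && !model_try_module_get(new_t))
        new_t = NULL;                       /* 687aa0c: never keep a stale pointer */
    registry_locked = false;                /* dropped before any callback that may sleep */

    if (!new_t)
        return -1;

    if (vsk->transport) {
        vsk->transport->release(vsk);       /* f7c877e: outside the registry mutex */
        model_module_put(vsk->transport);
    }
    vsk->transport = new_t;
    vsk->sk_state = 0;                      /* a24009b: clean state for the new transport */
    vsk->peer_shutdown = 0;
    return 0;
}

/* Runs two constructed scenarios; returns how many behaved as intended (max 2).
 * Uses static transports, so it is meant to be called once per process. */
static int run_model(void)
{
    static struct transport t_old = { "old", 1, false, model_release };
    static struct transport t_new = { "new", 0, false, model_release };
    struct vsock vsk = { &t_old, 5, 3 };
    int passed = 0;

    registry[0] = &t_old;
    registry[1] = &t_new;

    /* 1. Reassignment: old released outside the lock, refs moved, state reset. */
    if (assign_transport(&vsk, 1) == 0 && !release_ran_under_registry_lock &&
        vsk.transport == &t_new && vsk.sk_state == 0 && vsk.peer_shutdown == 0 &&
        t_new.module_refs == 1 && t_old.module_refs == 0)
        passed++;

    /* 2. Race with unload: pinning fails, socket keeps its current transport. */
    t_old.module_unloading = true;
    if (assign_transport(&vsk, 0) == -1 && vsk.transport == &t_new &&
        t_new.module_refs == 1)
        passed++;

    return passed;
}

int main(void)
{
    printf("%d of 2 scenarios behaved as intended\n", run_model());
    return 0;
}
```

The model checks two things a backporter would want to see hold after the three commits are applied together: release() never observes the registry lock held, and a transport whose module is unloading cannot be assigned at all rather than being assigned as a dangling pointer.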
bmastbergen (Collaborator) approved these changes, Nov 14, 2025, and left a comment:
🥌
PlaidCat (Collaborator) approved these changes, Nov 14, 2025, and left an image-only comment.
DESCRIPTION
Commit
is the CVE fix and it was cherry picked cleanly.
This is a cve-bf dependency.
NOTES
was added to make the last patch diff the same. Otherwise it would have been 2 separate hunks, even though the changes were the same.
Moreover, this fixes
The same commit that the CVE fix addresses. So it's also a bug fix.
It was added as cve-pre because in mainline is before
was not a clean cherry pick because of missing SEQPACKET
support. I went down that road of adding it but it turned out
to be a lot of code refactor.
Moreover, even though the kernel version is not the same,
it follows the same approach as stable v5.10
https://lore.kernel.org/stable/[email protected]/
COMMITS
TESTING
BUILD
kernel-build-after.log
kernel-build-before.log
Kselftests
kselftest-after.log
kselftest-before.log
Check_kernel_commits including interdiff