From: Minh Nguyen
To: pabeni@redhat.com, bryan-bt.tan@broadcom.com
Cc: sgarzare@redhat.com, vishnu.dasa@broadcom.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, horms@kernel.org, bcm-kernel-feedback-list@broadcom.com, netdev@vger.kernel.org, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v4] vsock/vmci: fix UAF when peer resets connection during handshake
Date: Tue, 19 May 2026 17:23:10 +0700
Message-ID: <20260519102310.237181-1-minhnguyen.080505@gmail.com>

vmci_transport_recv_connecting_server() returned err = 0 for a peer RST in its default switch arm:

    err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;

That made vmci_transport_recv_listen() skip vsock_remove_pending(), leaving the pending socket on the listener's pending_links with sk_state = TCP_CLOSE, while destroy: still dropped the explicit reference taken before schedule_delayed_work().

One second later vsock_pending_work() observed is_pending=true and performed full cleanup: vsock_remove_pending() then the two trailing sock_put(sk) calls -- the first reached refcount 0 and __sk_free'd the socket, and the second wrote into the freed object:

    BUG: KASAN: slab-use-after-free in refcount_warn_saturate
    Write of size 4 at addr ffff88800b1cac80 by task kworker
    Workqueue: events vsock_pending_work

Treat peer RST like any other unexpected packet type (err = -EINVAL). All destroy: arms now return err < 0, so vmci_transport_recv_listen() removes pending from pending_links synchronously and vsock_pending_work() takes the is_pending=false / !rejected branch, dropping only its own work reference.
This also closes the multi-packet race Sashiko reported on v2: pending is removed from the list before any subsequent packet can find it.

The pre-existing sk_acceptq_removed() gap on the err < 0 path of vmci_transport_recv_listen() that Sashiko also noted is not introduced or changed by this patch.

Tested on lts-6.12.79 with KASAN: 52/100 unpatched -> 0/100 patched.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Cc: stable@vger.kernel.org
Signed-off-by: Minh Nguyen
Assisted-by: Claude:claude-opus-4-7
Acked-by: Bryan Tan
---
v4:
- Resend as an independent thread per netdev workflow (v3 was incorrectly posted in-reply-to the v2 thread).
- Drop the inline comment expansion; keep the original /* Close and cleanup the connection. */. No functional change.

v3:
- Different approach to Sashiko/Paolo's "trading UAF for leak" concern: normalize RST to err = -EINVAL so all destroy: arms take the same err < 0 cleanup path -- no special case, no multi-packet race.
- Sashiko's secondary observation ("while not introduced by this patch, does this error path leak sk_ack_backlog slots on failed handshakes?") is correct: the sk_acceptq_removed() gap on the err < 0 branch of vmci_transport_recv_listen() is pre-existing and is not introduced or changed by this patch. A separate fix for that gap is needed and would be welcome.

v2: https://lore.kernel.org/netdev/20260512025851.189140-1-minhnguyen.080505@gmail.com/
v1 was sent to security@kernel.org on 2026-05-10 (not on lore).

 net/vmw_vsock/vmci_transport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 4296ca1..d257938 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1164,7 +1164,7 @@ vmci_transport_recv_connecting_server(struct sock *li= stener, /* Close and cleanup the connection. */ vmci_transport_send_reset(pending, pkt); skerr =3D EPROTO; - err =3D pkt->type =3D=3D VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL; + err =3D -EINVAL; goto destroy; } =20 base-commit: be48e5fe51a5864566307998286a699d6b986934 --=20 2.54.0
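Review bot: the surviving `/* Close and cleanup the connection. */` comment above the `+ err = -EINVAL;` line no longer says why a peer RST is deliberately reported as an error, so a later reader may take `-EINVAL` for a legitimate reset as a mistake and restore the `? 0 : -EINVAL` special case; a one-line comment on the `+` line, e.g. `/* RST included: err < 0 makes recv_listen() remove pending synchronously */`, would pin the intent that currently lives only in the changelog. Also worth spelling out in the changelog: since RST now takes the err < 0 branch of vmci_transport_recv_listen(), it passes through the sk_acceptq_removed() gap described for that branch as well, so say whether the old err = 0 path accounted for the accept-queue slot on RST, to make clear the patch does not move a slot leak onto the reset case.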
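The changelog's reference-count sequence, as an added user-space C model (not the kernel's or the patch author's code): the function names mirror the kernel ones, but the bodies are a simplified simulation. It assumes three references on the pending socket when the RST arrives (the allocation, the pending-list link, and the delayed-work item's own), and the `patched` flag selects the post-patch `err = -EINVAL` arm; `run_peer_rst(false)` reproduces the second put landing in freed memory, while `run_peer_rst(true)` shows the fix neither double-puts nor leaks a reference.

```c
#include <errno.h>
#include <stdbool.h>

struct sock_model {
	int refcnt;            /* simulated sk_refcnt; 0 means __sk_free() has run */
	bool on_pending_list;  /* still linked on the listener's pending_links */
	int writes_after_free; /* what KASAN reported as slab-use-after-free */
};

static void sock_put(struct sock_model *sk)
{	/* a put on a freed socket is the refcount_warn_saturate write KASAN flagged */
	if (sk->refcnt == 0) sk->writes_after_free++; else sk->refcnt--;
}

/* destroy: arm of vmci_transport_recv_connecting_server() on a peer RST */
static int recv_connecting_server(struct sock_model *pending, bool patched)
{
	int err = patched ? -EINVAL : 0; /* before the patch, RST mapped to err = 0 */
	sock_put(pending);               /* explicit ref taken before schedule_delayed_work() */
	return err;
}

static int recv_listen(struct sock_model *pending, bool patched)
{
	int err = recv_connecting_server(pending, patched);
	if (err < 0) {                   /* vsock_remove_pending() runs only on error */
		pending->on_pending_list = false;
		sock_put(pending);           /* the pending-list reference */
	}
	return err;
}

static void vsock_pending_work(struct sock_model *sk) /* fires one second later */
{
	if (sk->on_pending_list) {       /* is_pending=true: full cleanup */
		sk->on_pending_list = false;
		sock_put(sk);                /* vsock_remove_pending() */
		sock_put(sk);                /* the cleanup reference */
	}
	sock_put(sk);                    /* the work item's own reference */
}

struct sock_model run_peer_rst(bool patched) /* full sequence for a peer RST during handshake */
{
	struct sock_model pending = { .refcnt = 3, .on_pending_list = true };
	recv_listen(&pending, patched);
	vsock_pending_work(&pending);
	return pending;  /* writes_after_free > 0 is the UAF; refcnt > 0 would be the leak */
}
```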