From: Divya Mankani
To: kuba@kernel.org, pabeni@redhat.com
Cc: horms@kernel.org, virtualization@lists.linux.dev, kvm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+1b2c9c4a0f8708082678@syzkaller.appspotmail.com, Divya Mankani
Subject: [PATCH] vsock/virtio: fix memory leak in virtio_transport_recv_listen
Date: Sat, 6 Jun 2026 00:49:22 +0530
Message-ID: <20260605191922.12720-1-divyakm@unc.edu>

Syzbot reported a memory leak inside virtio_transport_recv_listen caused by a race condition when the parent listener socket shuts down while an incoming packet is being enqueued.

Fix this by locking the parent socket and verifying its shutdown state under the lock before executing vsock_enqueue_accept().

Fixes: a478546a782a ("vsock/virtio: add support for listen sockets")
Reported-by: syzbot+1b2c9c4a0f8708082678@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1b2c9c4a0f8708082678
Signed-off-by: Divya Mankani
---
 net/vmw_vsock/virtio_transport_common.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio= _transport_common.c index 3b294164b..8006a13bb 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c 
@@ -1571,15 +1571,20 @@ virtio_transport_recv_listen(struct sock *sk, struc= t sk_buff *skb, vsock_addr_init(&vchild->remote_addr, le64_to_cpu(hdr->src_cid), le32_to_cpu(hdr->src_port)); =20 - ret =3D vsock_assign_transport(vchild, vsk); - /* Transport assigned (looking at remote_addr) must be the same - * where we received the request. + /* Lock the parent listener socket to synchronize with a potential + * simultaneous shutdown thread running __vsock_release(). */ - if (ret || vchild->transport !=3D &t->transport) { + lock_sock(sk); + + /* Check if the listener socket was shut down while we were + * creating and configuring the child socket. + */ + if (sk->sk_shutdown =3D=3D SHUTDOWN_MASK) { + release_sock(sk); release_sock(child); virtio_transport_reset_no_sock(t, skb, sock_net(sk)); sock_put(child); - return ret; + return -ESHUTDOWN; } =20 sk_acceptq_added(sk); @@ -1590,6 +1595,8 @@ virtio_transport_recv_listen(struct sock *sk, struct = sk_buff *skb, vsock_enqueue_accept(sk, child); virtio_transport_send_response(vchild, skb); =20 + /* Safely release both locked objects */ + release_sock(sk); release_sock(child); =20 sk->sk_data_ready(sk); --=20 2.50.1 (Apple Git-155)
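
Review bot: In the first hunk (@@ -1571,15 +1571,20 @@) the vsock_assign_transport(vchild, vsk) call and the "vchild->transport != &t->transport" check are deleted instead of being kept next to the new shutdown check, and the commit message says nothing about removing them. As posted, nothing in this hunk assigns a transport to the child before sk_acceptq_added(sk) and the later vsock_enqueue_accept(sk, child), so please restore the assignment and its error path and add the sk_shutdown test as a separate condition. Two smaller points in the same hunk: lock_sock(sk) is taken while the child is still locked (the error path calls release_sock(child) after release_sock(sk)), so the commit message should state the intended lock order and whether the caller can already hold sk's lock when this function runs; and "sk->sk_shutdown == SHUTDOWN_MASK" only matches a listener with both directions shut down, which deserves a sentence explaining why a partial shutdown does not need the same handling.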
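
Review bot: In the second hunk (@@ -1590,6 +1595,8 @@) the comment "/* Safely release both locked objects */" only restates the two calls beneath it; either drop it or say why sk is released before child (sk was taken after child in the first hunk, so this is the reverse of acquisition order). The lines between the two hunks are not part of the diff, so please confirm that no return path exists between the new lock_sock(sk) and this release_sock(sk); any such path would leave the listener locked. Note also that sk->sk_data_ready(sk) now runs after the listener lock has been dropped, which is worth a word in the commit message if it is intentional.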