linux/net
Stefano Garzarella 1980c05844 vsock: fix potential null pointer dereference in vsock_poll()
syzbot reported this issue where in the vsock_poll() we find the
socket state at TCP_ESTABLISHED, but 'transport' is null:
  general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
  CPU: 0 PID: 8227 Comm: syz-executor.2 Not tainted 5.8.0-rc7-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  RIP: 0010:vsock_poll+0x75a/0x8e0 net/vmw_vsock/af_vsock.c:1038
  Call Trace:
   sock_poll+0x159/0x460 net/socket.c:1266
   vfs_poll include/linux/poll.h:90 [inline]
   do_pollfd fs/select.c:869 [inline]
   do_poll fs/select.c:917 [inline]
   do_sys_poll+0x607/0xd40 fs/select.c:1011
   __do_sys_poll fs/select.c:1069 [inline]
   __se_sys_poll fs/select.c:1057 [inline]
   __x64_sys_poll+0x18c/0x440 fs/select.c:1057
   do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

This issue can happen if the TCP_ESTABLISHED state is set after we read
the vsk->transport in the vsock_poll().

We could put barriers to synchronize, but this can only happen during
connection setup, so we can simply check that 'transport' is valid.

Fixes: c0cfa2d8a7 ("vsock: add multi-transports support")
Reported-and-tested-by: syzbot+a61bac2fcc1a7c6623fe@syzkaller.appspotmail.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-12 12:56:06 -07:00
..
6lowpan treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
802
8021q net: get rid of lockdep_set_class_and_subclass() 2020-06-28 21:37:23 -07:00
appletalk appletalk: Fix atalk_proc_init() return path 2020-08-03 15:48:32 -07:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
ax25 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-07-25 17:49:04 -07:00
batman-adv batman-adv: Introduce a configurable per interface hop penalty 2020-06-26 10:37:11 +02:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
bpf bpf: Allow to specify ifindex for skb in bpf_prog_test_run_skb 2020-08-03 23:32:23 +02:00
bpfilter Merge branch 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-08-04 14:27:25 -07:00
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
caif net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
can net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
ceph libceph: don't omit used_replica in target_copy() 2020-06-16 16:02:08 +02:00
core net: Fix potential memory leak in proto_register() 2020-08-11 15:36:14 -07:00
dcb dcb_doit: remove redundant skb check 2020-06-23 20:27:09 -07:00
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2020-08-03 16:03:18 -07:00
dns_resolver
dsa net: dsa: stop overriding master's ndo_get_phys_port_name 2020-07-23 15:14:58 -07:00
ethernet net: move devres helpers into a separate source file 2020-05-23 16:56:17 -07:00
ethtool mlx5-updates-2020-08-03 2020-08-03 18:24:30 -07:00
hsr hsr: Use %pM format specifier for MAC addresses 2020-07-31 16:46:26 -07:00
ieee802154 net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
ife
ipv4 net: initialize fastreuse on inet_inherit_port 2020-08-11 15:49:08 -07:00
ipv6 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
iucv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
kcm net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
l2tp l2tp: improve API documentation in l2tp_core.h 2020-07-30 16:45:31 -07:00
l3mdev l3mdev: add infrastructure for table to VRF mapping 2020-06-20 17:22:22 -07:00
lapb treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
llc net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
mac80211 mac80211: Do not report beacon loss if beacon filtering enabled 2020-08-03 13:02:06 +02:00
mac802154 treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mpls net: Removed the device type check to add mpls support for devices 2020-07-27 11:40:47 -07:00
mptcp mptcp: fix warn at shutdown time for unaccepted msk sockets 2020-08-07 17:26:16 -07:00
ncsi net/ncsi: use eth_zero_addr() to clear mac address 2020-07-23 11:49:41 -07:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
netlabel net: netlabel: kerneldoc fixes 2020-07-13 17:20:40 -07:00
netlink bpf: Refactor bpf_iter_reg to have separate seq_info member 2020-07-25 20:16:32 -07:00
netrom net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
nfc net/nfc/rawsock.c: add CAP_NET_RAW check. 2020-08-11 10:34:30 -07:00
nsh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
openvswitch net: openvswitch: silence suspicious RCU usage warning 2020-08-05 12:11:46 -07:00
packet net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
phonet net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
psample net: psample: fix build error when CONFIG_INET is not enabled 2020-05-23 16:36:05 -07:00
qrtr Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-07-25 17:49:04 -07:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
rfkill
rose net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
sched Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-07-25 17:49:04 -07:00
smc net/smc: unique reason code for exceeded max dmb count 2020-07-27 10:30:01 -07:00
strparser
sunrpc Remove uninitialized_var() macro for v5.9-rc1 2020-08-04 13:49:43 -07:00
switchdev net: switchdev: kerneldoc fixes 2020-07-13 17:20:40 -07:00
tipc tipc: set ub->ifindex for local ipv6 address 2020-08-05 12:19:52 -07:00
tls net/tls: Fix kmap usage 2020-08-11 10:20:34 -07:00
unix net: make ->{get,set}sockopt in proto_ops optional 2020-07-19 18:16:41 -07:00
vmw_vsock vsock: fix potential null pointer dereference in vsock_poll() 2020-08-12 12:56:06 -07:00
wimax
wireless nl80211: use eth_zero_addr() to clear mac address 2020-08-03 10:56:22 +02:00
x25 net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
xdp xdp: Prevent kernel-infoleak in xsk_getsockopt() 2020-07-28 12:50:15 +02:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-08-02 01:02:12 -07:00
compat.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-08-05 20:13:21 -07:00
devres.c net: devres: rename the release callback of devm_register_netdev() 2020-06-30 15:57:34 -07:00
Kconfig net: ethtool: Remove PHYLIB direct dependency 2020-07-07 15:41:05 -07:00
Makefile net: move devres helpers into a separate source file 2020-05-23 16:56:17 -07:00
socket.c net: Revert "net: optimize the sockptr_t for unified kernel/user address spaces" 2020-08-10 12:06:44 -07:00
sysctl_net.c