forked from Minki/linux
685703b497
There is a race condition for an established connection that is being closed
by the guest: the refcnt is 4 at the end of hvs_release() (Note: here the
'remove_sock' is false):
1 for the initial value;
1 for the sk being in the bound list;
1 for the sk being in the connected list;
1 for the delayed close_work.
After hvs_release() finishes, __vsock_release() -> sock_put(sk) *may*
decrease the refcnt to 3.
Concurrently, hvs_close_connection() runs in another thread:
calls vsock_remove_sock() to decrease the refcnt by 2;
call sock_put() to decrease the refcnt to 0, and free the sk;
next, the "release_sock(sk)" may hang due to use-after-free.
In the above, after hvs_release() finishes, if hvs_close_connection() runs
faster than "__vsock_release() -> sock_put(sk)", then there is not any issue,
because at the beginning of hvs_close_connection(), the refcnt is still 4.
The issue can be resolved if an extra reference is taken when the
connection is established.
Fixes:
|
||
---|---|---|
.. | ||
af_vsock_tap.c | ||
af_vsock.c | ||
diag.c | ||
hyperv_transport.c | ||
Kconfig | ||
Makefile | ||
virtio_transport_common.c | ||
virtio_transport.c | ||
vmci_transport_notify_qstate.c | ||
vmci_transport_notify.c | ||
vmci_transport_notify.h | ||
vmci_transport.c | ||
vmci_transport.h | ||
vsock_addr.c |