UPSTREAM: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

ImV4bel · ExactExampl · commit 76582760427a · 2026-02-25T20:51:16.000+02:00
commit 6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f upstream. During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL. Bug: 378870958 Cc: stable <stable@kernel.org> Fixes: 06a8fc7 ("VSOCK: Introduce virtio_vsock_common.ko") Signed-off-by: Hyunwoo Kim <v4bel@theori.io> Signed-off-by: Wongi Lee <qwerty@theori.io> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Message-Id: <2024102245-strive-crib-c8d3@gregkh> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b110196fec44fe966952004bd426967c2a8fd358) Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I5eb7b5ccf7f0d96644cc4313548c0114e8836149
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
@@ -580,6 +580,7 @@ void virtio_transport_destruct(struct vsock_sock *vsk)
 	struct virtio_vsock_sock *vvs = vsk->trans;
 
 	kfree(vvs);
+	vsk->trans = NULL;
 }
 EXPORT_SYMBOL_GPL(virtio_transport_destruct);
 

Original file line number	Diff line number	Diff line change
`@@ -580,6 +580,7 @@ void virtio_transport_destruct(struct vsock_sock *vsk)`
`580`	`580`	`struct virtio_vsock_sock *vvs = vsk->trans;`
`581`	`581`
`582`	`582`	`kfree(vvs);`
	`583`	`+ vsk->trans = NULL;`
`583`	`584`	`}`
`584`	`585`	`EXPORT_SYMBOL_GPL(virtio_transport_destruct);`
`585`	`586`