Skip to content

[lts9_4] Add dependency for CVE-2025-38461#685

Merged
roxanan1996 merged 2 commits intociqlts9_4from
{rnicolescu}_ciqlts9_4
Nov 17, 2025
Merged

[lts9_4] Add dependency for CVE-2025-38461#685
roxanan1996 merged 2 commits intociqlts9_4from
{rnicolescu}_ciqlts9_4

Conversation

@roxanan1996
Copy link
Contributor

@roxanan1996 roxanan1996 commented Nov 13, 2025
edited
Loading

DESCRIPTION

Commit

vsock: Fix transport_* TOCTOU

was cherry picked without its dependency.

vsock: fix lock inversion in vsock_assign_transport()

This will add the dependency to avoid any issues in the future.

NOTES

  1. First commit
vsock: reset socket state when de-assigning the transport

was added to make the second patch diff the same. otherwise it would
have been 2 separate hunks, even though the changes were the same.
Moreover, this fixes

c0cfa2d8a788 ("vsock: add multi-transports support")

The same commit that the CVE fix addresses. So it's also a bug fix.

  1. The order of the commit is not 100% the same as in mainline,
vsock: reset socket state when de-assigning the transport

should have been before

vsock: Fix transport_* TOCTOU

but, it's too late for that. And implementation wise, it is fine.

  1. I tested the changes and right before creating the merge, I realized the jira tickets were not correct. Hence the sha diff.
    I did not test again since I just changed the commit description.

COMMITS

vsock: reset socket state when de-assigning the transport

jira VULN-80685
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <[email protected]>
commit a24009bc9be60242651a21702609381b5092459e

vsock: fix lock inversion in vsock_assign_transport()

jira VULN-80685
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <[email protected]>
commit f7c877e7535260cc7a21484c994e8ce7e8cb6780

TESTING

BUILD

> grep -E -B 5 -A 5 '\[TIMER\]|^Starting Build' /home/rnicolescu/ciq/kernels/lts-9.4/kernel-build-after.log
/home/rnicolescu/ciq/kernels/lts-9.4/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 4s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rnicolescu_ciqlts9_4-cf8c18fafc48"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  BTF [M] sound/xen/snd_xen_front.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  BTF [M] sound/usb/snd-usb-audio.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1462s
Making Modules
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+/kernel/sound/xen/snd_xen_front.ko
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+/kernel/crypto/cast6_generic.ko
  STRIP   /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+/kernel/crypto/cast6_generic.ko
  SIGN    /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+/kernel/crypto/cast6_generic.ko
  DEPMOD  /lib/modules/5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+
[TIMER]{MODULES}: 10s
Making Install
sh ./arch/x86/boot/install.sh 5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+ \
	arch/x86/boot/bzImage System.map "/boot"
[TIMER]{INSTALL}: 20s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+ and Index to 2
The default is /boot/loader/entries/a1f034bfa0ff4640a933385fcfbb21ec-5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+.conf with index 2 and kernel /boot/vmlinuz-5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+
The default is /boot/loader/entries/a1f034bfa0ff4640a933385fcfbb21ec-5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+.conf with index 2 and kernel /boot/vmlinuz-5.14.0-rnicolescu_ciqlts9_4-cf8c18fafc48+
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 4s
[TIMER]{BUILD}: 1462s
[TIMER]{MODULES}: 10s
[TIMER]{INSTALL}: 20s
[TIMER]{TOTAL} 1502s
Rebooting in 10 seconds

kernel-build-before.log
kernel-build-after.log

Kselftests

> /home/rnicolescu/ciq/kernel-tools/kselftest-diff.sh /home/rnicolescu/ciq/kernels/lts-9.4
/home/rnicolescu/ciq/kernels/lts-9.4/kselftest-before.log
368
/home/rnicolescu/ciq/kernels/lts-9.4/kselftest-after.log
368
Before: /home/rnicolescu/ciq/kernels/lts-9.4/kselftest-before.log
After: /home/rnicolescu/ciq/kernels/lts-9.4/kselftest-after.log
Diff:
No differences found.

kselftest-before.log
kselftest-after.log

Check_kernel_commits including interdiff

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/check_kernel_commits.py --repo /home/rnicolescu/ciq/kernels/lts-9.4/kernel-src-tree --pr_branch {rnicolescu}_ciqlts9_4 --base_branch origin/ciqlts9_4
All referenced commits exist upstream and have no Fixes: tags.

@roxanan1996
vsock: reset socket state when de-assigning the transport
524575b 
jira VULN-80685
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <[email protected]>
commit a24009b

Transport's release() and destruct() are called when de-assigning the
vsock transport. These callbacks can touch some socket state like
sock flags, sk_state, and peer_shutdown.

Since we are reassigning the socket to a new transport during
vsock_connect(), let's reset these fields to have a clean state with
the new transport.

Fixes: c0cfa2d ("vsock: add multi-transports support")
	Cc: [email protected]
	Signed-off-by: Stefano Garzarella <[email protected]>
	Reviewed-by: Luigi Leonardi <[email protected]>
	Signed-off-by: Paolo Abeni <[email protected]>

(cherry picked from commit a24009b)
	Signed-off-by: Roxana Nicolescu <[email protected]>
@roxanan1996
vsock: fix lock inversion in vsock_assign_transport()
19e651a 
jira VULN-80685
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <[email protected]>
commit f7c877e

Syzbot reported a potential lock inversion deadlock between
vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.

The issue was introduced by commit 687aa0c ("vsock: Fix
transport_* TOCTOU") which added vsock_register_mutex locking in
vsock_assign_transport() around the transport->release() call, that can
call vsock_linger(). vsock_assign_transport() can be called with sk_lock
held. vsock_linger() calls sk_wait_event() that temporarily releases and
re-acquires sk_lock. During this window, if another thread hold
vsock_register_mutex while trying to acquire sk_lock, a circular
dependency is created.

Fix this by releasing vsock_register_mutex before calling
transport->release() and vsock_deassign_transport(). This is safe
because we don't need to hold vsock_register_mutex while releasing the
old transport, and we ensure the new transport won't disappear by
obtaining a module reference first via try_module_get().

	Reported-by: [email protected]
	Tested-by: [email protected]
Fixes: 687aa0c ("vsock: Fix transport_* TOCTOU")
	Cc: [email protected]
	Cc: [email protected]
	Signed-off-by: Stefano Garzarella <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Paolo Abeni <[email protected]>

(cherry picked from commit f7c877e)
	Signed-off-by: Roxana Nicolescu <[email protected]>
@roxanan1996 roxanan1996 changed the title [lts9_2] Add dependency for CVE-2025-38461 [lts9_4] Add dependency for CVE-2025-38461 Nov 13, 2025
@roxanan1996 roxanan1996 requested a review from a team November 13, 2025 12:16
@roxanan1996 roxanan1996 self-assigned this Nov 13, 2025
bmastbergen
bmastbergen approved these changes Nov 14, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

PlaidCat
PlaidCat approved these changes Nov 14, 2025
View reviewed changes
Copy link
Collaborator

@PlaidCat PlaidCat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@roxanan1996 roxanan1996 merged commit 6b7dadb into ciqlts9_4 Nov 17, 2025
5 checks passed
@roxanan1996 roxanan1996 mentioned this pull request Nov 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PlaidCat PlaidCat PlaidCat approved these changes

@bmastbergen bmastbergen bmastbergen approved these changes

Assignees

@roxanan1996 roxanan1996

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@roxanan1996 @PlaidCat @bmastbergen