Description
In the Linux kernel, the following vulnerability has been resolved: vsock: fix lock inversion in vsock_assign_transport() Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. The issue was introduced by commit 687aa0c5581b ("vsock: Fix transport_* TOCTOU") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread hold vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created. Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().
Product status
8667e8d0eb46bc54fdae30ba2f4786407d3d88eb (git) before ce4f856c64f0bc30e29302a0ce41f4295ca391c5
36a439049b34cca0b3661276049b84a1f76cc21a (git) before 09bba278ccde25a14b6e5088a9e65a8717d0cccf
9ce53e744f18e73059d3124070e960f3aa9902bf (git) before b44182c116778feaa05da52a426aeb9da1878dcf
9d24bb6780282b0255b9929abe5e8f98007e2c6e (git) before 42ed0784d11adebf748711e503af0eb9f1e6d81d
ae2c712ba39c7007de63cb0c75b51ce1caaf1da5 (git) before 251caee792a21eb0b781aab91362b422c945e162
687aa0c5581b8d4aa87fd92973e4ee576b550cdf (git) before a2a4346eea8b4cb75037dbcb20b98cb454324f80
687aa0c5581b8d4aa87fd92973e4ee576b550cdf (git) before f7c877e7535260cc7a21484c994e8ce7e8cb6780
7b73bddf54777fb62d4d8c7729d0affe6df04477 (git)
6.16
Any version before 6.16
5.10.246 (semver)
5.15.196 (semver)
6.1.158 (semver)
6.6.115 (semver)
6.12.56 (semver)
6.17.6 (semver)
6.18 (original_commit_for_fix)
References
git.kernel.org/...c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5
git.kernel.org/...c/09bba278ccde25a14b6e5088a9e65a8717d0cccf
git.kernel.org/...c/b44182c116778feaa05da52a426aeb9da1878dcf
git.kernel.org/...c/42ed0784d11adebf748711e503af0eb9f1e6d81d
git.kernel.org/...c/251caee792a21eb0b781aab91362b422c945e162
git.kernel.org/...c/a2a4346eea8b4cb75037dbcb20b98cb454324f80
git.kernel.org/...c/f7c877e7535260cc7a21484c994e8ce7e8cb6780
