[SRU][J/N/O][PATCH 0/2] CVE-2025-21756

Tim Whisonant tim.whisonant at canonical.com
Wed Mar 5 22:03:29 UTC 2025


[Impact]

vsock: Keep the binding until socket destruction

Preserve socket bindings; this includes both those resulting from an explicit
bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:

    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
    2. transport->release() calls vsock_remove_bound() without checking if
       sk was bound and moved to bound list (refcnt=1)
    3. vsock_bind() assumes sk is in unbound list and before
       __vsock_insert_bound(vsock_bound_sockets()) calls
       __vsock_remove_bound() which does:
           list_del_init(&vsk->bound_table); // nop
           sock_put(&vsk->sk);               // refcnt=0

vsock: Orphan socket after transport release

During socket release, sock_orphan() is called without considering that it
sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
null pointer dereference in virtio_transport_wait_close().

Orphan the socket only after transport release.

Partially reverts the 'Fixes:' commit.
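The refcount sequence in the first commit message above, replayed in a
userspace model. This is an added example, not kernel code and not part of
this patch series: the struct, the boolean standing in for list membership,
the "dead" flag and the function names are assumptions chosen to mirror the
steps listed under [Impact]. Both the unbound and the bound lists hang off the
same bound_table node, which is why an unconditional remove during transport
reassignment drops a reference the socket still needs.

```c
/* Userspace model of vsock bound/unbound list refcounting (added example). */
#include <stdbool.h>
#include <stdio.h>

struct vsk {
	int refcnt;     /* models sk->sk_refcnt */
	bool on_table;  /* models !list_empty(&vsk->bound_table) */
	bool dead;      /* models "socket is being destroyed" (assumed flag) */
};

static void sock_hold(struct vsk *v) { v->refcnt++; }

/* Returns true when the last reference is dropped, i.e. the object would be
 * freed; any later use of v is then a use-after-free. */
static bool sock_put(struct vsk *v) { return --v->refcnt == 0; }

/* __vsock_insert_bound(): list_add + sock_hold */
static void insert_table(struct vsk *v) { v->on_table = true; sock_hold(v); }

/* __vsock_remove_bound(): list_del_init (a nop if already unlinked) + sock_put,
 * unconditionally, exactly as step 3 of [Impact] describes. */
static bool remove_table(struct vsk *v) { v->on_table = false; return sock_put(v); }

/* vsock_create() (refcnt=1) followed by vsock_insert_unbound() (refcnt=2) */
static struct vsk vsock_create(void)
{
	struct vsk v = { .refcnt = 1, .on_table = false, .dead = false };
	insert_table(&v);
	return v;
}

/* transport->release() -> vsock_remove_sock(). Buggy variant: unbind whenever
 * the socket is on a list. Fixed variant (per the patch title): keep the
 * binding until the socket is actually being destroyed. */
static bool transport_release(struct vsk *v, bool keep_binding_until_death)
{
	if (keep_binding_until_death && !v->dead)
		return false;
	if (v->on_table)
		return remove_table(v);
	return false;
}

/* vsock_bind(): assumes sk is still on the unbound list, so it removes it
 * (dropping a reference) and re-inserts it on the bound list. */
static bool vsock_bind(struct vsk *v)
{
	if (remove_table(v))
		return true;  /* refcnt hit 0 while the caller still holds sk */
	insert_table(v);
	return false;
}

/* Steps 1-3 of [Impact]: create, transport reassignment, bind.
 * Returns the refcount afterwards, or -1 if the socket was freed early. */
int run_sequence(bool fixed)
{
	struct vsk v = vsock_create();
	if (transport_release(&v, fixed))
		return -1;
	if (vsock_bind(&v))
		return -1;
	return v.refcnt;
}

/* Full lifecycle with the fix: the binding is removed once, during release,
 * and the owner's final sock_put() frees the socket exactly once. */
int run_lifecycle(bool fixed)
{
	struct vsk v = vsock_create();
	if (transport_release(&v, fixed))
		return -1;
	if (vsock_bind(&v))
		return -1;
	v.dead = true;                 /* __vsock_release() begins */
	if (transport_release(&v, fixed))
		return -1;             /* unbind: refcnt 2 -> 1 */
	sock_put(&v);                  /* owner's reference: 1 -> 0 */
	return v.refcnt;
}

int main(void)
{
	printf("buggy sequence: %d (-1 = freed during bind, UAF)\n", run_sequence(false));
	printf("fixed sequence: %d\n", run_sequence(true));
	printf("fixed lifecycle: %d (0 = freed once, at destruction)\n", run_lifecycle(true));
	return 0;
}
```

With the unconditional unbind, the reassignment release drops the list
reference (2 -> 1) and vsock_bind() drops it again (1 -> 0) while still using
the socket; with the binding kept until destruction, bind sees the expected
refcount and the only removal happens in the release path.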

[Backport]

Backported from upstream.

[Fix]

Oracular: cherry picked from upstream
Noble:    applied Jammy patch
Jammy:    backported from upstream
Focal:    not affected
Bionic:   not affected
Xenial:   not affected
Trusty:   not affected

[Test Plan]

Compile and boot tested.

[Where problems could occur]

The first patch changes when a socket is removed from the bound/unbound
lists (only at socket destruction, no longer on every transport release),
and the second reorders sock_orphan() against transport->release() to
correct a NULL pointer dereference. Regressions would appear in the vsock
socket release, bind and transport reassignment paths.

Michal Luczaj (2):
  vsock: Keep the binding until socket destruction
  vsock: Orphan socket after transport release

 net/vmw_vsock/af_vsock.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

-- 
2.43.0