@roxanan1996 roxanan1996 commented Nov 13, 2025

DESCRIPTION

Commit

vsock: Fix transport_* TOCTOU

was cherry picked without its dependency.

vsock: fix lock inversion in vsock_assign_transport()

This will add the dependency to avoid any issues in the future.

NOTES

  1. First commit
vsock: reset socket state when de-assigning the transport

was added to make the second patch diff the same. Otherwise it would
have been 2 separate hunks, even though the changes were the same.
Moreover, this fixes

c0cfa2d8a788 ("vsock: add multi-transports support")

the same commit that the CVE fix addresses. So it's also a bug fix.

  2. The order of the commits is not 100% the same as in mainline;
vsock: reset socket state when de-assigning the transport

should have been before

vsock: Fix transport_* TOCTOU

but it's too late for that. And implementation-wise, it is fine.

  3. I tested the changes and right before creating the merge, I realized the Jira tickets were not correct. Hence the SHA diff.
     I did not test again since I just changed the commit description.

COMMITS

vsock: reset socket state when de-assigning the transport

jira VULN-80684
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <sgarzare@redhat.com>
commit a24009bc9be60242651a21702609381b5092459e

vsock: fix lock inversion in vsock_assign_transport()

jira VULN-80684
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <sgarzare@redhat.com>
commit f7c877e7535260cc7a21484c994e8ce7e8cb6780

TESTING

BUILD

> grep -E -B 5 -A 5 '\[TIMER\]|^Starting Build' /home/rnicolescu/ciq/kernels/lts-9.2/kernel-build-after.log
/home/rnicolescu/ciq/kernels/lts-9.2/kernel-src-tree
Running make mrproper...
  CLEAN   .config
[TIMER]{MRPROPER}: 3s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rnicolescu_ciqlts9_2-f59d382483dc"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
--
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] sound/xen/snd_xen_front.ko
  BTF [M] virt/lib/irqbypass.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
[TIMER]{BUILD}: 1394s
Making Modules
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+/kernel/arch/x86/crypto/camellia-x86_64.ko
--
  STRIP   /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+/kernel/sound/xen/snd_xen_front.ko
  STRIP   /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+/kernel/drivers/hid/hid-petalynx.ko
  SIGN    /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+/kernel/drivers/hid/hid-petalynx.ko
  DEPMOD  /lib/modules/5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+
[TIMER]{MODULES}: 8s
Making Install
sh ./arch/x86/boot/install.sh \
	5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+ arch/x86/boot/bzImage \
	System.map "/boot"
sed: can't read /boot/.vmlinuz-5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+.hmac: No such file or directory
Can't create '/boot/.vmlinuz-0-rescue-a27d562fc3dd42e9b544c772080952e5.hmac' from '/boot/.vmlinuz-5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+.hmac'!
[TIMER]{INSTALL}: 41s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+ and Index to 2
The default is /boot/loader/entries/a27d562fc3dd42e9b544c772080952e5-5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+.conf with index 2 and kernel /boot/vmlinuz-5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+
The default is /boot/loader/entries/a27d562fc3dd42e9b544c772080952e5-5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+.conf with index 2 and kernel /boot/vmlinuz-5.14.0-rnicolescu_ciqlts9_2-f59d382483dc+
Generating grub configuration file ...
Adding boot menu entry for UEFI Firmware Settings ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 3s
[TIMER]{BUILD}: 1394s
[TIMER]{MODULES}: 8s
[TIMER]{INSTALL}: 41s
[TIMER]{TOTAL} 1452s
Rebooting in 10 seconds

kernel-build-after.log
kernel-build-before.log

Kselftests

> /home/rnicolescu/ciq/kernel-tools/kselftest-diff.sh /home/rnicolescu/ciq/kernels/lts-9.2
/home/rnicolescu/ciq/kernels/lts-9.2/kselftest-after.log
307
/home/rnicolescu/ciq/kernels/lts-9.2/kselftest-before.log
306
Before: /home/rnicolescu/ciq/kernels/lts-9.2/kselftest-after.log
After: /home/rnicolescu/ciq/kernels/lts-9.2/kselftest-before.log
Diff:
-ok 6 selftests: timers: inconsistency-check
-ok 7 selftests: timers: raw_skew # SKIP
+ok 7 selftests: timers: raw_skew

kselftest-after.log
kselftest-before.log

Check_kernel_commits including interdiff

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/check_kernel_commits.py --repo /home/rnicolescu/ciq/kernels/lts-9.2/kernel-src-tree --pr_branch {rnicolescu}_ciqlts9_2_fix --base_branch origin/ciqlts9_2
All referenced commits exist upstream and have no Fixes: tags.

jira VULN-80684
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <sgarzare@redhat.com>
commit a24009b

Transport's release() and destruct() are called when de-assigning the
vsock transport. These callbacks can touch some socket state like
sock flags, sk_state, and peer_shutdown.

Since we are reassigning the socket to a new transport during
vsock_connect(), let's reset these fields to have a clean state with
the new transport.

Fixes: c0cfa2d ("vsock: add multi-transports support")
Cc: stable@vger.kernel.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit a24009b)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

jira VULN-80684
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <sgarzare@redhat.com>
commit f7c877e

Syzbot reported a potential lock inversion deadlock between
vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.

The issue was introduced by commit 687aa0c ("vsock: Fix
transport_* TOCTOU") which added vsock_register_mutex locking in
vsock_assign_transport() around the transport->release() call, that can
call vsock_linger(). vsock_assign_transport() can be called with sk_lock
held. vsock_linger() calls sk_wait_event() that temporarily releases and
re-acquires sk_lock. During this window, if another thread holds
vsock_register_mutex while trying to acquire sk_lock, a circular
dependency is created.

Fix this by releasing vsock_register_mutex before calling
transport->release() and vsock_deassign_transport(). This is safe
because we don't need to hold vsock_register_mutex while releasing the
old transport, and we ensure the new transport won't disappear by
obtaining a module reference first via try_module_get().

Reported-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com
Tested-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com
Fixes: 687aa0c ("vsock: Fix transport_* TOCTOU")
Cc: mhal@rbox.co
Cc: stable@vger.kernel.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20251021121718.137668-1-sgarzare@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit f7c877e)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
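The lock inversion that the f7c877e commit message describes, replayed through a small lockdep-style order checker. This is an added example, not kernel code or part of the PR: the lock ids, event encoding and the two traces are constructed here to model the call path (sk_lock held by vsock_connect(), vsock_register_mutex taken in vsock_assign_transport(), sk_lock dropped and re-taken by sk_wait_event() inside vsock_linger()) before and after the mutex is released ahead of transport->release().

```c
/* Added example, not kernel code: a minimal lockdep-style lock-order checker
 * run over a constructed trace of the call path that commit f7c877e describes.
 * Lock ids and event names are assumptions made for this illustration. */
enum { SK_LOCK, REG_MUTEX, NLOCKS };
enum { ACQ, REL };
struct ev { int op, lock; };

/* Replay a trace, recording dep[a][b] = 1 when b is taken while a is held
 * (the edge a -> b). Returns 1 if the order graph has a cycle, i.e. a
 * possible deadlock. With two lock classes any cycle is a 2-cycle, so the
 * pairwise check at the end is complete here. */
int check_trace(const struct ev *t, int n)
{
	int held[NLOCKS] = {0}, dep[NLOCKS][NLOCKS] = {{0}};

	for (int i = 0; i < n; i++) {
		int l = t[i].lock;
		if (t[i].op == REL) { held[l] = 0; continue; }
		for (int h = 0; h < NLOCKS; h++)
			if (held[h]) dep[h][l] = 1;
		held[l] = 1;
	}
	for (int a = 0; a < NLOCKS; a++)
		for (int b = a + 1; b < NLOCKS; b++)
			if (dep[a][b] && dep[b][a]) return 1;
	return 0;
}

/* Before the fix: vsock_connect() holds sk_lock, vsock_assign_transport()
 * takes vsock_register_mutex, then transport->release() -> vsock_linger()
 * -> sk_wait_event() drops and re-takes sk_lock with the mutex still held. */
static const struct ev before[] = {
	{ACQ, SK_LOCK}, {ACQ, REG_MUTEX},           /* records SK -> REG */
	{REL, SK_LOCK}, {ACQ, SK_LOCK},             /* records REG -> SK */
	{REL, REG_MUTEX}, {REL, SK_LOCK},
};
/* After the fix: the mutex is released (after try_module_get() pins the new
 * transport) before release() runs, so lingering re-takes only sk_lock. */
static const struct ev after[] = {
	{ACQ, SK_LOCK}, {ACQ, REG_MUTEX}, {REL, REG_MUTEX},
	{REL, SK_LOCK}, {ACQ, SK_LOCK}, {REL, SK_LOCK},
};

int check_before(void) { return check_trace(before, 6); } /* 1: inversion */
int check_after(void)  { return check_trace(after, 6); }  /* 0: clean */
```

The same replay works for any acquisition log with more lock classes if the pairwise check is replaced by a DFS cycle search over dep.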
@roxanan1996 roxanan1996 requested a review from a team November 13, 2025 12:15
@roxanan1996 roxanan1996 self-assigned this Nov 13, 2025