Wind River Support Network

Acknowledged

LIN1022-16349 : Security Advisory - linux - CVE-2025-38154

Created: Jul 4, 2025    Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Avoid using sk_socket after free when sending

The sk->sk_socket is not locked or referenced in backlog thread, and
during the call to skb_send_sock(), there is a race condition with
the release of sk_socket. All types of sockets (tcp/udp/unix/vsock)
will be affected.

Race conditions:
'''
CPU0                               CPU1

backlog::skb_send_sock
  sendmsg_unlocked
    sock_sendmsg
      sock_sendmsg_nosec
                                   close(fd):
                                     ...
                                     ops->release() -> sock_map_close()
                                     sk_socket->ops = NULL
                                     free(socket)
      sock->ops->sendmsg
            ^
            panic here
'''

The ref of psock becomes 0 after sock_map_close() executed.
'''
void sock_map_close()
{
    ...
    if (likely(psock)) {
    ...
    // !! here we remove psock and the ref of psock becomes 0
    sock_map_remove_links(sk, psock)
    psock = sk_psock_get(sk);
    if (unlikely(!psock))
        goto no_psock; <=== Control jumps here via goto
        ...
        cancel_delayed_work_sync(&psock->work); <=== not executed
        sk_psock_put(sk, psock);
        ...
}
'''

Based on the fact that we already wait for the workqueue to finish in
sock_map_close() if psock is held, we simply increase the psock
reference count to avoid race conditions.

With this patch, if the backlog thread is running, sock_map_close() will
wait for the backlog thread to complete and cancel all pending work.

If no backlog is running, any pending work that hasn't started by then will
fail when invoked by sk_psock_get(), as the psock reference count has
been zeroed, and sk_psock_drop() will cancel all jobs via
cancel_delayed_work_sync().

In summary, we require synchronization to coordinate the backlog thread
and close() thread.

The panic I caught:
'''
Workqueue: events sk_psock_backlog
RIP: 0010:sock_sendmsg+0x21d/0x440
RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
...
Call Trace:
 <TASK>
 ? die_addr+0x40/0xa0
 ? exc_general_protection+0x14c/0x230
 ? asm_exc_general_protection+0x26/0x30
 ? sock_sendmsg+0x21d/0x440
 ? sock_sendmsg+0x3e0/0x440
 ? __pfx_sock_sendmsg+0x10/0x10
 __skb_send_sock+0x543/0xb70
 sk_psock_backlog+0x247/0xb80
...
'''
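The interleaving from the diagram above, replayed as a small user-space model (added here for illustration; it is not kernel code and not part of the upstream fix). It steps CPU0 and CPU1 through the race in the order shown and reports whether the backlog's sendmsg touched a socket that close() had already released; the reference-count handling is the constructed equivalent of sk_psock_get()/sk_psock_put() and the wait in sock_map_close().

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the advisory's race.  Names mirror the kernel
 * functions for readability only. */
struct psock  { int refcnt; };
struct socket { const char *ops; bool freed; };

/* refcount_inc_not_zero semantics: fails once the count has hit 0 */
static bool sk_psock_get(struct psock *p)
{
    if (p->refcnt == 0)
        return false;
    p->refcnt++;
    return true;
}
static void sk_psock_put(struct psock *p) { p->refcnt--; }

/* Replays the diagram: CPU0 enters skb_send_sock, CPU1 runs close(),
 * CPU0 then dereferences sock->ops.  Returns 1 if that dereference
 * hit a released socket (the GP fault in the trace), else 0. */
int simulate(bool patched)
{
    struct psock  psock = { .refcnt = 1 };          /* held by the sockmap */
    struct socket sock  = { .ops = "sendmsg", .freed = false };
    bool close_deferred = false;
    int uaf = 0;

    /* CPU0: backlog starts sending; the fix pins psock first */
    if (patched && !sk_psock_get(&psock))
        return 0;                 /* psock already dropped: work is skipped */

    /* CPU1: close(fd) -> sock_map_close() */
    sk_psock_put(&psock);         /* sock_map_remove_links(): map ref gone */
    if (sk_psock_get(&psock)) {   /* backlog still holds a ref: must wait */
        sk_psock_put(&psock);
        close_deferred = true;    /* cancel_delayed_work_sync() blocks here */
    } else {
        sock.ops = NULL;          /* ops->release(): socket freed right now */
        sock.freed = true;
    }

    /* CPU0: sock_sendmsg_nosec -> sock->ops->sendmsg */
    if (sock.freed || sock.ops == NULL)
        uaf = 1;
    if (patched)
        sk_psock_put(&psock);     /* backlog done, release its ref */

    /* CPU1 resumes only after the worker has finished */
    if (close_deferred) { sock.ops = NULL; sock.freed = true; }
    return uaf;
}
```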

CREATE(Triage):(User=lchen-cn) CVE-2025-38154 (https://nvd.nist.gov/vuln/detail/CVE-2025-38154)