vsock: reset socket state when de-assigning the transport

jira VULN-80682
jira VULN-80681
cve-bf CVE-2025-38461
commit-author Stefano Garzarella <sgarzare@redhat.com>
commit a24009b

Transport's release() and destruct() are called when de-assigning the
vsock transport. These callbacks can touch some socket state like
sock flags, sk_state, and peer_shutdown.

Since we are reassigning the socket to a new transport during
vsock_connect(), let's reset these fields to have a clean state with
the new transport.

Fixes: c0cfa2d ("vsock: add multi-transports support")
	Cc: stable@vger.kernel.org
	Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
	Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit a24009b)
	Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>

Author: roxanan1996

net/vmw_vsock/af_vsock.c

@@ -491,6 +491,15 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
 		 */
 		vsk->transport->release(vsk);
 		vsock_deassign_transport(vsk);
+
+		/* transport's release() and destruct() can touch some socket
+		 * state, since we are reassigning the socket to a new transport
+		 * during vsock_connect(), let's reset these fields to have a
+		 * clean state.
+		 */
+		sock_reset_flag(sk, SOCK_DONE);
+		sk->sk_state = TCP_CLOSE;
+		vsk->peer_shutdown = 0;
 	}
 
 	/* We increase the module refcnt to prevent the transport unloading