linux-stable

Go to file

Michal Luczaj b75722be42 af_unix: Fix garbage collector racing against connect() [ Upstream commit `47d8ac011f` ] Garbage collector does not take into account the risk of embryo getting enqueued during the garbage collection. If such embryo has a peer that carries SCM_RIGHTS, two consecutive passes of scan_children() may see a different set of children. Leading to an incorrectly elevated inflight count, and then a dangling pointer within the gc_inflight_list. sockets are AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listening in-flight socket bound to addr, not in fdtable V's fd will be passed via sendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]); close(V) __unix_gc() ---------------- ------------------------- ----------- NS = unix_create1() skb1 = sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L) unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 = sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // V count=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidate condition met for u in gc_inflight_list: if (total_refs == inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u in gc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not // reachable from L yet, so V's // inflight remains unchanged __skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates: if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1 inflight=2 (!) If there is a GC-candidate listening socket, lock/unlock its state. This makes GC wait until the end of any ongoing connect() to that socket. After flipping the lock, a possibly SCM-laden embryo is already enqueued. And if there is another embryo coming, it can not possibly carry SCM_RIGHTS. At this point, unix_inflight() can not happen because unix_gc_lock is already taken. Inflight graph remains unaffected. Fixes: `1fd05ba5a2` ("[AF_UNIX]: Rewrite garbage collector, fixes race.") Signed-off-by: Michal Luczaj <mhal@rbox.co> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://lore.kernel.org/r/20240409201047.1032217-1-mhal@rbox.co Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>		2024-04-17 11:18:25 +02:00
Documentation	x86/bhi: Mitigate KVM by default	2024-04-10 16:28:35 +02:00
LICENSES	LICENSES/LGPL-2.1: Add LGPL-2.1-or-later as valid identifiers	2021-12-16 14:33:10 +01:00
arch	arm64: dts: imx8-ss-conn: fix usdhc wrong lpcg clock order	2024-04-17 11:18:23 +02:00
block	block: prevent division by zero in blk_rq_stat_sum()	2024-04-13 13:05:12 +02:00
certs	certs: Fix build error when PKCS#11 URI contains semicolon	2023-02-09 11:28:11 +01:00
crypto	crypto: jitter - fix CRYPTO_JITTERENTROPY help text	2024-03-26 18:20:50 -04:00
drivers	net: dsa: mt7530: trap link-local frames regardless of ST Port State	2024-04-17 11:18:25 +02:00
fs	smb3: fix Open files on server counter going negative	2024-04-17 11:18:22 +02:00
include	af_unix: Do not use atomic ops for unix_sk(sk)->inflight.	2024-04-17 11:18:25 +02:00
init	init: open /initrd.image with O_LARGEFILE	2024-04-03 15:19:47 +02:00
io_uring	io_uring: clear opcode specific data for an early failure	2024-04-13 13:05:20 +02:00
ipc	ipc: fix memory leak in init_mqueue_fs()	2022-12-31 13:32:01 +01:00
kernel	PM: s2idle: Make sure CPUs will wakeup directly on resume	2024-04-17 11:18:22 +02:00
lib	pci_iounmap(): Fix MMIO mapping leak	2024-04-03 15:19:25 +02:00
mm	x86/mm/pat: fix VM_PAT handling in COW mappings	2024-04-10 16:28:33 +02:00
net	af_unix: Fix garbage collector racing against connect()	2024-04-17 11:18:25 +02:00
rust	rust: allocator: Prevent mis-aligned allocation	2023-08-11 12:08:18 +02:00
samples	work around gcc bugs with 'asm goto' with outputs	2024-02-23 09:12:28 +01:00
scripts	gcc-plugins/stackleak: Avoid .head.text section	2024-04-13 13:05:23 +02:00
security	landlock: Warn once if a Landlock action is requested while disabled	2024-04-03 15:19:32 +02:00
sound	ASoC: soc-core.c: Skip dummy codec when adding platforms	2024-04-13 13:05:19 +02:00
tools	tools: iio: replace seekdir() in iio_generic_buffer	2024-04-13 13:05:16 +02:00
usr	usr/gen_init_cpio.c: remove unnecessary -1 values from int file	2022-10-03 14:21:44 -07:00
virt	KVM: Always flush async #PF workqueue when vCPU is being destroyed	2024-04-03 15:19:25 +02:00
.clang-format	inet: ping: use hlist_nulls rcu iterator during lookup	2022-12-01 12:42:46 +01:00
.cocciconfig	…
.get_maintainer.ignore	get_maintainer: add Alan to .get_maintainer.ignore	2022-08-20 15:17:44 -07:00
.gitattributes	…
.gitignore	Kbuild: add Rust support	2022-09-28 09:02:20 +02:00
.mailmap	9 hotfixes. 6 for MM, 3 for other areas. Four of these patches address	2022-12-10 17:10:52 -08:00
.rustfmt.toml	rust: add `.rustfmt.toml`	2022-09-28 09:02:20 +02:00
COPYING	…
CREDITS	MAINTAINERS: Remove Michal Marek from Kbuild maintainers	2022-11-16 14:53:00 +09:00
Kbuild	Kbuild updates for v6.1	2022-10-10 12:00:45 -07:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	trace: Relocate event helper files	2024-03-06 14:45:17 +00:00
Makefile	Linux 6.1.86	2024-04-13 13:05:29 +02:00
README	…

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.