mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
1,068,048 Commits 103 Branches 5,007 Tags 5.4 GiB
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%
Go to file
Michal Luczaj e76c267822 af_unix: Fix garbage collector racing against connect() 
[ Upstream commit 47d8ac011f ]

Garbage collector does not take into account the risk of embryo getting
enqueued during the garbage collection. If such embryo has a peer that
carries SCM_RIGHTS, two consecutive passes of scan_children() may see a
different set of children. Leading to an incorrectly elevated inflight
count, and then a dangling pointer within the gc_inflight_list.

sockets are AF_UNIX/SOCK_STREAM
S is an unconnected socket
L is a listening in-flight socket bound to addr, not in fdtable
V's fd will be passed via sendmsg(), gets inflight count bumped

connect(S, addr)	sendmsg(S, [V]); close(V)	__unix_gc()
----------------	-------------------------	-----------

NS = unix_create1()
skb1 = sock_wmalloc(NS)
L = unix_find_other(addr)
unix_state_lock(L)
unix_peer(S) = NS
			// V count=1 inflight=0

 			NS = unix_peer(S)
 			skb2 = sock_alloc()
			skb_queue_tail(NS, skb2[V])

			// V became in-flight
			// V count=2 inflight=1

			close(V)

			// V count=1 inflight=1
			// GC candidate condition met

						for u in gc_inflight_list:
						  if (total_refs == inflight_refs)
						    add u to gc_candidates

						// gc_candidates={L, V}

						for u in gc_candidates:
						  scan_children(u, dec_inflight)

						// embryo (skb1) was not
						// reachable from L yet, so V's
						// inflight remains unchanged
__skb_queue_tail(L, skb1)
unix_state_unlock(L)
						for u in gc_candidates:
						  if (u.inflight)
						    scan_children(u, inc_inflight_move_tail)

						// V count=1 inflight=2 (!)

If there is a GC-candidate listening socket, lock/unlock its state. This
makes GC wait until the end of any ongoing connect() to that socket. After
flipping the lock, a possibly SCM-laden embryo is already enqueued. And if
there is another embryo coming, it can not possibly carry SCM_RIGHTS. At
this point, unix_inflight() can not happen because unix_gc_lock is already
taken. Inflight graph remains unaffected.

Fixes: 1fd05ba5a2 ("[AF_UNIX]: Rewrite garbage collector, fixes race.")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20240409201047.1032217-1-mhal@rbox.co
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-04-17 11:15:15 +02:00
Documentation x86/bhi: Mitigate KVM by default 2024-04-10 16:19:44 +02:00
LICENSES
arch arm64: dts: imx8-ss-conn: fix usdhc wrong lpcg clock order 2024-04-17 11:15:13 +02:00
block block: prevent division by zero in blk_rq_stat_sum() 2024-04-13 13:01:45 +02:00
certs
crypto exit: Rename module_put_and_exit to module_put_and_kthread_exit 2024-04-10 16:18:55 +02:00
drivers net: dsa: mt7530: trap link-local frames regardless of ST Port State 2024-04-17 11:15:15 +02:00
fs ext4: forbid commit inconsistent quota data when errors=remount-ro 2024-04-13 13:01:45 +02:00
include af_unix: Do not use atomic ops for unix_sk(sk)->inflight. 2024-04-17 11:15:15 +02:00
init init: open /initrd.image with O_LARGEFILE 2024-04-10 16:19:31 +02:00
io_uring io_uring: ensure '0' is returned on file registration success 2024-04-10 16:19:37 +02:00
ipc
kernel ring-buffer: Only update pages_touched when a new page is touched 2024-04-17 11:15:13 +02:00
lib arch: Introduce CONFIG_FUNCTION_ALIGNMENT 2024-04-10 16:18:49 +02:00
mm x86/mm/pat: fix VM_PAT handling in COW mappings 2024-04-13 13:01:47 +02:00
net af_unix: Fix garbage collector racing against connect() 2024-04-17 11:15:15 +02:00
samples samples/hw_breakpoint: fix building without module unloading 2023-09-23 11:10:01 +02:00
scripts gcc-plugins/stackleak: Avoid .head.text section 2024-04-13 13:01:47 +02:00
security landlock: Warn once if a Landlock action is requested while disabled 2024-04-10 16:18:39 +02:00
sound ASoC: soc-core.c: Skip dummy codec when adding platforms 2024-04-13 13:01:46 +02:00
tools tools: iio: replace seekdir() in iio_generic_buffer 2024-04-13 13:01:46 +02:00
usr
virt KVM: Always flush async #PF workqueue when vCPU is being destroyed 2024-04-10 16:18:34 +02:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS trace: Relocate event helper files 2024-04-10 16:19:24 +02:00
Makefile Linux 5.15.155 2024-04-13 13:01:48 +02:00
README

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.