Unverified Commit 38e239fd authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!6807 CVE-2024-26923

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/K447VS4W3BJ3KSKPTRXGFIDDIPZ7DVTJ/ 
CVE-2024-26923

Kuniyuki Iwashima (1):
  af_unix: Suppress false-positive lockdep splat for spin_lock() in
    __unix_gc().

Michal Luczaj (1):
  af_unix: Fix garbage collector racing against connect()


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9JFG0 
 
Link:https://gitee.com/openeuler/kernel/pulls/6807

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Liu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
parents 72b58d4a 88c161a5
+3 −0
@@ -72,6 +72,9 @@ enum unix_socket_lock_class {
	U_LOCK_NORMAL,
	U_LOCK_SECOND,	/* for double locking, see unix_state_double_lock(). */
	U_LOCK_DIAG, /* used while dumping icons, see sk_diag_dump_icons(). */
	U_LOCK_GC_LISTENER, /* used for listening socket while determining gc
			     * candidates to close a small race window.
			     */
};

static inline void unix_state_lock_nested(struct sock *sk,
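Review bot: The comment on `U_LOCK_GC_LISTENER` does not name the code that takes the lock with this subclass, although the two entries above it each end with a "see ...()" pointer. Assuming the three added lines are this enumerator (the page has lost its +/- markers), I would word it `/* used for the listening socket while determining gc candidates, see unix_gc(). */` so a reader of the header can find the race it refers to. The enum name suggests these values are lock-class annotations rather than different locks, and the comment could say so. The `unix_state_lock_nested()` declaration that follows is cut off by the hunk.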
+17 −1
@@ -239,12 +239,23 @@ void unix_gc(void)
	 * receive queues.  Other, non candidate sockets _can_ be
	 * added to queue, so we must make sure only to touch
	 * candidates.
	 *
	 * Embryos, though never candidates themselves, affect which
	 * candidates are reachable by the garbage collector.  Before
	 * being added to a listener's queue, an embryo may already
	 * receive data carrying SCM_RIGHTS, potentially making the
	 * passed socket a candidate that is not yet reachable by the
	 * collector.  It becomes reachable once the embryo is
	 * enqueued.  Therefore, we must ensure that no SCM-laden
	 * embryo appears in a (candidate) listener's queue between
	 * consecutive scan_children() calls.
	 */
	list_for_each_entry_safe(u, next, &gc_inflight_list, link) {
		struct sock *sk = &u->sk;
		long total_refs;
		long inflight_refs;

		total_refs = file_count(u->sk.sk_socket->file);
		total_refs = file_count(sk->sk_socket->file);
		inflight_refs = atomic_long_read(&u->inflight);

		BUG_ON(inflight_refs < 1);
@@ -253,6 +264,11 @@ void unix_gc(void)
			list_move_tail(&u->link, &gc_candidates);
			__set_bit(UNIX_GC_CANDIDATE, &u->gc_flags);
			__set_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags);

			if (sk->sk_state == TCP_LISTEN) {
				unix_state_lock_nested(sk, U_LOCK_GC_LISTENER);
				unix_state_unlock(sk);
			}
		}
	}
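Review bot: The `unix_state_lock_nested()` / `unix_state_unlock()` pair in the second hunk has an empty critical section and nothing beside it says this is deliberate, so it reads like dead code that a later cleanup could remove. The block comment in the first hunk states the invariant (no SCM-laden embryo may appear in a candidate listener's queue between scans) but not the mechanism, so I would add above the `if`: `/* Empty critical section on purpose: wait for a connect() that may hold the listener's lock while it queues an embryo. */`. Separately, `sk->sk_state` is read here before the state lock is taken; if listen() can change it concurrently, `READ_ONCE(sk->sk_state)` would mark the lockless read, which is worth confirming against the rest of the file. unix_gc() starts and ends outside both hunks.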