Commit 942cf9e3 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Liu Jian
Browse files

io_uring/af_unix: disable sending io_uring over sockets 

stable inclusion
from stable-v5.10.204
commit 3fe1ea5f921bf5b71cbfdc4469fb96c05936610e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8RWPE
CVE: CVE-2023-6531

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3fe1ea5f921bf5b71cbfdc4469fb96c05936610e



---------------------------

commit 705318a99a138c29a512a72c3e0043b3cd7f55f4 upstream.

File reference cycles have caused lots of problems for io_uring
in the past, and it still doesn't work exactly right and races with
unix_stream_read_generic(). The safest fix would be to completely
disallow sending io_uring files via sockets via SCM_RIGHT, so there
are no possible cycles invloving registered files and thus rendering
SCM accounting on the io_uring side unnecessary.

Cc:  <stable@vger.kernel.org>
Fixes: 0091bfc8 ("io_uring/af_unix: defer registered files gc to io_uring release")
Reported-and-suggested-by: default avatarJann Horn <jannh@google.com>
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/c716c88321939156909cfa1bd8b0faaf1c804103.1701868795.git.asml.silence@gmail.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>

[cherry-pick the cve bugfix from 5.10-stable]
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>

Conflicts:
	io_uring/io_uring.c
	net/core/scm.c
parent ef298231
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment