Message ID | 20220121142616.163592-1-cascardo@canonical.com |
---|---|
Headers | show |
Series | CVE-2021-4083 | expand |
On 21/01/2022 15:26, Thadeu Lima de Souza Cascardo wrote: > [Impact] > A race condition during unix socket garbage collection may lead to a potential > use-after-free for a struct file. > > [Backport] > On 4.15 kernel, an additional commit was necessary. On 5.4 and 5.10 kernels, > __fcheck_files was used instead, as it was renamed to files_lookup_fd_raw. > > This solution was also used on upstream stable backports. > > [Test case] > There is no specific test case for this, but a stress on the unix garbage > collection was tested. > > [Potential regression] > These fixes impact every use of file descriptors, not only restricted to > unix sockets. Some impact on workloads with races on creating and closing > file descriptors is expected. > > Jens Axboe (1): > fs: add fget_many() and fput_many() > > Linus Torvalds (1): > fget: check that the fd still exists after getting a ref to it > Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Best regards, Krzysztof
Acked-by: Tim Gardner <tim.gardner@canonical.com> On 1/21/22 7:26 AM, Thadeu Lima de Souza Cascardo wrote: > [Impact] > A race condition during unix socket garbage collection may lead to a potential > use-after-free for a struct file. > > [Backport] > On 4.15 kernel, an additional commit was necessary. On 5.4 and 5.10 kernels, > __fcheck_files was used instead, as it was renamed to files_lookup_fd_raw. > > This solution was also used on upstream stable backports. > > [Test case] > There is no specific test case for this, but a stress on the unix garbage > collection was tested. > > [Potential regression] > These fixes impact every use of file descriptors, not only restricted to > unix sockets. Some impact on workloads with races on creating and closing > file descriptors is expected. > > Jens Axboe (1): > fs: add fget_many() and fput_many() > > Linus Torvalds (1): > fget: check that the fd still exists after getting a ref to it > > fs/file.c | 19 ++++++++++++++----- > fs/file_table.c | 9 +++++++-- > include/linux/file.h | 2 ++ > include/linux/fs.h | 4 +++- > 4 files changed, 26 insertions(+), 8 deletions(-) >