From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Impish,Hirsute,OEM-5.10,Focal,Bionic 0/2] CVE-2021-4083
Date: Fri, 21 Jan 2022 11:26:13 -0300
Message-Id: <20220121142616.163592-1-cascardo@canonical.com>
X-Patchwork-Id: 1582601

[Impact]
A race condition during unix socket garbage collection may lead to a potential use-after-free for a struct file.

[Backport]
On 4.15 kernel, an additional commit was necessary. On 5.4 and 5.10 kernels, __fcheck_files was used instead, as it was renamed to files_lookup_fd_raw. This solution was also used on upstream stable backports.

[Test case]
There is no specific test case for this, but a stress on the unix garbage collection was tested.

[Potential regression]
These fixes impact every use of file descriptors, not only restricted to unix sockets. Some impact on workloads with races on creating and closing file descriptors is expected.

Jens Axboe (1):
  fs: add fget_many() and fput_many()

Linus Torvalds (1):
  fget: check that the fd still exists after getting a ref to it

 fs/file.c            | 19 ++++++++++++++-----
 fs/file_table.c      |  9 +++++++--
 include/linux/file.h |  2 ++
 include/linux/fs.h   |  4 +++-
 4 files changed, 26 insertions(+), 8 deletions(-)

Acked-by: Krzysztof Kozlowski
Acked-by: Tim Gardner
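
The re-check named in the second patch's title ("check that the fd still exists after getting a ref to it"), shown as an added single-threaded userspace model; it is not the kernel patch and not code from this series. All names (file_model, fd_table, lookup_unchecked, lookup_checked, race_window_hook, run_race) are hypothetical, and a hook replays a concurrent close deterministically instead of using real threads.

```c
#include <stddef.h>
/* Userspace model: every name here is hypothetical, not kernel API. */
struct file_model { long refcnt; };
static struct file_model *fd_table[4];
static struct file_model sample;          /* constructed sample object */
static void (*race_window_hook)(void);    /* replays a concurrent close() */

static int get_ref_unless_zero(struct file_model *f) {
    if (f->refcnt == 0) return 0;
    f->refcnt++;
    return 1;
}
static void put_ref(struct file_model *f) { f->refcnt--; }
static void race_window(void) {           /* one-shot, between read and ref */
    void (*hook)(void) = race_window_hook;
    race_window_hook = NULL;
    if (hook) hook();
}

/* Before: trusts the pointer read from the slot once a ref is taken. */
struct file_model *lookup_unchecked(unsigned fd) {
    struct file_model *f = fd_table[fd];
    if (!f) return NULL;
    race_window();
    return get_ref_unless_zero(f) ? f : NULL;
}

/* After: re-reads the slot once the ref is held; on mismatch, drop and retry. */
struct file_model *lookup_checked(unsigned fd) {
    for (;;) {
        struct file_model *f = fd_table[fd];
        if (!f) return NULL;
        race_window();
        if (!get_ref_unless_zero(f)) return NULL;  /* model: already dying */
        if (fd_table[fd] == f) return f;           /* fd still exists */
        put_ref(f);                                /* fd went away: undo */
    }
}

/* The closer drops the table's reference; one other holder remains. */
static void close_fd1(void) { fd_table[1] = NULL; put_ref(&sample); }
/* Returns 1 if a file was handed out for an fd that had been closed. */
int run_race(int use_check, long *refs_after) {
    sample.refcnt = 2; fd_table[1] = &sample; race_window_hook = close_fd1;
    struct file_model *f = use_check ? lookup_checked(1) : lookup_unchecked(1);
    *refs_after = sample.refcnt;
    return f != NULL;
}
int main(void) { long refs; return run_race(1, &refs); } /* 0: closed fd refused */
```

The retry costs an extra slot read on every lookup, which matches the cover letter's note that the fix touches every use of file descriptors, not only unix sockets.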