)]}'
{
  "commit": "841ca536d4e2f61710ff31ad0e9a7a22e8311f1f",
  "tree": "ec68e8b942751278ae5d9c104f0fd13553a54a41",
  "parents": [
    "5a3d21014c9d58a10207becdedea031abf4c6cef"
  ],
  "author": {
    "name": "Michal Luczaj",
    "email": "mhal@rbox.co",
    "time": "Tue Apr 09 22:09:39 2024 +0200"
  },
  "committer": {
    "name": "Oleksandr Tymoshenko",
    "email": "ovt@google.com",
    "time": "Sat Apr 27 00:56:34 2024 +0000"
  },
  "message": "af_unix: Fix garbage collector racing against connect()\n\n[ Upstream commit 47d8ac011fe1c9251070e1bd64cb10b48193ec51 ]\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV\u0027s fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS \u003d unix_create1()\nskb1 \u003d sock_wmalloc(NS)\nL \u003d unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) \u003d NS\n\t\t\t// V count\u003d1 inflight\u003d0\n\n \t\t\tNS \u003d unix_peer(S)\n \t\t\tskb2 \u003d sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count\u003d2 inflight\u003d1\n\n\t\t\tclose(V)\n\n\t\t\t// V count\u003d1 inflight\u003d1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t  if (total_refs \u003d\u003d inflight_refs)\n\t\t\t\t\t\t    add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates\u003d{L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V\u0027s\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t  if (u.inflight)\n\t\t\t\t\t\t    scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count\u003d1 inflight\u003d2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.\n\nBUG\u003db/336269491\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dNone\n\ncos-patch: security-high\nFixes: 1fd05ba5a2f2 (\"[AF_UNIX]: Rewrite garbage collector, fixes race.\")\nChange-Id: Ic4e0839fdc2000245f36c49315e4dba917a3a312\nSigned-off-by: Michal Luczaj \u003cmhal@rbox.co\u003e\nReviewed-by: Kuniyuki Iwashima \u003ckuniyu@amazon.com\u003e\nLink: https://lore.kernel.org/r/20240409201047.1032217-1-mhal@rbox.co\nSigned-off-by: Paolo Abeni \u003cpabeni@redhat.com\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/70595\nReviewed-by: Arnav Kansal \u003crnv@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "7b326582d97da912b9e539488e3cd6939544234b",
      "old_mode": 33188,
      "old_path": "net/unix/garbage.c",
      "new_id": "85c6f05c0fa3c4cf266aa71e6c8c701803a3a6de",
      "new_mode": 33188,
      "new_path": "net/unix/garbage.c"
    }
  ]
}
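The commit message above describes the kernel-side state (embryo NS, in-flight V) in terms of socket internals. The following user-space program, added here as an example and not code from the commit, the kernel tree or the author, builds exactly that topology from the outside so the two ingredients of the race can be seen: connect() against a listener that is never accept()ed creates an embryo, and sendmsg() with SCM_RIGHTS on the connecting socket parks V's only remaining reference on that embryo after close(V). It does not attempt to race the garbage collector; it only shows why V stays alive (and why the GC must count in-flight references) until someone accept()s NS. The helper names (send_fd, recv_fd, make_listener, run_scenario) and the socket path /tmp/embryo-demo-<pid>.sock are assumptions of this example; a filesystem path is used instead of the commit's "addr" because abstract names are Linux-only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Queue one fd as SCM_RIGHTS on an AF_UNIX stream socket. While the skb sits
 * in a queue, the kernel counts the passed socket as "in-flight". */
static int send_fd(int sock, int fd)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = {0};
    struct cmsghdr *cm;

    memset(&u, 0, sizeof(u));
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof(u.buf);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one SCM_RIGHTS fd; returns the new descriptor or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = {0};
    struct cmsghdr *cm;
    int fd = -1;

    memset(&u, 0, sizeof(u));
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = u.buf;   msg.msg_controllen = sizeof(u.buf);
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) {
            memcpy(&fd, CMSG_DATA(cm), sizeof(int));
            break;
        }
    return fd;
}

/* L in the commit's notation: a listening socket bound to a fresh path (assumed name). */
static int make_listener(struct sockaddr_un *sa)
{
    int l = socket(AF_UNIX, SOCK_STREAM, 0);
    if (l < 0) return -1;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    snprintf(sa->sun_path, sizeof(sa->sun_path), "/tmp/embryo-demo-%ld.sock", (long)getpid());
    unlink(sa->sun_path);
    if (bind(l, (struct sockaddr *)sa, sizeof(*sa)) < 0 || listen(l, 1) < 0) {
        close(l);
        return -1;
    }
    return l;
}

/* Returns 1 if V, passed through the embryo's queue and then closed by the
 * sender, is still usable once the embryo is accept()ed; 0 on any failure. */
int run_scenario(void)
{
    struct sockaddr_un sa;
    int vpair[2] = {-1, -1}, L = -1, S = -1, NS = -1, Vrecv = -1, ok = 0;
    char buf[2] = {0};

    /* V: an ordinary connected AF_UNIX socket whose fd will be passed around. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, vpair) < 0) return 0;
    if ((L = make_listener(&sa)) < 0) goto out;

    /* connect() without accept(): the embryo NS now sits in L's accept queue. */
    S = socket(AF_UNIX, SOCK_STREAM, 0);
    if (S < 0 || connect(S, (struct sockaddr *)&sa, sizeof(sa)) < 0) goto out;

    /* sendmsg(S, [V]); close(V): V's last reference is the skb queued on NS,
     * i.e. V is in-flight and reachable only through L's accept queue
     * (count=1, inflight=1 in the commit's terms). */
    if (send_fd(S, vpair[0]) < 0) goto out;
    close(vpair[0]); vpair[0] = -1;

    /* accept() materialises NS as an fd and hands V back via SCM_RIGHTS;
     * traffic written on V's peer is still readable, so V was never freed. */
    if ((NS = accept(L, NULL, NULL)) < 0) goto out;
    if ((Vrecv = recv_fd(NS)) < 0) goto out;
    if (write(vpair[1], "ok", 2) == 2 && read(Vrecv, buf, 2) == 2)
        ok = (memcmp(buf, "ok", 2) == 0);
out:
    if (Vrecv >= 0) close(Vrecv);
    if (NS >= 0) close(NS);
    if (S >= 0) close(S);
    if (L >= 0) { close(L); unlink(sa.sun_path); }
    if (vpair[0] >= 0) close(vpair[0]);
    if (vpair[1] >= 0) close(vpair[1]);
    return ok;
}

int main(void)
{
    int alive = run_scenario();
    printf("fd passed via the embryo survived close(): %s\n", alive ? "yes" : "no");
    return alive ? 0 : 1;
}
```

Between close(vpair[0]) and accept(L) the program is in the state the commit's timeline labels "GC candidate condition met": nothing in any fdtable refers to V, and the only path to it is L's accept queue. The patch makes the collector take L's state lock before scanning so that an embryo enqueued by a concurrent connect() is either already visible through L or cannot yet carry SCM_RIGHTS; this example stays single-threaded and so never exercises that window.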
