ACK: [SRU Impish,Hirsute,OEM-5.10,Focal,Bionic 0/2] CVE-2021-4083
Tim Gardner
tim.gardner at canonical.com
Mon Jan 24 13:10:30 UTC 2022
Acked-by: Tim Gardner <tim.gardner at canonical.com>
On 1/21/22 7:26 AM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race condition during unix socket garbage collection may lead to a potential
> use-after-free for a struct file.
>
> [Backport]
> On 4.15 kernel, an additional commit was necessary. On 5.4 and 5.10 kernels,
> __fcheck_files was used instead, as it was renamed to files_lookup_fd_raw.
>
> This solution was also used on upstream stable backports.
>
> [Test case]
> There is no specific test case for this, but a stress on the unix garbage
> collection was tested.
>
> [Potential regression]
> These fixes impact every use of file descriptors, not only restricted to
> unix sockets. Some impact on workloads with races on creating and closing
> file descriptors is expected.
>
> Jens Axboe (1):
>   fs: add fget_many() and fput_many()
>
> Linus Torvalds (1):
>   fget: check that the fd still exists after getting a ref to it
>
>  fs/file.c            | 19 ++++++++++++++-----
>  fs/file_table.c      |  9 +++++++--
>  include/linux/file.h |  2 ++
>  include/linux/fs.h   |  4 +++-
>  4 files changed, 26 insertions(+), 8 deletions(-)
>
--
-----------
Tim Gardner
Canonical, Inc
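
The second commit title in the quoted cover letter describes re-checking the descriptor after a reference has been taken. The C sketch below is an added userspace model of that ordering, not the kernel patch and not part of the original message; every name, the single-threaded `race_hook` and the reference counts are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model only; every name below is hypothetical, not kernel code. */
struct file_obj { long refs; };
static struct file_obj *fd_table[4], file_a;
static void (*race_hook)(void);       /* runs between slot lookup and ref grab */
static struct file_obj *lookup_raw(int fd) { return (fd >= 0 && fd < 4) ? fd_table[fd] : NULL; }
static int get_ref_not_zero(struct file_obj *f) { return f->refs ? (f->refs++, 1) : 0; }
static void put_ref(struct file_obj *f) { f->refs--; }
/* Constructed race: a concurrent close(3) drops the table's ref and clears the slot. */
static void close_fd3(void) {
    race_hook = NULL;                 /* one-shot */
    put_ref(fd_table[3]);
    fd_table[3] = NULL;
}

/* Before: the pointer read ahead of the ref grab is trusted. */
static struct file_obj *fget_unchecked(int fd) {
    struct file_obj *f = lookup_raw(fd);
    if (race_hook) race_hook();
    return (f && get_ref_not_zero(f)) ? f : NULL;
}

/* After: re-read the slot once the ref is held; on mismatch drop it and retry. */
static struct file_obj *fget_checked(int fd) {
    for (;;) {
        struct file_obj *f = lookup_raw(fd);
        if (race_hook) race_hook();
        if (!f) return NULL;
        if (!get_ref_not_zero(f)) continue;   /* object going away, re-read slot */
        if (lookup_raw(fd) == f) return f;    /* fd still names this file */
        put_ref(f);                           /* fd changed under us: undo */
    }
}

/* Refs left on file_a after one racing lookup of fd 3. */
static long refs_after_race(struct file_obj *(*fget)(int)) {
    file_a.refs = 2;                  /* fd table + one other holder (constructed) */
    fd_table[3] = &file_a;
    race_hook = close_fd3;
    fget(3);
    return file_a.refs;
}

int main(void) {
    printf("unchecked: %ld refs, checked: %ld refs\n",
           refs_after_race(fget_unchecked), refs_after_race(fget_checked));
    return 0;
}
```

With the unchecked lookup the caller ends up holding a new reference to a file that fd 3 no longer names; the checked lookup returns NULL and leaves only the other holder's reference.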