APPLIED: [SRU][N/Q][PATCH 0/1] CVE-2026-23394
Mehmet Basaran
mehmet.basaran at canonical.com
Thu Apr 9 13:55:40 UTC 2026
Applied to noble:linux, questing:linux master-next branches. Thanks.
-------------- next part --------------
Tim Whisonant <tim.whisonant at canonical.com> writes:
> SRU Justification:
>
> [Impact]
>
> af_unix: Give up GC if MSG_PEEK intervened.
>
> Igor Ushakov reported that GC purged the receive queue of
> an alive socket due to a race with MSG_PEEK with a nice repro.
>
> This is the exact same issue previously fixed by commit
> cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").
>
> After GC was replaced with the current algorithm, the cited
> commit removed the locking dance in unix_peek_fds() and
> reintroduced the same issue.
>
> The problem is that MSG_PEEK bumps a file refcount without
> interacting with GC.
>
> Consider an SCC containing sk-A and sk-B, where sk-A is
> close()d but can be recv()ed via sk-B.
>
> The bad thing happens if sk-A is recv()ed with MSG_PEEK from
> sk-B and sk-B is close()d while GC is checking unix_vertex_dead()
> for sk-A and sk-B.
>
> GC thread User thread
> --------- -----------
> unix_vertex_dead(sk-A)
> -> true <------.
> \
> `------ recv(sk-B, MSG_PEEK)
> invalidate !! -> sk-A's file refcount : 1 -> 2
>
> close(sk-B)
> -> sk-B's file refcount : 2 -> 1
> unix_vertex_dead(sk-B)
> -> true
>
> Initially, sk-A's file refcount is 1 by the inflight fd in sk-B
> recvq. GC thinks sk-A is dead because the file refcount is the
> same as the number of its inflight fds.
>
> However, sk-A's file refcount is bumped silently by MSG_PEEK,
> which invalidates the previous evaluation.
>
> At this moment, sk-B's file refcount is 2; one by the open fd,
> and one by the inflight fd in sk-A. The subsequent close()
> releases one refcount by the former.
>
> Finally, GC incorrectly concludes that both sk-A and sk-B are dead.
>
> One option is to restore the locking dance in unix_peek_fds(),
> but we can resolve this more elegantly thanks to the new algorithm.
>
> The point is that the issue does not occur without the subsequent
> close() and we actually do not need to synchronise MSG_PEEK with
> the dead SCC detection.
>
> When the issue occurs, close() and GC touch the same file refcount.
> If GC sees the refcount being decremented by close(), it can just
> give up garbage-collecting the SCC.
>
> Therefore, we only need to signal the race during MSG_PEEK with
> a proper memory barrier to make it visible to the GC.
>
> Let's use seqcount_t to notify GC when MSG_PEEK occurs and let
> it defer the SCC to the next run.
>
> This way no locking is needed on the MSG_PEEK side, and we can
> avoid imposing a penalty on every MSG_PEEK unnecessarily.
>
> Note that we can retry within unix_scc_dead() if MSG_PEEK is
> detected, but we do not do so to avoid hung task splat from
> abusive MSG_PEEK calls.
>
> [Fix]
>
> Questing: backported from upstream
> Noble: backported from upstream
> Jammy: not affected
> Focal: not affected
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects Unix domain sockets, specifically the garbage
> collection algorithm, to prevent a race condition that leads to
> early clearing of a receive queue. Issues would affect Unix
> domain sockets, particularly when used with MSG_PEEK.
>
> Kuniyuki Iwashima (1):
> af_unix: Give up GC if MSG_PEEK intervened.
>
> net/unix/af_unix.c | 2 ++
> net/unix/af_unix.h | 1 +
> net/unix/garbage.c | 79 ++++++++++++++++++++++++++++++----------------
> 3 files changed, 54 insertions(+), 28 deletions(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 873 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260409/b70ea8fb/attachment-0001.sig>
More information about the kernel-team
mailing list