Hi,

On Wed, Aug 14, 2024 at 04:57:05PM +0800, He Zhe via lists.yoctoproject.org wrote:
> Back-port two commits to fix CVE-2023-52735
>
> [2/2] is the CVE-2023-52735 fix.
> [2/2] depends on [1/2].
> [1/2] has been included in v5.10.222, so when updating to v5.10.222+ we will
> only need [2/2].
I wonder if these fixes are for a backported feature which is not in the upstream stable linux-5.10.y branch? If not, have you submitted these to the upstream stable tree?

Then the upstream linux-6.6.y stable tree also has:

commit e946428439a0d2079959f5603256ac51b6047017
Author:     Thadeu Lima de Souza Cascardo <casca...@igalia.com>
AuthorDate: Fri May 24 11:47:02 2024 -0300
Commit:     Greg Kroah-Hartman <gre...@linuxfoundation.org>
CommitDate: Fri Jun 21 14:38:40 2024 +0200

    sock_map: avoid race between sock_map_close and sk_psock_put

    commit 4b4647add7d3c8530493f7247d11e257ee425bf0 upstream.

    sk_psock_get will return NULL if the refcount of psock has gone to 0,
    which will happen when the last call of sk_psock_put is done. However,
    sk_psock_drop may not have finished yet, so the close callback will
    still point to sock_map_close despite psock being NULL.

    This can be reproduced with a thread deleting an element from the sock
    map, while the second one creates a socket, adds it to the map and
    closes it.

    That will trigger the WARN_ON_ONCE:

    ...

    Use sk_psock, which will only check that the pointer has not been set
    to NULL yet, which should only happen after the callbacks are restored.
    If, then, a reference can still be gotten, we may call sk_psock_stop
    and cancel psock->work.

    As suggested by Paolo Abeni, reorder the condition so the control flow
    is less convoluted.

    After that change, the reproducer does not trigger the WARN_ON_ONCE
    anymore.

    Suggested-by: Paolo Abeni <pab...@redhat.com>
    Reported-by: syzbot+07a2e4a1a57118ef7...@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=07a2e4a1a57118ef7355
    Fixes: aadb2bb83ff7 ("sock_map: Fix a potential use-after-free in sock_map_close()")
    Fixes: 5b4a79ba65a1 ("bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself")
    Cc: sta...@vger.kernel.org
    Signed-off-by: Thadeu Lima de Souza Cascardo <casca...@igalia.com>
    Acked-by: Jakub Sitnicki <ja...@cloudflare.com>
    Link: https://lore.kernel.org/r/20240524144702.1178377-1-casca...@igalia.com
    Signed-off-by: Paolo Abeni <pab...@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Should this be taken too?

Cheers,
-Mikko