[SRU Impish,Hirsute,OEM-5.10,Focal,Bionic 0/2] CVE-2021-4083

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Fri Jan 21 14:26:13 UTC 2022


[Impact]
A race condition during unix socket garbage collection may lead to a potential
use-after-free for a struct file.

[Backport]
On the 4.15 kernel, an additional commit was necessary. On the 5.4 and 5.10 kernels,
__fcheck_files was used instead, as it was renamed to files_lookup_fd_raw.

This solution was also used on upstream stable backports.

[Test case]
There is no specific test case for this, but a stress on the unix garbage
collection was tested.

[Potential regression]
These fixes impact every use of file descriptors, not only restricted to
unix sockets. Some impact on workloads with races on creating and closing
file descriptors is expected.

Jens Axboe (1):
  fs: add fget_many() and fput_many()

Linus Torvalds (1):
  fget: check that the fd still exists after getting a ref to it

 fs/file.c            | 19 ++++++++++++++-----
 fs/file_table.c      |  9 +++++++--
 include/linux/file.h |  2 ++
 include/linux/fs.h   |  4 +++-
 4 files changed, 26 insertions(+), 8 deletions(-)

-- 
2.32.0



