APPLIED: [SRU][N][PATCH 0/1] CVE-2025-40214

Thu Jan 8 14:26:49 UTC 2026

On 06/01/2026 20:20, Tim Whisonant wrote:
> SRU Justification:
> 
> [Impact]
> 
> af_unix: Initialise scc_index in unix_add_edge().
> 
> Quang Le reported that the AF_UNIX GC could garbage-collect a
> receive queue of an alive in-flight socket, with a nice repro.
> 
> The repro consists of three stages.
> 
>    1)
>      1-a. Create a single cyclic reference with many sockets
>      1-b. close() all sockets
>      1-c. Trigger GC
> 
>    2)
>      2-a. Pass sk-A to an embryo sk-B
>      2-b. Pass sk-X to sk-X
>      2-c. Trigger GC
> 
>    3)
>      3-a. accept() the embryo sk-B
>      3-b. Pass sk-B to sk-C
>      3-c. close() the in-flight sk-A
>      3-d. Trigger GC
> 
> As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,
> and unix_walk_scc() groups them into two different SCCs:
> 
>    unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START)
>    unix_sk(sk-X)->vertex->scc_index = 3
> 
> Once GC completes, unix_graph_grouped is set to true.
> Also, unix_graph_maybe_cyclic is set to true due to sk-X's
> cyclic self-reference, which makes close() trigger GC.
> 
> At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and
> links it to unix_unvisited_vertices.
> 
> unix_update_graph() is called at 3-a. and 3-b., but neither
> unix_graph_grouped nor unix_graph_maybe_cyclic is changed
> because both sk-B's listener and sk-C are not in-flight.
> 
> 3-c decrements sk-A's file refcnt to 1.
> 
> Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast()
> is finally called and iterates 3 sockets sk-A, sk-B, and sk-X:
> 
>    sk-A -> sk-B (-> sk-C)
>    sk-X -> sk-X
> 
> This is totally fine.  All of them are not yet close()d and
> should be grouped into different SCCs.
> 
> However, unix_vertex_dead() misjudges that sk-A and sk-B are
> in the same SCC and sk-A is dead.
> 
>    unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong!
>    &&
>    sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree
>                                         ^-- 1 in-flight count for sk-B
>    -> sk-A is dead !?
> 
> The problem is that unix_add_edge() does not initialise scc_index.
> 
> Stage 1) is used for heap spraying, making a newly allocated
> vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START)
> set by unix_walk_scc() at 1-c.
> 
> Let's track the max SCC index from the previous unix_walk_scc()
> call and assign the max + 1 to a new vertex's scc_index.
> 
> This way, we can continue to avoid Tarjan's algorithm while
> preventing misjudgments.
> 
> [Fix]
> 
> Questing: not affected
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The changes affect the garbage collection for Unix domain sockets.
> Issues might appear as failures related to the garbage collection
> mechanism.
> 
> Kuniyuki Iwashima (1):
>    af_unix: Initialise scc_index in unix_add_edge().
> 
>   net/unix/garbage.c | 14 +++++++++++---
>   1 file changed, 11 insertions(+), 3 deletions(-)
> 

Applied to noble:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260108/ee205be2/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260108/ee205be2/attachment-0001.sig>