qiurui
/
Centos-kernel-stream-9
mirror of https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,167,572 Commits 5 Branches 2,211 Tags 2.6 GiB
Commit Graph

6 Commits

Author SHA1 Message Date
Jeff Moyer b3b30700de io_uring/unix: drop usage of io_uring socket 
JIRA: https://issues.redhat.com/browse/RHEL-36366
CVE: CVE-2023-52656
Conflicts: Contextual differences in iouring.h.

commit a4104821ad651d8a0b374f0b2474c345bbb42f82
Author: Jens Axboe <axboe@kernel.dk>
Date:   Tue Dec 19 12:30:43 2023 -0700

    io_uring/unix: drop usage of io_uring socket
    
    Since we no longer allow sending io_uring fds over SCM_RIGHTS, move to
    using io_is_uring_fops() to detect whether this is a io_uring fd or not.
    With that done, kill off io_uring_get_socket() as nobody calls it
    anymore.
    
    This is in preparation to yanking out the rest of the core related to
    unix gc with io_uring.
    
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
 2024-05-15 13:58:16 -04:00
Davide Caratti 57e2296e1e af_unix: Fix data-races around user->unix_inflight. 
JIRA: https://issues.redhat.com/browse/RHEL-14526
Upstream Status: net.git commit 0bc36c0650b21df36fbec8136add83936eaf0607

commit 0bc36c0650b21df36fbec8136add83936eaf0607
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Fri Sep 1 17:27:05 2023 -0700

    af_unix: Fix data-races around user->unix_inflight.

    user->unix_inflight is changed under spin_lock(unix_gc_lock),
    but too_many_unix_fds() reads it locklessly.

    Let's annotate the write/read accesses to user->unix_inflight.

    BUG: KCSAN: data-race in unix_attach_fds / unix_inflight

    write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:
     unix_inflight+0x157/0x180 net/unix/scm.c:66
     unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123
     unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
     unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
     unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
     unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
     sock_sendmsg_nosec net/socket.c:725 [inline]
     sock_sendmsg+0x148/0x160 net/socket.c:748
     ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
     ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
     __sys_sendmsg+0x94/0x140 net/socket.c:2577
     __do_sys_sendmsg net/socket.c:2586 [inline]
     __se_sys_sendmsg net/socket.c:2584 [inline]
     __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x6e/0xd8

    read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:
     too_many_unix_fds net/unix/scm.c:101 [inline]
     unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110
     unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
     unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
     unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
     unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
     sock_sendmsg_nosec net/socket.c:725 [inline]
     sock_sendmsg+0x148/0x160 net/socket.c:748
     ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
     ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
     __sys_sendmsg+0x94/0x140 net/socket.c:2577
     __do_sys_sendmsg net/socket.c:2586 [inline]
     __se_sys_sendmsg net/socket.c:2584 [inline]
     __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x6e/0xd8

    value changed: 0x000000000000000c -> 0x000000000000000d

    Reported by Kernel Concurrency Sanitizer on:
    CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

    Fixes: 712f4aad40 ("unix: properly account for FDs passed over unix sockets")
    Reported-by: syzkaller <syzkaller@googlegroups.com>
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Acked-by: Willy Tarreau <w@1wt.eu>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
 2023-10-24 15:12:12 +02:00
Jeff Moyer 053953f296 net: reclaim skb->scm_io_uring bit 
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2068237

commit 10369080454d87ee5b2db211ce947cb3118f0e13
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Mar 7 14:59:59 2023 +0000

    net: reclaim skb->scm_io_uring bit
    
    Commit 0091bfc81741 ("io_uring/af_unix: defer registered
    files gc to io_uring release") added one bit to struct sk_buff.
    
    This structure is critical for networking, and we try very hard
    to not add bloat on it, unless absolutely required.
    
    For instance, we can use a specific destructor as a wrapper
    around unix_destruct_scm(), to identify skbs that unix_gc()
    has to special case.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Pavel Begunkov <asml.silence@gmail.com>
    Cc: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    Cc: Jens Axboe <axboe@kernel.dk>
    Reviewed-by: Jens Axboe <axboe@kernel.dk>
    Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
 2023-05-05 15:26:33 -04:00
Xin Long b07e4e495b af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress 
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2080477
Tested: compile only

commit 9d6d7f1cb67cdee15f1a0e85aacfb924e0e02435
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jan 14 08:43:28 2022 -0800

    af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress

    wait_for_unix_gc() reads unix_tot_inflight & gc_in_progress
    without synchronization.

    Adds READ_ONCE()/WRITE_ONCE() and their associated comments
    to better document the intent.

    BUG: KCSAN: data-race in unix_inflight / wait_for_unix_gc

    write to 0xffffffff86e2b7c0 of 4 bytes by task 9380 on cpu 0:
     unix_inflight+0x1e8/0x260 net/unix/scm.c:63
     unix_attach_fds+0x10c/0x1e0 net/unix/scm.c:121
     unix_scm_to_skb net/unix/af_unix.c:1674 [inline]
     unix_dgram_sendmsg+0x679/0x16b0 net/unix/af_unix.c:1817
     unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258
     sock_sendmsg_nosec net/socket.c:704 [inline]
     sock_sendmsg net/socket.c:724 [inline]
     ____sys_sendmsg+0x39a/0x510 net/socket.c:2409
     ___sys_sendmsg net/socket.c:2463 [inline]
     __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549
     __do_sys_sendmmsg net/socket.c:2578 [inline]
     __se_sys_sendmmsg net/socket.c:2575 [inline]
     __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae

    read to 0xffffffff86e2b7c0 of 4 bytes by task 9375 on cpu 1:
     wait_for_unix_gc+0x24/0x160 net/unix/garbage.c:196
     unix_dgram_sendmsg+0x8e/0x16b0 net/unix/af_unix.c:1772
     unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258
     sock_sendmsg_nosec net/socket.c:704 [inline]
     sock_sendmsg net/socket.c:724 [inline]
     ____sys_sendmsg+0x39a/0x510 net/socket.c:2409
     ___sys_sendmsg net/socket.c:2463 [inline]
     __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549
     __do_sys_sendmmsg net/socket.c:2578 [inline]
     __se_sys_sendmmsg net/socket.c:2575 [inline]
     __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae

    value changed: 0x00000002 -> 0x00000004

    Reported by Kernel Concurrency Sanitizer on:
    CPU: 1 PID: 9375 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

    Fixes: 9915672d41 ("af_unix: limit unix_tot_inflight")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Link: https://lore.kernel.org/r/20220114164328.2038499-1-eric.dumazet@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: Xin Long <lxin@redhat.com>
 2022-05-03 10:49:18 -04:00
Jens Axboe a3ec600540 io_uring: move io_uring_get_socket() into io_uring.h 
Now we have a io_uring kernel header, move this definition out of fs.h
and into io_uring.h where it belongs.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
 2020-09-30 20:32:33 -06:00
Jens Axboe f4e65870e5 net: split out functions related to registering inflight socket files 
We need this functionality for the io_uring file registration, but
we cannot rely on it since CONFIG_UNIX can be modular. Move the helpers
to a separate file, that's always builtin to the kernel if CONFIG_UNIX is
m/y.

No functional changes in this patch, just moving code around.

Reviewed-by: Hannes Reinecke <hare@suse.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
 2019-02-28 08:24:23 -07:00