review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Eric Dumazet <edumazet@google.com>
	Wed, 29 Sep 2021 22:57:50 +0000 (15:57 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 6 Oct 2021 13:55:58 +0000 (15:55 +0200)
commit	3db53827a0e9130d9e2cbe3c3b5bca601caa4c74
tree	d0e12d0812062ee9f3f7cd55557d1d86200afda2	tree \| snapshot
parent	d0d520c19e7ea19ed38dc5797b12397b6ccf9f88	commit \| diff

af_unix: fix races in sk_peer_pid and sk_peer_cred accesses

[ Upstream commit 35306eb23814444bd4021f8a1c3047d3cb0c8b2b ]

Jann Horn reported that SO_PEERCRED and SO_PEERGROUPS implementations
are racy, as af_unix can concurrently change sk_peer_pid and sk_peer_cred.

In order to fix this issue, this patch adds a new spinlock that needs
to be used whenever these fields are read or written.

Jann also pointed out that l2cap_sock_get_peer_pid_cb() is currently
reading sk->sk_peer_pid which makes no sense, as this field
is only possibly set by AF_UNIX sockets.
We will have to clean this in a separate patch.
This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get_peer_pid callback"
or implementing what was truly expected.

Fixes: 109f6e39fa07 ("af_unix: Allow SO_PEERCRED to work across namespaces.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

include/net/sock.h		diff \| blob \| history
net/core/sock.c		diff \| blob \| history
net/unix/af_unix.c		diff \| blob \| history