• Paul Moore's avatar
    unix: fix a race condition in unix_release() · 480cabcc
    Paul Moore authored
    [ Upstream commit ded34e0f ]
    
    As reported by Jan, and others over the past few years, there is a
    race condition caused by unix_release setting the sock->sk pointer
    to NULL before properly marking the socket as dead/orphaned.  This
    can cause a problem with the LSM hook security_unix_may_send() if
    there is another socket attempting to write to this partially
    released socket in between when sock->sk is set to NULL and it is
    marked as dead/orphaned.  This patch fixes this by only setting
    sock->sk to NULL after the socket has been marked as dead; I also
    take the opportunity to make unix_release_sock() a void function
    as it only ever returned 0/success.
    
    Dave, I think this one should go on the -stable pile.
    
    Special thanks to Jan for coming up with a reproducer for this
    problem.
    Reported-by: default avatarJan Stancek <jan.stancek@gmail.com>
    Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
    480cabcc
af_unix.c 53.8 KB