Ubuntu CVE tracker (ubuntu.com): UB:CVE-2023-52772
Published: 2024-05-21 00:00:00

CVE-2023-52772
Tags: linux kernel, use-after-free vulnerability, af_unix, unix socket, security document, vulnerability resolution, crash report, skb refcount, task description, memory allocation, memory deallocation

CVSS3 base score: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.0004 Low (percentile 5.1%)

In the Linux kernel, the following vulnerability has been resolved:

af_unix: fix use-after-free in unix_stream_read_actor()

syzbot reported the following crash [1]

After releasing unix socket lock, u->oob_skb can be changed by another thread. We must temporarily increase skb refcount to make sure this other thread will not free the skb under us.

[1]
BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297

CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
 unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
 unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
 unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg+0xe2/0x170 net/socket.c:1066
 ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
 ___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
 __sys_recvmsg+0x114/0x1e0 net/socket.c:2875
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fc67492c559
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388
 </TASK>

Allocated by task 5295:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
 __alloc_skb+0x287/0x330 net/core/skbuff.c:641
 alloc_skb include/linux/skbuff.h:1286 [inline]
 alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
 sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
 sock_alloc_send_skb include/net/sock.h:1884 [inline]
 queue_oob net/unix/af_unix.c:2147 [inline]
 unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Freed by task 5295:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0xf8/0x340 mm/slub.c:3831
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
 __kfree_skb net/core/skbuff.c:1073 [inline]
 consume_skb net/core/skbuff.c:1288 [inline]
 consume_skb+0xdf/0x170 net/core/skbuff.c:1282
 queue_oob net/unix/af_unix.c:2178 [inline]
 u —truncated—
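The commit message describes the fix pattern only in words: a pointer read under the socket lock stays valid across a lock drop only if the reader holds its own reference. The C program below is an added, constructed userspace model of that pattern; it is not kernel code and not part of the CVE entry. The `locked` flag, the `freed` flag and the callback that plays the other thread are stand-ins for the kernel's unix socket lock, the slab free that KASAN tracks and the concurrent sender from the trace; the names alloc_skb, skb_get, consume_skb, unix_stream_read_actor and unix_stream_recv_urg echo the trace for readability but are local model functions, not the kernel's. The race window is made deterministic so the vulnerable and fixed orderings can be compared directly.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model of the race in the entry; not kernel code. */
struct skb {
    int refcnt;
    bool freed;     /* stands in for the slab free that KASAN tracks */
    int payload;
};

struct unix_sock {
    bool locked;    /* stands in for the unix socket lock */
    struct skb *oob_skb;
};

static struct skb *alloc_skb(int payload)
{
    struct skb *s = malloc(sizeof *s);
    if (!s) abort();
    s->refcnt = 1;
    s->freed = false;
    s->payload = payload;
    return s;
}

static void skb_get(struct skb *s) { s->refcnt++; }

/* Drop one reference; at zero the buffer counts as freed. The memory is kept
 * so the model can observe a use-after-free instead of hitting real UB. */
static void consume_skb(struct skb *s)
{
    if (--s->refcnt == 0)
        s->freed = true;
}

static void unix_state_lock(struct unix_sock *u)   { assert(!u->locked); u->locked = true; }
static void unix_state_unlock(struct unix_sock *u) { assert(u->locked); u->locked = false; }

/* What the other thread does while the reader holds no lock: queue a fresh
 * OOB skb and release the old one (the queue_oob path in the trace). */
static void other_thread_queues_oob(struct unix_sock *u)
{
    unix_state_lock(u);
    struct skb *old = u->oob_skb;
    u->oob_skb = alloc_skb(99);
    unix_state_unlock(u);
    if (old)
        consume_skb(old);   /* hits zero unless the reader holds a reference */
}

/* Returns the payload, or -1 where KASAN would report slab-use-after-free. */
static int unix_stream_read_actor(const struct skb *s)
{
    return s->freed ? -1 : s->payload;
}

/* hold_ref=false is the vulnerable order: pointer copied under the lock, lock
 * dropped, skb used afterwards with nothing stopping another thread from
 * freeing it. hold_ref=true is the fix the entry describes: take a reference
 * before dropping the lock, release it only after the read. */
static int unix_stream_recv_urg(struct unix_sock *u, bool hold_ref)
{
    unix_state_lock(u);
    struct skb *skb = u->oob_skb;
    if (!skb) { unix_state_unlock(u); return -2; }
    if (hold_ref)
        skb_get(skb);
    unix_state_unlock(u);

    other_thread_queues_oob(u);   /* the race window, made deterministic */

    int ret = unix_stream_read_actor(skb);
    if (hold_ref)
        consume_skb(skb);         /* now the last reference really goes away */
    return ret;
}

static int run_scenario(bool hold_ref)
{
    struct unix_sock u = { .locked = false, .oob_skb = alloc_skb(42) };
    struct skb *first = u.oob_skb;
    int ret = unix_stream_recv_urg(&u, hold_ref);
    free(first);        /* model cleanup: consume_skb never returned memory */
    free(u.oob_skb);
    return ret;
}

int demo_vulnerable(void) { return run_scenario(false); }   /* -1 */
int demo_fixed(void)      { return run_scenario(true); }    /* 42 */

int main(void)
{
    printf("without refcount hold: %d (-1 = use-after-free observed)\n", demo_vulnerable());
    printf("with refcount hold:    %d (payload read)\n", demo_fixed());
    return 0;
}
```

The only difference between the two runs is the skb_get before the unlock and the matching consume_skb after the read; everything the other thread does is identical. That is the whole of the mitigation the entry describes, and it is the check to look for when reviewing any code that caches a pointer under a lock and then touches it after the lock is gone.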
