CVE-2024-26624

In the Linux kernel, the following vulnerability has been resolved:
af_unix: fix lockdep positive in sk_diag_dump_icons() syzbot reported a
lockdep splat [1]. Blamed commit hinted about the possible lockdep
violation, and code used unix_state_lock_nested() in an attempt to silence
lockdep. It is not sufficient, because unix_state_lock_nested() is already
used from unix_state_double_lock(). We need to use a separate subclass.
This patch adds a distinct enumeration to make things more explicit. Also
use swap() in unix_state_double_lock() as a clean up. v2: add a missing
inline keyword to unix_state_lock_nested() [1] WARNING: possible circular
locking dependency detected 6.8.0-rc1-syzkaller-00356-g8a696a29c690 #0 Not
tainted syz-executor.1/2542 is trying to acquire lock: ffff88808b5df9e8
(rlock-AF_UNIX){+.+.}-{2:2}, at: skb_queue_tail+0x36/0x120
net/core/skbuff.c:3863 but task is already holding lock: ffff88808b5dfe70
(&u->lock/1){+.+.}-{2:2}, at: unix_dgram_sendmsg+0xfc7/0x2200
net/unix/af_unix.c:2089 which lock already depends on the new lock. the
existing dependency chain (in reverse order) is: -> #1
(&u->lock/1){+.+.}-{2:2}: lock_acquire+0x1e3/0x530
kernel/locking/lockdep.c:5754 _raw_spin_lock_nested+0x31/0x40
kernel/locking/spinlock.c:378 sk_diag_dump_icons net/unix/diag.c:87
[inline] sk_diag_fill+0x6ea/0xfe0 net/unix/diag.c:157 sk_diag_dump
net/unix/diag.c:196 [inline] unix_diag_dump+0x3e9/0x630 net/unix/diag.c:220
netlink_dump+0x5c1/0xcd0 net/netlink/af_netlink.c:2264
__netlink_dump_start+0x5d7/0x780 net/netlink/af_netlink.c:2370
netlink_dump_start include/linux/netlink.h:338 [inline]
unix_diag_handler_dump+0x1c3/0x8f0 net/unix/diag.c:319
sock_diag_rcv_msg+0xe3/0x400 netlink_rcv_skb+0x1df/0x430
net/netlink/af_netlink.c:2543 sock_diag_rcv+0x2a/0x40
net/core/sock_diag.c:280 netlink_unicast_kernel
net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7e6/0x980
net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa37/0xd70
net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline] sock_write_iter+0x39a/0x520
net/socket.c:1160 call_write_iter include/linux/fs.h:2085 [inline]
new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa74/0xca0
fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230
arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b -> #0
(rlock-AF_UNIX){+.+.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134
[inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain+0x1909/0x5ab0 kernel/locking/lockdep.c:3869
__lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
skb_queue_tail+0x36/0x120 net/core/skbuff.c:3863
unix_dgram_sendmsg+0x15d9/0x2200 net/unix/af_unix.c:2112 sock_sendmsg_nosec
net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2584 ___sys_sendmsg
net/socket.c:2638 [inline] __sys_sendmmsg+0x3b2/0x730 net/socket.c:2724
__do_sys_sendmmsg net/socket.c:2753 [inline] __se_sys_sendmmsg
net/socket.c:2750 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2750
do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x230
arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b other
info that might help us debug this: Possible unsafe locking scenario: CPU0
—truncated—

Bugs

• <https://bugzilla.redhat.com/show_bug.cgi?id=2268221&gt;
• <https://bugzilla.suse.com/show_bug.cgi?id=1221059&gt;