cve/published/2023/CVE-2023-52772.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52772: af_unix: fix use-after-free in unix_stream_read_actor()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 af_unix: fix use-after-free in unix_stream_read_actor()

 syzbot reported the following crash [1]

 After releasing unix socket lock, u->oob_skb can be changed
 by another thread. We must temporarily increase skb refcount
 to make sure this other thread will not free the skb under us.

 [1]

 BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
 Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297

 CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
 Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
 unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
 unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
 unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg+0xe2/0x170 net/socket.c:1066
 ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
 ___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
 __sys_recvmsg+0x114/0x1e0 net/socket.c:2875
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
 RIP: 0033:0x7fc67492c559
 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
 RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
 RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
 RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
 R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388
 </TASK>

 Allocated by task 5295:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
 __alloc_skb+0x287/0x330 net/core/skbuff.c:641
 alloc_skb include/linux/skbuff.h:1286 [inline]
 alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
 sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
 sock_alloc_send_skb include/net/sock.h:1884 [inline]
 queue_oob net/unix/af_unix.c:2147 [inline]
 unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

 Freed by task 5295:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0xf8/0x340 mm/slub.c:3831
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
 __kfree_skb net/core/skbuff.c:1073 [inline]
 consume_skb net/core/skbuff.c:1288 [inline]
 consume_skb+0xdf/0x170 net/core/skbuff.c:1282
 queue_oob net/unix/af_unix.c:2178 [inline]
 unix_stream_sendmsg+0xd49/0x10a0 net/unix/af_unix.c:2301
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

 The buggy address belongs to the object at ffff88801f3b9c80
 which belongs to the cache skbuff_head_cache of size 240
 The buggy address is located 68 bytes inside of
 freed 240-byte region [ffff88801f3b9c80, ffff88801f3b9d70)

 The buggy address belongs to the physical page:
 page:ffffea00007cee40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f3b9
 flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
 page_type: 0xffffffff()
 raw: 00fff00000000800 ffff888142a60640 dead000000000122 0000000000000000
 raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected
 page_owner tracks the page as allocated
 page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5299, tgid 5283 (syz-executor107), ts 103803840339, free_ts 103600093431
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
 alloc_slab_page mm/slub.c:1870 [inline]
 allocate_slab+0x251/0x380 mm/slub.c:2017
 new_slab mm/slub.c:2070 [inline]
 ___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 kmem_cache_alloc_node+0x132/0x3c0 mm/slub.c:3523
 __alloc_skb+0x287/0x330 net/core/skbuff.c:641
 alloc_skb include/linux/skbuff.h:1286 [inline]
 alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
 sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
 sock_alloc_send_skb include/net/sock.h:1884 [inline]
 queue_oob net/unix/af_unix.c:2147 [inline]
 unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
 page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x4f8/0xa90 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2487
 __unfreeze_partials+0x21d/0x240 mm/slub.c:2655
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:763 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 slab_alloc mm/slub.c:3486 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
 kmem_cache_alloc+0x15d/0x380 mm/slub.c:3502
 vm_area_dup+0x21/0x2f0 kernel/fork.c:500
 __split_vma+0x17d/0x1070 mm/mmap.c:2365
 split_vma mm/mmap.c:2437 [inline]
 vma_modify+0x25d/0x450 mm/mmap.c:2472
 vma_modify_flags include/linux/mm.h:3271 [inline]
 mprotect_fixup+0x228/0xc80 mm/mprotect.c:635
 do_mprotect_pkey+0x852/0xd60 mm/mprotect.c:809
 __do_sys_mprotect mm/mprotect.c:830 [inline]
 __se_sys_mprotect mm/mprotect.c:827 [inline]
 __x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:827
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

 Memory state around the buggy address:
 ffff88801f3b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801f3b9c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 >ffff88801f3b9c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ^
 ffff88801f3b9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff88801f3b9d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb

 The Linux kernel CVE team has assigned CVE-2023-52772 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 5.15.140 with commit 75bcfc188abf4fae9c1d5f5dc0a03540be602eef
 	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 6.1.64 with commit d179189eec426fe4801e4b91efa1889faed12700
 	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 6.5.13 with commit eae0b295ce16d8c8b4114c3037993191b4bb92f0
 	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 6.6.3 with commit 069a3ec329ff43e7869a3d94c62cd03203016bce
 	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 6.7 with commit 4b7b492615cf3017190f55444f7016812b66611d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52772
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/unix/af_unix.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef
 	https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700
 	https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0
 	https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce
 	https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52772: af_unix: fix use-after-free in unix_stream_read_actor()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	af_unix: fix use-after-free in unix_stream_read_actor()

	syzbot reported the following crash [1]

	After releasing unix socket lock, u->oob_skb can be changed
	by another thread. We must temporarily increase skb refcount
	to make sure this other thread will not free the skb under us.

	[1]

	BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
	Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297

	CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
	print_address_description mm/kasan/report.c:364 [inline]
	print_report+0xc4/0x620 mm/kasan/report.c:475
	kasan_report+0xda/0x110 mm/kasan/report.c:588
	unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
	unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
	unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
	unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
	sock_recvmsg_nosec net/socket.c:1044 [inline]
	sock_recvmsg+0xe2/0x170 net/socket.c:1066
	____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
	___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
	__sys_recvmsg+0x114/0x1e0 net/socket.c:2875
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x63/0x6b
	RIP: 0033:0x7fc67492c559
	Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
	RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
	RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
	RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
	RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
	R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
	R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388
	</TASK>

	Allocated by task 5295:
	kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
	kasan_set_track+0x25/0x30 mm/kasan/common.c:52
	__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
	kasan_slab_alloc include/linux/kasan.h:188 [inline]
	slab_post_alloc_hook mm/slab.h:763 [inline]
	slab_alloc_node mm/slub.c:3478 [inline]
	kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
	__alloc_skb+0x287/0x330 net/core/skbuff.c:641
	alloc_skb include/linux/skbuff.h:1286 [inline]
	alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
	sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
	sock_alloc_send_skb include/net/sock.h:1884 [inline]
	queue_oob net/unix/af_unix.c:2147 [inline]
	unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0xd5/0x180 net/socket.c:745
	____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
	___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
	__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	Freed by task 5295:
	kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
	kasan_set_track+0x25/0x30 mm/kasan/common.c:52
	kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
	____kasan_slab_free mm/kasan/common.c:236 [inline]
	____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
	kasan_slab_free include/linux/kasan.h:164 [inline]
	slab_free_hook mm/slub.c:1800 [inline]
	slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
	slab_free mm/slub.c:3809 [inline]
	kmem_cache_free+0xf8/0x340 mm/slub.c:3831
	kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
	__kfree_skb net/core/skbuff.c:1073 [inline]
	consume_skb net/core/skbuff.c:1288 [inline]
	consume_skb+0xdf/0x170 net/core/skbuff.c:1282
	queue_oob net/unix/af_unix.c:2178 [inline]
	unix_stream_sendmsg+0xd49/0x10a0 net/unix/af_unix.c:2301
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0xd5/0x180 net/socket.c:745
	____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
	___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
	__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	The buggy address belongs to the object at ffff88801f3b9c80
	which belongs to the cache skbuff_head_cache of size 240
	The buggy address is located 68 bytes inside of
	freed 240-byte region [ffff88801f3b9c80, ffff88801f3b9d70)

	The buggy address belongs to the physical page:
	page:ffffea00007cee40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f3b9
	flags: 0xfff00000000800(slab\|node=0\|zone=1\|lastcpupid=0x7ff)
	page_type: 0xffffffff()
	raw: 00fff00000000800 ffff888142a60640 dead000000000122 0000000000000000
	raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
	page dumped because: kasan: bad access detected
	page_owner tracks the page as allocated
	page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL\|__GFP_NOWARN\|__GFP_NORETRY), pid 5299, tgid 5283 (syz-executor107), ts 103803840339, free_ts 103600093431
	set_page_owner include/linux/page_owner.h:31 [inline]
	post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
	prep_new_page mm/page_alloc.c:1544 [inline]
	get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
	__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
	alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
	alloc_slab_page mm/slub.c:1870 [inline]
	allocate_slab+0x251/0x380 mm/slub.c:2017
	new_slab mm/slub.c:2070 [inline]
	___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
	__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
	__slab_alloc_node mm/slub.c:3375 [inline]
	slab_alloc_node mm/slub.c:3468 [inline]
	kmem_cache_alloc_node+0x132/0x3c0 mm/slub.c:3523
	__alloc_skb+0x287/0x330 net/core/skbuff.c:641
	alloc_skb include/linux/skbuff.h:1286 [inline]
	alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
	sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
	sock_alloc_send_skb include/net/sock.h:1884 [inline]
	queue_oob net/unix/af_unix.c:2147 [inline]
	unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
	sock_sendmsg_nosec net/socket.c:730 [inline]
	__sock_sendmsg+0xd5/0x180 net/socket.c:745
	____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
	___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
	__sys_sendmsg+0x117/0x1e0 net/socket.c:2667
	page last free stack trace:
	reset_page_owner include/linux/page_owner.h:24 [inline]
	free_pages_prepare mm/page_alloc.c:1137 [inline]
	free_unref_page_prepare+0x4f8/0xa90 mm/page_alloc.c:2347
	free_unref_page+0x33/0x3b0 mm/page_alloc.c:2487
	__unfreeze_partials+0x21d/0x240 mm/slub.c:2655
	qlink_free mm/kasan/quarantine.c:168 [inline]
	qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
	kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
	__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
	kasan_slab_alloc include/linux/kasan.h:188 [inline]
	slab_post_alloc_hook mm/slab.h:763 [inline]
	slab_alloc_node mm/slub.c:3478 [inline]
	slab_alloc mm/slub.c:3486 [inline]
	__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
	kmem_cache_alloc+0x15d/0x380 mm/slub.c:3502
	vm_area_dup+0x21/0x2f0 kernel/fork.c:500
	__split_vma+0x17d/0x1070 mm/mmap.c:2365
	split_vma mm/mmap.c:2437 [inline]
	vma_modify+0x25d/0x450 mm/mmap.c:2472
	vma_modify_flags include/linux/mm.h:3271 [inline]
	mprotect_fixup+0x228/0xc80 mm/mprotect.c:635
	do_mprotect_pkey+0x852/0xd60 mm/mprotect.c:809
	__do_sys_mprotect mm/mprotect.c:830 [inline]
	__se_sys_mprotect mm/mprotect.c:827 [inline]
	__x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:827
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x63/0x6b

	Memory state around the buggy address:
	ffff88801f3b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	ffff88801f3b9c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
	>ffff88801f3b9c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	^
	ffff88801f3b9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
	ffff88801f3b9d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb

	The Linux kernel CVE team has assigned CVE-2023-52772 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 5.15.140 with commit 75bcfc188abf4fae9c1d5f5dc0a03540be602eef
	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 6.1.64 with commit d179189eec426fe4801e4b91efa1889faed12700
	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 6.5.13 with commit eae0b295ce16d8c8b4114c3037993191b4bb92f0
	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 6.6.3 with commit 069a3ec329ff43e7869a3d94c62cd03203016bce
	Issue introduced in 5.15 with commit 876c14ad014d0e39c57cbfde53e13d17cdb6d645 and fixed in 6.7 with commit 4b7b492615cf3017190f55444f7016812b66611d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52772
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/unix/af_unix.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/75bcfc188abf4fae9c1d5f5dc0a03540be602eef
	https://git.kernel.org/stable/c/d179189eec426fe4801e4b91efa1889faed12700
	https://git.kernel.org/stable/c/eae0b295ce16d8c8b4114c3037993191b4bb92f0
	https://git.kernel.org/stable/c/069a3ec329ff43e7869a3d94c62cd03203016bce
	https://git.kernel.org/stable/c/4b7b492615cf3017190f55444f7016812b66611d