Patch kernel: backport af_unix UAF fix in unix_stream_data_wait() (torvalds/linux@be309f8eae8b)

[omkhar]

Backport af_unix UAF fix from torvalds/linux@be309f8.

Upstream: Author Jann Horn jannh@google.com (Google Project Zero). Reviewed-by Kuniyuki Iwashima. Signed-off-by chain Jann → Jakub Kicinski. Cc: stable@vger.kernel.org # 6.5.x. Fixes: 2b514574f7e8.

Backport type: CUSTOM 5.15 backport. Upstream's Cc: stable@vger.kernel.org # 6.5.x explicitly excludes 5.15 because unix_stream_sendpage() on 5.15 can still grow the receiver tail skb (commit 869e7c62486e). We cannot simply remove the last_len check on 5.15 (would re-introduce sendpage-grows-last-skb race). Instead we SERIALIZE the read by taking sk->sk_receive_queue.lock around skb_peek_tail() + tail->len read. +5/-2 lines, contained in unix_stream_data_wait().

Code-correctness: unix_stream_data_wait +80 bytes (within +30–100 expected range for the added locking). +1 spin_lock callsite. +2 KASAN store-checks for the lock writes. All deltas match the design spec.

LTP regression: 66 tests (41 AF_UNIX-touching). Baseline 242/11/2 = patched 242/11/2. 0 patch-induced regressions. The 4 failing test families (dnsmasq_tests, ping01, sendfile01, tracepath01) are environmental (no peer on 10.0.0.1) and identical on both sides.

Mariner 2.0 caveat: AKS EOL 2025-11-30; PR for non-AKS consumers.

[omkhar]

Closing — this is a Mariner 2.0 kernel backport (head branch is kernel-2.0 / kernel-mariner2, kernel.spec edits target 5.15.y) and should have been filed against microsoft/CBL-Mariner, not this repo. The misfile is on me; I retargeted the base to 3.0-dev earlier today which made the diff explode to ~2.9k files because the branch was never compatible with 3.0-dev. Sorry for the noise.

Holding on opening the equivalent PR on microsoft/CBL-Mariner until I hear back from the Mariner-2.0 maintainers on whether OOT carries are wanted there post-AKS-EOL — open question raised on #17414.