From patchwork Mon Jun 3 14:32:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kuniyuki Iwashima X-Patchwork-Id: 13683883 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp-fw-2101.amazon.com (smtp-fw-2101.amazon.com [72.21.196.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9903E12BF34 for ; Mon, 3 Jun 2024 14:34:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=72.21.196.25 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717425254; cv=none; b=LC6PZmPTskT2pXG5av6UCujlbWyYNAlkYGj/PuSvZYabmIdjxfrlNQERwLwhMKCuBkxRVyW2A2k8sLONDj4opDD9oxg/iMLFA0VLTAAX8iPb/sYcBkg3nHqXCutegzfmvI5uWRpL9flWebLX7tf6UCalX+JQlH3eehVz1FtdcPM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717425254; c=relaxed/simple; bh=UfHHCVbg5wCVJTFMOV0fEQn/YU9ICFZzOK6ibX077ZQ=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=RVX05u5+n+LB5vg41u7MJjm3y3w/TYYaH+mtYeqSo4hQCBKVkPKd4O8mVz73Hs3ySQxvV1zbILy8/3Fmj2h04n9By31R0KWVtl+A+9wgf3nEhDMcw4BWa/VW4SYU9eSUn6KEaoogqnpSofWApt6v1YH4gee7auS1VEvsjIq/4JQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amazon.com; spf=pass smtp.mailfrom=amazon.co.jp; dkim=pass (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b=irBahmNJ; arc=none smtp.client-ip=72.21.196.25 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amazon.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=amazon.co.jp Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b="irBahmNJ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1717425253; x=1748961253; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=fZ8pQa89N/N5F6IOvaiVfwf5AmkSaqfOB7N/3B+DckQ=; b=irBahmNJLazQ8dkJ0y03yUgXH9rFkdUhKNbVTD8YWdJbXeLyRZUeWwsa HKgz8VwEU+f7rsWhMflMmZ6aH5vBCoVpqG2fmEXAXbDqNTku02NPH87kV XBrEzoq8iJMZZamIsvn9eVLg+WkcbnF6oaes1bbmgkYJrv2snlxw4If75 o=; X-IronPort-AV: E=Sophos;i="6.08,211,1712620800"; d="scan'208";a="405257764" Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.43.8.6]) by smtp-border-fw-2101.iad2.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Jun 2024 14:34:09 +0000 Received: from EX19MTAUWB001.ant.amazon.com [10.0.7.35:42618] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.31.236:2525] with esmtp (Farcaster) id b311dcd6-8c4a-407e-8e08-e631488170fc; Mon, 3 Jun 2024 14:34:08 +0000 (UTC) X-Farcaster-Flow-ID: b311dcd6-8c4a-407e-8e08-e631488170fc Received: from EX19D004ANA001.ant.amazon.com (10.37.240.138) by EX19MTAUWB001.ant.amazon.com (10.250.64.248) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Mon, 3 Jun 2024 14:34:07 +0000 Received: from 88665a182662.ant.amazon.com (10.88.143.104) by EX19D004ANA001.ant.amazon.com (10.37.240.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Mon, 3 Jun 2024 14:34:05 +0000 From: Kuniyuki Iwashima To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni CC: Kuniyuki Iwashima , Kuniyuki Iwashima , Subject: [PATCH v1 net 03/15] af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). Date: Mon, 3 Jun 2024 07:32:19 -0700 Message-ID: <20240603143231.62085-4-kuniyu@amazon.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20240603143231.62085-1-kuniyu@amazon.com> References: <20240603143231.62085-1-kuniyu@amazon.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: EX19D031UWC002.ant.amazon.com (10.13.139.212) To EX19D004ANA001.ant.amazon.com (10.37.240.138) X-Patchwork-Delegate: kuba@kernel.org ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first and returns -EINVAL if it's TCP_LISTEN. Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of bytes in recvq. However, unix_inq_len() does not hold unix_state_lock(), and the concurrent listen() might change the state after checking sk->sk_state. If the race occurs, 0 is returned for the listener, instead of -EINVAL, because the length of skb with embryo is 0. We could hold unix_state_lock() in unix_inq_len(), but it's overkill given the result is true for pre-listen() TCP_CLOSE state. So, let's use READ_ONCE() for sk->sk_state in unix_inq_len(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima --- net/unix/af_unix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 124ca3af1452..dfb74822ed2e 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -3017,7 +3017,7 @@ long unix_inq_len(struct sock *sk) struct sk_buff *skb; long amount = 0; - if (sk->sk_state == TCP_LISTEN) + if (READ_ONCE(sk->sk_state) == TCP_LISTEN) return -EINVAL; spin_lock(&sk->sk_receive_queue.lock);