From patchwork Tue Jun 4 16:52:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kuniyuki Iwashima X-Patchwork-Id: 13685677 X-Patchwork-Delegate: kuba@kernel.org Received: from smtp-fw-80006.amazon.com (smtp-fw-80006.amazon.com [99.78.197.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 544B5171BA for ; Tue, 4 Jun 2024 16:54:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=99.78.197.217 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717520050; cv=none; b=f+xwKVJcjGdvBQeT6pVdJUxJF+dCv6RAId5OrHKtQLQl/9cDIYTO9Km4Zmmn2PAPWPIUjn5nVaS5dHB2Dm5Q826nbijzeqDqhf4hIW3MNpz7B4wqsndGx4vaX+VAeUXhg8eqkHJhCHL+YCFv0ocifwQq2cYaplJ+lg798nMelcE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717520050; c=relaxed/simple; bh=8k5m8cjNXXfmJRjwptUKOMAfP+UlqXzkm0Kz+2C+CDo=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=cFckiBKO6S9i7880+Q6tsUGdswnzGT153TZkMCkUh+N1gz3zCbyfGHJLLldVn+Pa+Nz0tG4cVUa5WKPC8cY+gvuYVqz4HTvz4gREKkA4+SzJ9Jaz2tiV207Kbir3aJfw4ruZZbWRJEsz4fSutQbX0o9bxpnw79fBufZYXoxwcuY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amazon.com; spf=pass smtp.mailfrom=amazon.co.jp; dkim=pass (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b=KiQJOMkK; arc=none smtp.client-ip=99.78.197.217 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=amazon.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=amazon.co.jp Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b="KiQJOMkK" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1717520049; x=1749056049; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=6ZeZ6aVljVHv+upqFTHF2dLwvGr8bs4e5oAMavytojs=; b=KiQJOMkK5I0/qYnkKHftjx7zb7KSv1XNNGzsZ+dY2wlprkZMMpo8LB8n YpommBTzEik36Dj9+wy0ugz/dP9D/6jpM1TKw40BRVydE3d9pvcJCwwi4 pVuOsjfnMGPZTurQGsvTPzjuI8VeUicjAINHQSdN1cnSNQWFWLAb4JGDf s=; X-IronPort-AV: E=Sophos;i="6.08,214,1712620800"; d="scan'208";a="299734070" Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.25.36.214]) by smtp-border-fw-80006.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jun 2024 16:54:09 +0000 Received: from EX19MTAUWA002.ant.amazon.com [10.0.21.151:39358] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.1.52:2525] with esmtp (Farcaster) id 5777604f-30c9-4f16-a6ec-97a83c5b77d7; Tue, 4 Jun 2024 16:54:08 +0000 (UTC) X-Farcaster-Flow-ID: 5777604f-30c9-4f16-a6ec-97a83c5b77d7 Received: from EX19D004ANA001.ant.amazon.com (10.37.240.138) by EX19MTAUWA002.ant.amazon.com (10.250.64.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Tue, 4 Jun 2024 16:54:06 +0000 Received: from 88665a182662.ant.amazon.com (10.187.170.50) by EX19D004ANA001.ant.amazon.com (10.37.240.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Tue, 4 Jun 2024 16:54:04 +0000 From: Kuniyuki Iwashima To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni CC: Kuniyuki Iwashima , Kuniyuki Iwashima , Subject: [PATCH v2 net 03/15] af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). Date: Tue, 4 Jun 2024 09:52:29 -0700 Message-ID: <20240604165241.44758-4-kuniyu@amazon.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20240604165241.44758-1-kuniyu@amazon.com> References: <20240604165241.44758-1-kuniyu@amazon.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: EX19D031UWA001.ant.amazon.com (10.13.139.88) To EX19D004ANA001.ant.amazon.com (10.37.240.138) X-Patchwork-Delegate: kuba@kernel.org ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first and returns -EINVAL if it's TCP_LISTEN. Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of bytes in recvq. However, unix_inq_len() does not hold unix_state_lock(), and the concurrent listen() might change the state after checking sk->sk_state. If the race occurs, 0 is returned for the listener, instead of -EINVAL, because the length of skb with embryo is 0. We could hold unix_state_lock() in unix_inq_len(), but it's overkill given the result is true for pre-listen() TCP_CLOSE state. So, let's use READ_ONCE() for sk->sk_state in unix_inq_len(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima --- net/unix/af_unix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 424d021a4d7d..b37b53767b29 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -3017,7 +3017,7 @@ long unix_inq_len(struct sock *sk) struct sk_buff *skb; long amount = 0; - if (sk->sk_state == TCP_LISTEN) + if (READ_ONCE(sk->sk_state) == TCP_LISTEN) return -EINVAL; spin_lock(&sk->sk_receive_queue.lock);