[PATCH v2 net 03/15] af_unix: Annotate data-race of sk->sk_state in unix_inq_len().

[PATCH v2 net 00/15] af_unix: Fix lockless access of sk->sk_state and others fields. · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-04
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Michal Luczaj <hidden> · 2024-06-09
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-09
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-09
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Michal Luczaj <hidden> · 2024-06-10
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-10
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Michal Luczaj <hidden> · 2024-06-16
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-17
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Michal Luczaj <hidden> · 2024-06-19
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-19
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Michal Luczaj <hidden> · 2024-06-20
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-20
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Michal Luczaj <hidden> · 2024-06-22
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-23
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Michal Luczaj <hidden> · 2024-06-26
Re: [PATCH v2 net 01/15] af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. · Kuniyuki Iwashima <hidden> · 2024-06-26
[PATCH v2 net 02/15] af_unix: Annodate data-races around sk->sk_state for writers. · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 03/15] af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 04/15] af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 05/15] af_unix: Annotate data-race of sk->sk_state in unix_stream_connect(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 06/15] af_unix: Annotate data-race of sk->sk_state in unix_accept(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 07/15] af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 08/15] af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 09/15] af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 10/15] af_unix: Annotate data-races around sk->sk_sndbuf. · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 11/15] af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 12/15] af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 13/15] af_unix: Use skb_queue_empty_lockless() in unix_release_sock(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 14/15] af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). · Kuniyuki Iwashima <hidden> · 2024-06-04
[PATCH v2 net 15/15] af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). · Kuniyuki Iwashima <hidden> · 2024-06-04
Re: [PATCH v2 net 00/15] af_unix: Fix lockless access of sk->sk_state and others fields. · patchwork-bot+netdevbpf@kernel.org · 2024-06-06

STALE706d

Revisions (2)

2024-06-03 v1 [diff vs current]
2024-06-04 v2 current

From: Kuniyuki Iwashima <hidden>
Date: 2024-06-04 16:54:09
Subsystem: networking [general], networking [unix sockets], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Kuniyuki Iwashima, Linus Torvalds

ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first
and returns -EINVAL if it's TCP_LISTEN.

Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of
bytes in recvq.

However, unix_inq_len() does not hold unix_state_lock(), and the
concurrent listen() might change the state after checking sk->sk_state.

If the race occurs, 0 is returned for the listener, instead of -EINVAL,
because the length of skb with embryo is 0.

We could hold unix_state_lock() in unix_inq_len(), but it's overkill
given the result is true for pre-listen() TCP_CLOSE state.

So, let's use READ_ONCE() for sk->sk_state in unix_inq_len().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <redacted>
---
 net/unix/af_unix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 424d021a4d7d..b37b53767b29 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c

@@ -3017,7 +3017,7 @@ long unix_inq_len(struct sock *sk)
 	struct sk_buff *skb;
 	long amount = 0;
 
-	if (sk->sk_state == TCP_LISTEN)
+	if (READ_ONCE(sk->sk_state) == TCP_LISTEN)
 		return -EINVAL;
 
 	spin_lock(&sk->sk_receive_queue.lock);

-- 
2.30.2

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help