[PATCH 5.15 020/203] af_unix: Fix a data race of sk->sk_receive_queue->qlen.


Greg Kroah-Hartman

May 22, 2023, 3:13:10 PM5/22/23
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Kuniyuki Iwashima, Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin
From: Kuniyuki Iwashima <kun...@amazon.com>

[ Upstream commit 679ed006d416ea0cecfe24a99d365d1dea69c683 ]

KCSAN found a data race of sk->sk_receive_queue->qlen where recvmsg()
updates qlen under the queue lock and sendmsg() checks qlen under
unix_state_sock(), not the queue lock, so the reader side needs
READ_ONCE().

BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_wait_for_peer

write (marked) to 0xffff888019fe7c68 of 4 bytes by task 49792 on cpu 0:
__skb_unlink include/linux/skbuff.h:2347 [inline]
__skb_try_recv_from_queue+0x3de/0x470 net/core/datagram.c:197
__skb_try_recv_datagram+0xf7/0x390 net/core/datagram.c:263
__unix_dgram_recvmsg+0x109/0x8a0 net/unix/af_unix.c:2452
unix_dgram_recvmsg+0x94/0xa0 net/unix/af_unix.c:2549
sock_recvmsg_nosec net/socket.c:1019 [inline]
____sys_recvmsg+0x3a3/0x3b0 net/socket.c:2720
___sys_recvmsg+0xc8/0x150 net/socket.c:2764
do_recvmmsg+0x182/0x560 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x153/0x170 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffff888019fe7c68 of 4 bytes by task 49793 on cpu 1:
skb_queue_len include/linux/skbuff.h:2127 [inline]
unix_recvq_full net/unix/af_unix.c:229 [inline]
unix_wait_for_peer+0x154/0x1a0 net/unix/af_unix.c:1445
unix_dgram_sendmsg+0x13bc/0x14b0 net/unix/af_unix.c:2048
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg+0x148/0x160 net/socket.c:747
____sys_sendmsg+0x20e/0x620 net/socket.c:2503
___sys_sendmsg+0xc6/0x140 net/socket.c:2557
__sys_sendmmsg+0x11d/0x370 net/socket.c:2643
__do_sys_sendmmsg net/socket.c:2672 [inline]
__se_sys_sendmmsg net/socket.c:2669 [inline]
__x64_sys_sendmmsg+0x58/0x70 net/socket.c:2669
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0x0000000b -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 49793 Comm: syz-executor.0 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzk...@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kun...@amazon.com>
Reviewed-by: Eric Dumazet <edum...@google.com>
Reviewed-by: Michal Kubiak <michal...@intel.com>
Signed-off-by: Jakub Kicinski <ku...@kernel.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
net/unix/af_unix.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index a96026dbdf94e..230e20cd986e2 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1307,7 +1307,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)

sched = !sock_flag(other, SOCK_DEAD) &&
!(other->sk_shutdown & RCV_SHUTDOWN) &&
- unix_recvq_full(other);
+ unix_recvq_full_lockless(other);

unix_state_unlock(other);

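Review bot: the one-line switch to unix_recvq_full_lockless() relies on a helper whose definition is not in this diff (the diffstat is 1 insertion, 1 deletion), so the backport silently assumes the 5.15 tree at a96026dbdf94e already carries unix_recvq_full_lockless() with the READ_ONCE() on qlen that the commit message calls for; the stable submission should state that, or name the commit that introduced the helper, so a reviewer can confirm it exists rather than take it on trust. The hunk itself is consistent with the message: the check runs with unix_state_lock() held (the unix_state_unlock(other) two lines down shows that) and not the queue lock, so this is exactly the reader that needs the lockless form, while unix_recvq_full() remains the right call for readers that do hold the queue lock.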
--
2.39.2
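As an added example, not code from the kernel or from this patch, here is a userspace C model of the locking the commit message describes: qlen is modified only under the queue lock, while the sender in unix_wait_for_peer() decides whether to sleep under unix_state_lock(), so it must read qlen as a READ_ONCE() snapshot rather than through the lock-assuming helper. The struct layouts, pthread mutexes standing in for the kernel's spinlocks, sched_yield() in place of schedule_timeout(), the demo-only qlen_peak field and the helper names full_check() and run_demo() are all assumptions of this example; the READ_ONCE()/WRITE_ONCE() macros are the volatile-cast form the kernel uses for naturally sized scalars.

```c
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>

/* Kernel-style single-copy accessors: the volatile cast stops the compiler
 * from tearing, merging or re-reading an access to memory that another CPU
 * may be writing at the same time. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

struct sk_buff_head {
    pthread_mutex_t lock;   /* the queue lock: the only lock that protects qlen */
    unsigned int qlen;
    unsigned int qlen_peak; /* demo-only: highest qlen reached, updated under lock */
};

struct sock {
    pthread_mutex_t state_lock;      /* unix_state_lock(): socket state, not the queue */
    unsigned int sk_max_ack_backlog; /* backlog limit; treated as constant here */
    struct sk_buff_head sk_receive_queue;
};

/* Enqueue side (sendmsg): qlen changes only under the queue lock. */
static void skb_queue_tail(struct sk_buff_head *q)
{
    pthread_mutex_lock(&q->lock);
    WRITE_ONCE(q->qlen, q->qlen + 1);
    if (q->qlen > q->qlen_peak)
        q->qlen_peak = q->qlen;
    pthread_mutex_unlock(&q->lock);
}

/* Dequeue side (recvmsg / __skb_unlink): the marked write in the KCSAN report. */
static int skb_dequeue(struct sk_buff_head *q)
{
    int got = 0;

    pthread_mutex_lock(&q->lock);
    if (q->qlen) {
        WRITE_ONCE(q->qlen, q->qlen - 1);
        got = 1;
    }
    pthread_mutex_unlock(&q->lock);
    return got;
}

/* Correct only while the caller holds sk_receive_queue.lock. */
static int unix_recvq_full(const struct sock *sk)
{
    return sk->sk_receive_queue.qlen > sk->sk_max_ack_backlog;
}

/* For callers holding unix_state_lock() or nothing: a READ_ONCE() snapshot.
 * qlen may change right after the read, so this answers "should I sleep?",
 * it is not a guarantee about the queue. */
static int unix_recvq_full_lockless(const struct sock *sk)
{
    return READ_ONCE(sk->sk_receive_queue.qlen) >
           READ_ONCE(sk->sk_max_ack_backlog);
}

/* Single-threaded: both helpers must agree on a fixed (qlen, backlog).
 * Returns the verdict, or -1 if they disagree. */
static int full_check(unsigned int qlen, unsigned int backlog)
{
    struct sock sk = { .sk_max_ack_backlog = backlog };
    int locked, lockless;

    pthread_mutex_init(&sk.sk_receive_queue.lock, NULL);
    sk.sk_receive_queue.qlen = qlen;
    pthread_mutex_lock(&sk.sk_receive_queue.lock);
    locked = unix_recvq_full(&sk);
    pthread_mutex_unlock(&sk.sk_receive_queue.lock);
    lockless = unix_recvq_full_lockless(&sk);
    return locked == lockless ? lockless : -1;
}

struct demo {
    struct sock other;
    unsigned int nmsgs;
    unsigned int received;
};

/* Sender: unix_dgram_sendmsg() + unix_wait_for_peer(). The back-off decision is
 * taken under the state lock with the lockless helper, the pattern of the hunk. */
static void *sender(void *arg)
{
    struct demo *d = arg;

    for (unsigned int i = 0; i < d->nmsgs; i++) {
        for (;;) {
            int sched;

            pthread_mutex_lock(&d->other.state_lock);
            sched = unix_recvq_full_lockless(&d->other);
            pthread_mutex_unlock(&d->other.state_lock);
            if (!sched)
                break;
            sched_yield();          /* stands in for schedule_timeout() */
        }
        skb_queue_tail(&d->other.sk_receive_queue);
    }
    return NULL;
}

/* Receiver: recvmsg() draining the queue under the queue lock. */
static void *receiver(void *arg)
{
    struct demo *d = arg;

    while (d->received < d->nmsgs) {
        if (skb_dequeue(&d->other.sk_receive_queue))
            d->received++;
        else
            sched_yield();
    }
    return NULL;
}

/* One sender against one receiver. Returns 1 if every datagram arrived, the
 * queue ended empty, and the stale snapshot never cost more than the single
 * datagram the sender had already decided to send (qlen <= backlog + 1). */
static int run_demo(unsigned int nmsgs, unsigned int backlog)
{
    struct demo d = { .nmsgs = nmsgs };
    pthread_t s, r;

    pthread_mutex_init(&d.other.state_lock, NULL);
    pthread_mutex_init(&d.other.sk_receive_queue.lock, NULL);
    d.other.sk_max_ack_backlog = backlog;
    if (pthread_create(&r, NULL, receiver, &d))
        abort();
    if (pthread_create(&s, NULL, sender, &d))
        abort();
    pthread_join(s, NULL);
    pthread_join(r, NULL);
    return d.received == nmsgs &&
           d.other.sk_receive_queue.qlen == 0 &&
           d.other.sk_receive_queue.qlen_peak <= backlog + 1;
}

int main(void)
{
    printf("full_check(11,10)=%d full_check(10,10)=%d run_demo=%d\n",
           full_check(11, 10), full_check(10, 10), run_demo(200000, 8));
    return 0;
}
```

Build with gcc -O2 -Wall -pthread. The point the model makes is that the lockless helper is only a snapshot: even with a single sender the queue can reach backlog + 1 after the sender saw "not full", which is why unix_wait_for_peer() uses it purely to decide whether to schedule, while the queue lock stays the authority for the real length and the locked unix_recvq_full() remains correct for callers that hold it.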



Greg Kroah-Hartman

May 22, 2023, 3:24:24 PM5/22/23
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Kuniyuki Iwashima, Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin
index 7d17601ceee79..3b292a7a1fa58 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1441,7 +1441,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)

Greg Kroah-Hartman

May 22, 2023, 3:38:01 PM5/22/23
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Kuniyuki Iwashima, Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin
index 0b0f18ecce447..0a54959e5b944 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1442,7 +1442,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)

Greg Kroah-Hartman

May 28, 2023, 3:13:16 PM5/28/23
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Kuniyuki Iwashima, Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin
index 0e494902fadaa..375d4e20efd6b 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1236,7 +1236,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)

Greg Kroah-Hartman

May 28, 2023, 3:16:28 PM5/28/23
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Kuniyuki Iwashima, Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin
index e79c329427964..0b2d466fb8585 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1232,7 +1232,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)

Greg Kroah-Hartman

May 28, 2023, 3:23:21 PM5/28/23
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Kuniyuki Iwashima, Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin
index f33e90bd0683b..35a941684f16e 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1227,7 +1227,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)

Greg Kroah-Hartman

May 28, 2023, 3:39:26 PM5/28/23
to sta...@vger.kernel.org, Greg Kroah-Hartman, pat...@lists.linux.dev, syzbot, Kuniyuki Iwashima, Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin
index 28721e9575b75..a210275368560 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1236,7 +1236,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)