From: Al Viro <viro@zeniv.linux.org.uk>
To: Sasha Levin <sashal@kernel.org>
Cc: netdev@vger.kernel.org, David Miller <davem@davemloft.net>,
stable@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH][unix] missing barriers in some of unix_sock ->addr and ->path accesses
Date: Mon, 18 Feb 2019 21:32:46 +0000 [thread overview]
Message-ID: <20190218213246.GV2217@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20190218211434.05DF121773@mail.kernel.org>
On Mon, Feb 18, 2019 at 09:14:33PM +0000, Sasha Levin wrote:
> Hi,
>
> [This is an automated email]
>
> This commit has been processed because it contains a -stable tag.
Ugh... Should've removed Cc; stable from netdev posting; my apologies.
> How should we proceed with this patch?
Wait for it to get into davem's tree, for starters?
Sorry about that, again...
FWIW, further adventures in net/unix land:
unix_dgram_poll() contains
/* connection hasn't started yet? */
if (sk->sk_state == TCP_SYN_SENT)
return mask;
and nothing in there sets TCP_SYN_SENT state (not that it would've made
any sense of AF_UNIX).
unix_poll() contains
/* Connection-based need to check for termination and startup */
if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) &&
sk->sk_state == TCP_CLOSE)
while it can only be called as ->poll of unix_stream_ops, which means
that sk->sk_type can't be anything other that SOCK_STREAM in there.
static void scan_children(struct sock *x, void (*func)(struct unix_sock *),
struct sk_buff_head *hitlist)
{
if (x->sk_state != TCP_LISTEN) {
scan_inflight(x, func, hitlist);
} else {
...
has no exclusion or barriers to deal with the store of TCP_LISTEN into
->sk_state inside unix_listen(). That one's potentially nasty - we won't
find SCM_RIGHTS already queued to embrios in x's queue until we notice
that x->sk_state == TCP_LISTEN, which can happen between two calls of
scan_children() in the same unix_gc() run. The race is narrow, but not
impossible, AFAICS. Reasonably easy to fix - lift locking the queue
out of scan_inflight(), grab the queue lock before checking if it's
a listener and have unix_listen() either grab the queue lock around the
assignment to ->sk_state, or pump it up and down before dropping
unix_state_lock() (at which point connect() might be able to find it, etc.)
Al, still digging through net/unix...
next prev parent reply other threads:[~2019-02-18 21:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 20:09 [PATCH][unix] missing barriers in some of unix_sock ->addr and ->path accesses Al Viro
2019-02-18 21:14 ` Sasha Levin
2019-02-18 21:32 ` Al Viro [this message]
2019-02-19 1:30 ` Sasha Levin
2019-02-21 4:07 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190218213246.GV2217@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.