From: sashiko-bot@kernel.org
To: "Bryam Vargas" <hexlabsecurity@proton.me>
Cc: "Alexander Gordeev" <agordeev@linux.ibm.com>,
"Heiko Carstens" <hca@linux.ibm.com>,
"Vasily Gorbik" <gor@linux.ibm.com>,
linux-s390@vger.kernel.org
Subject: Re: [PATCH net] net/iucv: take a reference on the socket found in afiucv_hs_rcv()
Date: Tue, 07 Jul 2026 03:24:41 +0000 [thread overview]
Message-ID: <20260707032441.B1FB31F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260705-b4-disp-fc79c0dc-v1-1-d2cdcb57afa9@proton.me>
Thank you for your contribution! Sashiko AI review found 5 potential issue(s) to consider:
Pre-existing issues:
- [High] NULL Pointer Dereference in `afiucv_hs_callback_syn` error path.
- [High] Shared SKB Data Corruption by in-place modification.
- [High] Buffer Underflow panic due to unchecked `skb_push()`.
- [High] Memory leak of `message_q.list` elements on socket destruction.
- [High] Race Condition modifying socket state from softirq without checking `sock_owned_by_user()`.
--
commit 65314896d356a76bf086aa52125b656e444bcb3c
Author: Bryam Vargas <hexlabsecurity@proton.me>
Subject: net/iucv: take a reference on the socket found in afiucv_hs_rcv()
afiucv_hs_rcv() looks up the destination socket under iucv_sk_list.lock, drops
the lock, and passes the socket to handlers without holding a reference. This
commit takes a reference with sock_hold() while the socket is on the list and
releases it with sock_put() once the handler completes.
> diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
> index fed240b453bd9..b85fb9767dec2 100644
> --- a/net/iucv/af_iucv.c
> +++ b/net/iucv/af_iucv.c
[ ... ]
net/iucv/af_iucv.c:afiucv_hs_callback_syn() {
nsk = iucv_sock_alloc(NULL, GFP_ATOMIC, sk->sk_type, sk->sk_protocol);
if (!nsk) {
...
goto out;
}
...
out:
iucv_sock_kill(nsk);
}
[Severity: High]
This is a pre-existing issue, but does this error path cause a NULL pointer
dereference when memory allocation fails?
If iucv_sock_alloc() returns NULL under memory pressure, we jump to the out
label and pass NULL to iucv_sock_kill().
net/iucv/af_iucv.c:iucv_sock_kill() {
if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
return;
...
}
Will iucv_sock_kill() immediately dereference the NULL sk pointer when checking
the socket flags, causing a kernel panic?
[ ... ]
net/iucv/af_iucv.c:afiucv_hs_rcv() {
...
trans_hdr = iucv_trans_hdr(skb);
EBCASC(trans_hdr->destAppName, sizeof(trans_hdr->destAppName));
EBCASC(trans_hdr->destUserID, sizeof(trans_hdr->destUserID));
...
}
[Severity: High]
This isn't a bug introduced by this patch, but does this in-place modification
corrupt shared or cloned SKBs?
Since afiucv_hs_rcv() acts as a packet_type handler, the received SKB might be
cloned or shared with other consumers. Should we be using skb_share_check() or
skb_unshare() before destructively modifying the header with EBCASC()?
Similarly, in afiucv_swap_src_dest():
net/iucv/af_iucv.c:afiucv_swap_src_dest() {
...
ASCEBC(trans_hdr->destUserID, sizeof(trans_hdr->destUserID));
...
}
Does this further modify the shared SKB payload in-place?
[ ... ]
net/iucv/af_iucv.c:afiucv_swap_src_dest() {
...
skb_push(skb, ETH_HLEN);
...
}
[Severity: High]
This is a pre-existing issue, but does this skb_push() call cause a buffer
underflow panic?
When echoing packets back, this prepends a MAC header without verifying if the
SKB has sufficient headroom.
If a packet is injected locally or the incoming interface strips the MAC header
tightly, will the lack of skb_headroom() checks result in skb_under_panic()?
[ ... ]
net/iucv/af_iucv.c:iucv_sock_destruct() {
...
skb_queue_purge(&sk->sk_receive_queue);
skb_queue_purge(&sk->sk_error_queue);
...
}
[Severity: High]
This isn't a bug introduced by this patch, but does socket destruction leak
the dynamically allocated message_q.list items?
Incoming messages are allocated and appended to iucv->message_q.list in
iucv_callback_rx().
If the socket is destroyed before all messages are consumed by recvmsg(),
neither iucv_sock_destruct() nor iucv_sock_close() appears to iterate over and
free these elements:
net/iucv/af_iucv.c:iucv_sock_close() {
...
skb_queue_purge(&iucv->send_skb_q);
skb_queue_purge(&iucv->backlog_skb_q);
...
}
Could an abrupt disconnect permanently leak these unread items?
[ ... ]
net/iucv/af_iucv.c:afiucv_hs_callback_synack() {
...
bh_lock_sock(sk);
iucv->msglimit_peer = iucv_trans_hdr(skb)->window;
sk->sk_state = IUCV_CONNECTED;
sk->sk_state_change(sk);
bh_unlock_sock(sk);
...
}
[Severity: High]
This is a pre-existing issue, but does modifying the socket state from a
softirq context corrupt the socket state machine?
Since this handler runs in softirq context when network packets arrive, it
acquires the socket spinlock and directly mutates sk->sk_state.
If a user process is concurrently executing a system call and holds the socket
mutex via lock_sock(), does bypassing the backlog mechanism by failing to check
sock_owned_by_user() cause race conditions?
[ ... ]
> @@ -2089,6 +2089,8 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
> }
> }
> }
> + if (sk)
> + sock_hold(sk);
> read_unlock(&iucv_sk_list.lock);
> if (!iucv)
> sk = NULL;
> @@ -2138,6 +2140,8 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
> kfree_skb(skb);
> }
>
> + if (sk)
> + sock_put(sk);
> return err;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260705-b4-disp-fc79c0dc-v1-1-d2cdcb57afa9@proton.me?part=1
next prev parent reply other threads:[~2026-07-07 3:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 3:24 [PATCH net] net/iucv: take a reference on the socket found in afiucv_hs_rcv() Bryam Vargas via B4 Relay
2026-07-06 3:24 ` Bryam Vargas
2026-07-07 3:24 ` sashiko-bot [this message]
2026-07-09 17:17 ` Alexandra Winter
2026-07-11 4:11 ` Bryam Vargas
2026-07-08 16:06 ` Hidayathulla Khan I
2026-07-08 16:45 ` Hidayathulla Khan I
2026-07-10 14:30 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707032441.B1FB31F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=hexlabsecurity@proton.me \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.