From: Breno Leitao <leitao@debian.org>
To: Alexandra Winter <wintera@linux.ibm.com>
Cc: Stanislav Fomichev <sdf.kernel@gmail.com>,
Chas Williams <3chas3@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Magnus Karlsson <magnus.karlsson@intel.com>,
Maciej Fijalkowski <maciej.fijalkowski@intel.com>,
Stanislav Fomichev <sdf@fomichev.me>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Jesper Dangaard Brouer <hawk@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Jon Maloy <jmaloy@redhat.com>,
Thorsten Winkler <twinkler@linux.ibm.com>,
James Chapman <jchapman@katalix.com>,
David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
David Heidelberg <david+nfc@ixit.cz>,
Samuel Ortiz <sameo@linux.intel.com>,
linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
tipc-discussion@lists.sourceforge.net,
linux-s390@vger.kernel.org, linux-afs@lists.infradead.org,
oe-linux-nfc@lists.linux.dev, kernel-team@meta.com
Subject: Re: [PATCH net-next v2 1/7] af_iucv: take socket lock around SO_MSGSIZE getsockopt
Date: Wed, 20 May 2026 09:03:14 -0700 [thread overview]
Message-ID: <ag3aAv4AV7VXQnKo@gmail.com> (raw)
In-Reply-To: <732d4698-8b36-4803-9c81-ae9865b3f943@linux.ibm.com>
On Mon, May 18, 2026 at 02:00:01PM +0200, Alexandra Winter wrote:
> On 15.05.26 22:45, Stanislav Fomichev wrote:
> > On 05/15, Breno Leitao wrote:
> >> This is not an exploitable bug. iucv_sock_close() is the only writer
> >> of iucv->hs_dev and only runs from the protocol release callback,
> >> which the socket layer invokes after the last file reference drops.
> >> The getsockopt() syscall holds an fd reference for its entire
> >> duration via fdget()/fdput(), so iucv_sock_close() cannot run
> >> concurrently with the SO_MSGSIZE read on the same socket. There is
> >> no other writer of hs_dev, and the aligned pointer load cannot tear
> >> on any architecture Linux supports, so the existing code cannot
> >> observe a NULL dereference or use-after-free in practice.
>
> Actually iucv_sock_bind() and afiucv_hs_callback_syn() also write hs_dev,
> but iucv_sock_close() is the only instance that clears it to NULL.
> Maybe there is another wording than 'writer'?
Good point, you are right. I'll reword it to be precise — something
like "iucv_sock_close() is the only writer that clears hs_dev to NULL",
and call out the other writers (iucv_sock_bind() and
afiucv_hs_callback_syn()) so the reader has the full picture.
> >> diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
> >> index 72dfccd4e3d58..3dd11d7a967c8 100644
> >> --- a/net/iucv/af_iucv.c
> >> +++ b/net/iucv/af_iucv.c
> >> @@ -1566,9 +1566,11 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
> >> case SO_MSGSIZE:
> >> if (sk->sk_state == IUCV_OPEN)
> >> return -EBADFD;
> >> + lock_sock(sk);
> >> val = (iucv->hs_dev) ? iucv->hs_dev->mtu -
> >> sizeof(struct af_iucv_trans_hdr) - ETH_HLEN :
> >> 0x7fffffff;
> >> + release_sock(sk);
> >> break;
> >> default:
> >> return -ENOPROTOOPT;
> >>
> >
> > SO_IPRMDATA_MSG also seems to be only reading the value set via setsockopt,
> > so maybe it's ok to just cover the whole switch with lock/unlock? (will
> > mirror what setsockopt does)
> >
>
> I like that idea.
Ack, let me implement it and respin.
> Feel free to split this improvement out from your series, if that is more convenient for you.
That is what I was planning to do, but, it will cause some merge conflict
later, so, I decided to get both of them on the same series, so, it apply
cleanly. Let's try it once more in the same series, if this patch doesn't set
easily, I will split it in v4.
Thanks for the review,
--breno
next prev parent reply other threads:[~2026-05-20 16:03 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-15 8:32 [PATCH net-next v2 0/7] net: convert atm/xdp/af_iucv/l2tp_ppp/rxrpc/tipc to getsockopt_iter Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 1/7] af_iucv: take socket lock around SO_MSGSIZE getsockopt Breno Leitao
2026-05-15 20:45 ` Stanislav Fomichev
2026-05-18 12:00 ` Alexandra Winter
2026-05-20 16:03 ` Breno Leitao [this message]
2026-05-20 16:49 ` Breno Leitao
2026-05-16 8:34 ` sashiko-bot
2026-05-20 16:14 ` Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 2/7] af_iucv: convert to getsockopt_iter Breno Leitao
2026-05-18 12:00 ` Alexandra Winter
2026-05-15 8:32 ` [PATCH net-next v2 3/7] atm: " Breno Leitao
2026-05-19 14:04 ` Paolo Abeni
2026-05-20 15:50 ` Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 4/7] xdp: " Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 5/7] l2tp: ppp: " Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 6/7] rxrpc: " Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 7/7] tipc: " Breno Leitao
2026-05-19 14:08 ` Paolo Abeni
2026-05-20 15:51 ` Breno Leitao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ag3aAv4AV7VXQnKo@gmail.com \
--to=leitao@debian.org \
--cc=3chas3@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=david+nfc@ixit.cz \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=hawk@kernel.org \
--cc=horms@kernel.org \
--cc=jchapman@katalix.com \
--cc=jmaloy@redhat.com \
--cc=john.fastabend@gmail.com \
--cc=kernel-team@meta.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-atm-general@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=maciej.fijalkowski@intel.com \
--cc=magnus.karlsson@intel.com \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=oe-linux-nfc@lists.linux.dev \
--cc=pabeni@redhat.com \
--cc=sameo@linux.intel.com \
--cc=sdf.kernel@gmail.com \
--cc=sdf@fomichev.me \
--cc=tipc-discussion@lists.sourceforge.net \
--cc=twinkler@linux.ibm.com \
--cc=wintera@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.