From: Stanislav Fomichev <sdf.kernel@gmail.com>
To: Breno Leitao <leitao@debian.org>
Cc: Chas Williams <3chas3@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Magnus Karlsson <magnus.karlsson@intel.com>,
Maciej Fijalkowski <maciej.fijalkowski@intel.com>,
Stanislav Fomichev <sdf@fomichev.me>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Jesper Dangaard Brouer <hawk@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
Jon Maloy <jmaloy@redhat.com>,
Alexandra Winter <wintera@linux.ibm.com>,
Thorsten Winkler <twinkler@linux.ibm.com>,
James Chapman <jchapman@katalix.com>,
David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
David Heidelberg <david+nfc@ixit.cz>,
Samuel Ortiz <sameo@linux.intel.com>,
linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
tipc-discussion@lists.sourceforge.net,
linux-s390@vger.kernel.org, linux-afs@lists.infradead.org,
oe-linux-nfc@lists.linux.dev, kernel-team@meta.com
Subject: Re: [PATCH net-next v2 1/7] af_iucv: take socket lock around SO_MSGSIZE getsockopt
Date: Fri, 15 May 2026 13:45:27 -0700 [thread overview]
Message-ID: <ageFn6UV-c-pOPBW@devvm7509.cco0.facebook.com> (raw)
In-Reply-To: <20260515-getsock_four-v2-1-0d8eed952627@debian.org>
On 05/15, Breno Leitao wrote:
> Mirror the locking used by the SO_MSGLIMIT case directly above: take
> lock_sock() before reading iucv->hs_dev and dereferencing hs_dev->mtu,
> and release it afterwards. This keeps the two adjacent getsockopt arms
> consistent and matches the lock held by iucv_sock_close() when it
> clears hs_dev.
>
> This is not an exploitable bug. iucv_sock_close() is the only writer
> of iucv->hs_dev and only runs from the protocol release callback,
> which the socket layer invokes after the last file reference drops.
> The getsockopt() syscall holds an fd reference for its entire
> duration via fdget()/fdput(), so iucv_sock_close() cannot run
> concurrently with the SO_MSGSIZE read on the same socket. There is
> no other writer of hs_dev, and the aligned pointer load cannot tear
> on any architecture Linux supports, so the existing code cannot
> observe a NULL dereference or use-after-free in practice.
>
> The change is purely defensive: making the locking pattern uniform
> across the function avoids surprising the next reader and removes a
> foot-gun should the close path ever grow a new caller that does not
> hold the fd reference.
>
> Note: For the reason above, it doesn't contain a "Fixes" tag, and is
> aiming at net-next instead of net.
>
> Signed-off-by: Breno Leitao <leitao@debian.org>
> ---
> net/iucv/af_iucv.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
> index 72dfccd4e3d58..3dd11d7a967c8 100644
> --- a/net/iucv/af_iucv.c
> +++ b/net/iucv/af_iucv.c
> @@ -1566,9 +1566,11 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
> case SO_MSGSIZE:
> if (sk->sk_state == IUCV_OPEN)
> return -EBADFD;
> + lock_sock(sk);
> val = (iucv->hs_dev) ? iucv->hs_dev->mtu -
> sizeof(struct af_iucv_trans_hdr) - ETH_HLEN :
> 0x7fffffff;
> + release_sock(sk);
> break;
> default:
> return -ENOPROTOOPT;
>
SO_IPRMDATA_MSG also seems to be only reading the value set via setsockopt,
so maybe it's ok to just cover the whole switch with lock/unlock? (will
mirror what setsockopt does)
next prev parent reply other threads:[~2026-05-15 20:45 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-15 8:32 [PATCH net-next v2 0/7] net: convert atm/xdp/af_iucv/l2tp_ppp/rxrpc/tipc to getsockopt_iter Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 1/7] af_iucv: take socket lock around SO_MSGSIZE getsockopt Breno Leitao
2026-05-15 20:45 ` Stanislav Fomichev [this message]
2026-05-16 8:34 ` sashiko-bot
2026-05-15 8:32 ` [PATCH net-next v2 2/7] af_iucv: convert to getsockopt_iter Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 3/7] atm: " Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 4/7] xdp: " Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 5/7] l2tp: ppp: " Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 6/7] rxrpc: " Breno Leitao
2026-05-15 8:32 ` [PATCH net-next v2 7/7] tipc: " Breno Leitao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ageFn6UV-c-pOPBW@devvm7509.cco0.facebook.com \
--to=sdf.kernel@gmail.com \
--cc=3chas3@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=david+nfc@ixit.cz \
--cc=dhowells@redhat.com \
--cc=edumazet@google.com \
--cc=hawk@kernel.org \
--cc=horms@kernel.org \
--cc=jchapman@katalix.com \
--cc=jmaloy@redhat.com \
--cc=john.fastabend@gmail.com \
--cc=kernel-team@meta.com \
--cc=kuba@kernel.org \
--cc=leitao@debian.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-atm-general@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=maciej.fijalkowski@intel.com \
--cc=magnus.karlsson@intel.com \
--cc=marc.dionne@auristor.com \
--cc=netdev@vger.kernel.org \
--cc=oe-linux-nfc@lists.linux.dev \
--cc=pabeni@redhat.com \
--cc=sameo@linux.intel.com \
--cc=sdf@fomichev.me \
--cc=tipc-discussion@lists.sourceforge.net \
--cc=twinkler@linux.ibm.com \
--cc=wintera@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.