From: Al Viro
To: netdev@vger.kernel.org
Subject: [RFC] odd checks in AF_UNIX ->recvmsg()
Date: Wed, 20 Feb 2019 19:47:39 +0000
Message-ID: <20190220194739.GY2217@ZenIV.linux.org.uk>

Can ->recvmsg() (or ->splice_read(), for that matter) overlap with ->release() of the socket it's reading from? I'd always assumed that to be impossible, but we have this in unix_stream_read_generic():

redo:
	unix_state_lock(sk);
	if (sock_flag(sk, SOCK_DEAD)) {
		err = -ECONNRESET;
		goto unlock;
	}
	last = skb = skb_peek(&sk->sk_receive_queue);
	last_len = last ? last->len : 0;
	...

and sk comes from state->socket->sk, i.e. sock->sk of unix_stream_recvmsg() and unix_stream_splice_read(). IOW, the socket being read from. And SOCK_DEAD is only set by sock_orphan(), which means that socket would have to have gone through ->release(). What am I missing and how is that supposed to be triggered? Note that e.g. shutdown(2) doesn't set SOCK_DEAD - its effects are in ->sk_shutdown and the same unix_stream_read_generic() does check for those separately.
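As an added user-space illustration (not part of Al Viro's mail or of the kernel tree) of the distinction the mail draws between SOCK_DEAD and ->sk_shutdown, the following Linux-only C program drives an AF_UNIX socketpair through the three end-of-stream situations a reader can actually observe: shutdown(SHUT_RD) on the reading socket (RCV_SHUTDOWN only; queued data is still delivered, then EOF), a peer close() with nothing unread (plain EOF), and a peer close() while the closed socket still holds unread data in its own receive queue, where the ECONNRESET the survivor sees arrives through sk_err and sock_error(), not through the SOCK_DEAD branch quoted above. The function names, the sample strings and the MSG_DONTWAIT probing are the example's own choices; the kernel-side explanations in the comments summarize unix_shutdown() and unix_release_sock() and are stated as the example's assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One non-blocking recv() folded into an int: >0 bytes read, 0 EOF,
 * <0 is -errno.  MSG_DONTWAIT keeps the probes from ever sleeping. */
static int try_recv(int fd)
{
    char buf[64];
    ssize_t n = recv(fd, buf, sizeof buf, MSG_DONTWAIT);
    return n < 0 ? -errno : (int)n;
}

/* Case 1: shutdown(SHUT_RD) on the reading socket.  Assumption (from
 * unix_shutdown()): this only ORs RCV_SHUTDOWN into sk->sk_shutdown and
 * does not touch the receive queue, so already-queued bytes are still
 * returned and only an empty queue yields EOF.  Returns 1 when the
 * observed sequence is "5 bytes, then 0". */
int probe_shutdown_rd(void)
{
    int fds[2], ok = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
        return 0;
    if (send(fds[1], "hello", 5, MSG_NOSIGNAL) == 5 &&   /* constructed sample */
        shutdown(fds[0], SHUT_RD) == 0 &&
        try_recv(fds[0]) == 5 &&   /* queued data survives the shutdown */
        try_recv(fds[0]) == 0)     /* then EOF from RCV_SHUTDOWN, not a reset */
        ok = 1;
    close(fds[0]);
    close(fds[1]);
    return ok;
}

/* Case 2: the peer is close()d with nothing left unread.  Assumption (from
 * unix_release_sock()): the released socket is the one that becomes
 * SOCK_DEAD via sock_orphan(), and its fd is gone, so no recv() can ever
 * run on it; the survivor merely gets SHUTDOWN_MASK in sk_shutdown and
 * reads EOF.  Returns the recv() outcome, expected 0. */
int probe_peer_close_clean(void)
{
    int fds[2], r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
        return -errno;
    close(fds[1]);
    r = try_recv(fds[0]);
    close(fds[0]);
    return r;
}

/* Case 3: the peer is close()d while ITS receive queue still holds data.
 * Assumption (from unix_release_sock()): the survivor's sk_err is set to
 * ECONNRESET, and unix_stream_read_generic() surfaces it through
 * sock_error() once the survivor's own queue is empty.  So the reset a
 * user sees comes from sk_err, not from the SOCK_DEAD branch.  Returns
 * the recv() outcome, expected -ECONNRESET. */
int probe_peer_close_with_unread(void)
{
    int fds[2], r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
        return -errno;
    if (send(fds[0], "unread", 6, MSG_NOSIGNAL) != 6) {   /* constructed sample */
        r = -errno;
        close(fds[0]);
        close(fds[1]);
        return r;
    }
    close(fds[1]);         /* fds[1] dies with "unread" still queued */
    r = try_recv(fds[0]);
    close(fds[0]);
    return r;
}

int main(void)
{
    int r;
    printf("shutdown(SHUT_RD): %s\n",
           probe_shutdown_rd() ? "queued data, then EOF" : "unexpected");
    r = probe_peer_close_clean();
    printf("peer close, nothing unread: %d%s\n", r, r == 0 ? " (EOF)" : "");
    r = probe_peer_close_with_unread();
    printf("peer close, unread data: %d (%s)\n", r,
           r < 0 ? strerror(-r) : "no error");
    return 0;
}
```

Run it on a Linux box and the three lines map one-to-one onto the checks in unix_stream_read_generic(): the RCV_SHUTDOWN test produces the EOF in cases 1 and 2, sock_error() produces the reset in case 3, and nothing in user space can arrange for the SOCK_DEAD test on the reading socket to fire, because the only socket that is ever orphaned is the one whose last fd has already been closed.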