From: Jens Axboe <axboe@kernel.dk>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
netdev@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org, edumazet@google.com,
pabeni@redhat.com, horms@kernel.org, kuniyu@google.com,
Willem de Bruijn <willemb@google.com>,
stable@vger.kernel.org
Subject: Re: [PATCH net] net: do not write to msg_get_inq in callee
Date: Tue, 6 Jan 2026 08:08:26 -0700
Message-ID: <aeaca3bf-b6e6-48e4-9493-6c200a49d1ec@kernel.dk>
In-Reply-To: <20260106150626.3944363-1-willemdebruijn.kernel@gmail.com>
On 1/6/26 8:05 AM, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@google.com>
>
> NULL pointer dereference fix.
>
> msg_get_inq is an input field from caller to callee. Don't set it in
> the callee, as the caller may not clear it on struct reuse.
>
> This is a kernel-internal variant of msghdr only, and the only user
> does reinitialize the field. So this is not critical for that reason.
> But it is more robust to avoid the write, and slightly simpler code.
> And it fixes a bug, see below.
>
> Callers set msg_get_inq to request the input queue length to be
> returned in msg_inq. This is equivalent to but independent from the
> SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).
> To reduce branching in the hot path the second also sets the msg_inq.
> That is WAI.
>
> This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for
> SO_INQ unless explicitly asked for"), which fixed the inverse.
>
> Also avoid NULL pointer dereference in unix_stream_read_generic if
> state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg
> can happen when splicing as of commit 2b514574f7e8 ("net: af_unix:
> implement splice for stream af_unix sockets").
>
> Also collapse two branches using a bitwise or.
>
> Cc: stable@vger.kernel.org
> Fixes: 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for")
> Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.24d8030f7a3de@gmail.com/
> Signed-off-by: Willem de Bruijn <willemb@google.com>
>
> ---
>
> Jens, I dropped your Reviewed-by because of the commit message updates.
> But code is unchanged.
Still looks good to me:
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Thanks for doing this!
--
Jens Axboe
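The struct-reuse hazard and the NULL msg case that the commit message describes, shown as an added C model rather than the kernel's own code: model_msghdr, model_sock, recv_before, recv_after and the two driver functions are assumptions made for illustration only, and the "before" variant reproduces the callee-writes-input shape the patch removes, not the actual af_unix code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the in/out contract from the commit message above.
 * These are not kernel structures: model_msghdr, model_sock and the two
 * recv_* functions are assumptions made for illustration only.
 */
struct model_msghdr {
	bool msg_get_inq;   /* in:  caller asks for the input queue length */
	int  msg_inq;       /* out: callee fills it in when asked */
};

struct model_sock {
	bool recvmsg_inq;   /* per-socket SO_INQ request (tp->recvmsg_inq analogue) */
	int  queued;        /* bytes waiting in the receive queue */
};

/* Before the fix: the callee writes the caller's input field and assumes
 * msg is non-NULL. A caller reusing the same header sees msg_get_inq
 * stick across calls, and a NULL msg (the splice path) dereferences NULL. */
static void recv_before(struct model_sock *sk, struct model_msghdr *msg)
{
	if (sk->recvmsg_inq)
		msg->msg_get_inq = true;
	if (msg->msg_get_inq)
		msg->msg_inq = sk->queued;
}

/* After the fix: msg_get_inq is read only, the two conditions collapse
 * into one branch with a bitwise or, and a NULL msg is simply skipped. */
static void recv_after(struct model_sock *sk, struct model_msghdr *msg)
{
	if (msg && (msg->msg_get_inq | sk->recvmsg_inq))
		msg->msg_inq = sk->queued;
}

#define INQ_UNSET (-1)

/*
 * Reuse one header across two sockets without resetting msg_get_inq,
 * the pattern the commit message warns about. The caller never asks for
 * msg_inq; only the first socket has SO_INQ enabled. Returns the msg_inq
 * the caller observes after the second receive (constructed input).
 */
static int reuse_header(bool use_fixed)
{
	struct model_sock sk_inq  = { .recvmsg_inq = true,  .queued = 3 };
	struct model_sock sk_none = { .recvmsg_inq = false, .queued = 7 };
	struct model_msghdr msg = { .msg_get_inq = false, .msg_inq = INQ_UNSET };
	void (*recv)(struct model_sock *, struct model_msghdr *) =
		use_fixed ? recv_after : recv_before;

	recv(&sk_inq, &msg);
	msg.msg_inq = INQ_UNSET;   /* caller resets the output, not the input */
	recv(&sk_none, &msg);
	return msg.msg_inq;
}

/* The splice-style call with no user msghdr. Only the fixed variant is
 * safe to call here; returns 0 once it has returned without touching anything. */
static int splice_without_msg(void)
{
	struct model_sock sk = { .recvmsg_inq = true, .queued = 5 };

	recv_after(&sk, NULL);
	return 0;
}

int main(void)
{
	printf("before fix, reused header leaks inq: %d\n", reuse_header(false));
	printf("after fix, reused header untouched:  %d\n", reuse_header(true));
	printf("after fix, NULL msg handled:         %d\n", splice_without_msg());
	return 0;
}
```

With the "before" shape the second receive reports 7 bytes the caller never asked about, because the first socket's SO_INQ setting was written into the reused header's input field; with the "after" shape the output stays at the caller's sentinel, and the NULL msg path returns without dereferencing anything.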
Thread overview: 5+ messages
2026-01-06 15:05 [PATCH net] net: do not write to msg_get_inq in callee Willem de Bruijn
2026-01-06 15:08 ` Jens Axboe [this message]
2026-01-06 15:13 ` Eric Dumazet
2026-01-07 7:41 ` Kuniyuki Iwashima
2026-01-08 16:50 ` patchwork-bot+netdevbpf