* [PATCH] net/iucv: fix UAF in afiucv_netdev_event()
@ 2026-05-08 16:38 Nagamani PV
2026-05-11 9:02 ` Heiko Carstens
From: Nagamani PV @ 2026-05-08 16:38 UTC (permalink / raw)
To: wintera, aswin, sidraya, hidayath, pasic, mjambigi, dk, twinkler,
jaka, wenjia, gbayer, linux390-list
Cc: Nagamani PV, stable, syzbotz+89435e7383b82238dd91
afiucv_netdev_event() traverses iucv_sk_list without holding
iucv_sk_list.lock.

A concurrent socket teardown can unlink and free the socket via
iucv_sock_kill() while the notifier path is still iterating over
the list, leading to a possible use-after-free when dereferencing
the socket.

Protect the traversal using the existing read-side lock, matching
the locking pattern already used by other iucv_sk_list traversal
paths in af_iucv.c.

Use read_lock()/read_unlock() to remain consistent with existing
softirq/tasklet-side readers in the same file.

Fixes: 9fbd87d41392 ("af_iucv: handle netdev events")
Cc: stable@vger.kernel.org
Reported-by: syzbotz+89435e7383b82238dd91@linux.ibm.com
Closes: https://lnxgwne1.boeblingen.de.ibm.com/linux-ci/syzbot/dashboard/bug?extid=89435e7383b82238dd91
Suggested-by: Hidayath Khan <hidayath@linux.ibm.com>
Signed-off-by: Nagamani PV <nagamani@linux.ibm.com>
---
net/iucv/af_iucv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 72dfccd4e3d5..e8a0b55fc55d 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -2188,6 +2188,7 @@ static int afiucv_netdev_event(struct notifier_block *this,
switch (event) {
case NETDEV_REBOOT:
case NETDEV_GOING_DOWN:
+ read_lock(&iucv_sk_list.lock);
sk_for_each(sk, &iucv_sk_list.head) {
iucv = iucv_sk(sk);
if ((iucv->hs_dev == event_dev) &&
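Review bot: the read_lock() added at the top of the NETDEV_REBOOT/NETDEV_GOING_DOWN arm is taken from the netdevice notifier chain, which the replies below confirm runs in process context with bottom halves enabled, while the list's writers use write_lock_bh() and its other readers run from softirq; if any writer can run in softirq on the CPU that holds this read side, that CPU deadlocks, so this should be read_lock_bh(&iucv_sk_list.lock), and the commit message's justification ("consistent with existing softirq/tasklet-side readers") does not apply to a process-context caller. Also, the loop body now runs under a spinning lock, so check that nothing in the lines elided between this hunk and the next (before sk->sk_state_change(sk)) can sleep or take iucv_sk_list.lock for writing.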
@@ -2198,6 +2199,7 @@ static int afiucv_netdev_event(struct notifier_block *this,
sk->sk_state_change(sk);
}
}
+ read_unlock(&iucv_sk_list.lock);
break;
case NETDEV_DOWN:
case NETDEV_UNREGISTER:
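Review bot: read_unlock() here has to change in lockstep with the acquire in the previous hunk (read_unlock_bh() if that becomes read_lock_bh()), otherwise bottom halves stay disabled after the notifier returns. Separately, the NETDEV_DOWN/NETDEV_UNREGISTER arm that follows is left untouched; if it walks iucv_sk_list the same way it needs the same protection, and if it does not, a sentence in the commit message saying so would save the next reader the check.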
--
2.53.0
* Re: [PATCH] net/iucv: fix UAF in afiucv_netdev_event()
2026-05-08 16:38 [PATCH] net/iucv: fix UAF in afiucv_netdev_event() Nagamani PV
@ 2026-05-11 9:02 ` Heiko Carstens
2026-05-11 12:46 ` Nagamani PV
From: Heiko Carstens @ 2026-05-11 9:02 UTC (permalink / raw)
To: Nagamani PV
Cc: wintera, aswin, sidraya, hidayath, pasic, mjambigi, dk, twinkler,
jaka, wenjia, gbayer, linux390-list, stable,
syzbotz+89435e7383b82238dd91
On Fri, May 08, 2026 at 06:38:36PM +0200, Nagamani PV wrote:
> afiucv_netdev_event() traverses iucv_sk_list without holding
> iucv_sk_list.lock.
>
> A concurrent socket teardown can unlink and free the socket via
> iucv_sock_kill() while the notifier path is still iterating over
> the list, leading to a possible use-after-free when dereferencing
> the socket.
>
> Protect the traversal using the existing read-side lock, matching
> the locking pattern already used by other iucv_sk_list traversal
> paths in af_iucv.c.
>
> Use read_lock()/read_unlock() to remain consistent with existing
> softirq/tasklet-side readers in the same file.
>
> Fixes: 9fbd87d41392 ("af_iucv: handle netdev events")
> Cc: stable@vger.kernel.org
> Reported-by: syzbotz+89435e7383b82238dd91@linux.ibm.com
> Closes: https://lnxgwne1.boeblingen.de.ibm.com/linux-ci/syzbot/dashboard/bug?extid=89435e7383b82238dd91
Please don't add IBM internal references to commit messages. They are
useless, besides that they will go away rather sooner than later. Better:
add the _relevant_ parts of the crash output to the commit message, which
allows people to verify if this patch is actually fixing what the
commit message says.
> diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
> index 72dfccd4e3d5..e8a0b55fc55d 100644
> --- a/net/iucv/af_iucv.c
> +++ b/net/iucv/af_iucv.c
> @@ -2188,6 +2188,7 @@ static int afiucv_netdev_event(struct notifier_block *this,
> switch (event) {
> case NETDEV_REBOOT:
> case NETDEV_GOING_DOWN:
> + read_lock(&iucv_sk_list.lock);
> sk_for_each(sk, &iucv_sk_list.head) {
> iucv = iucv_sk(sk);
> if ((iucv->hs_dev == event_dev) &&
Are you sure that afiucv_netdev_event() is called in either tasklet context
or with bottom halves disabled? Doesn't look like it to me.
Read: most likely this should be read_lock_bh() to avoid deadlocks.
But then again I might be completely wrong, and lockdep says that this code
is actually correct :)
* Re: [PATCH] net/iucv: fix UAF in afiucv_netdev_event()
2026-05-11 9:02 ` Heiko Carstens
@ 2026-05-11 12:46 ` Nagamani PV
From: Nagamani PV @ 2026-05-11 12:46 UTC (permalink / raw)
To: Heiko Carstens
Cc: wintera, aswin, sidraya, hidayath, pasic, mjambigi, dk, twinkler,
jaka, wenjia, gbayer, linux390-list, stable,
syzbotz+89435e7383b82238dd91
On 11/05/26 2:32 PM, Heiko Carstens wrote:
> On Fri, May 08, 2026 at 06:38:36PM +0200, Nagamani PV wrote:
>> afiucv_netdev_event() traverses iucv_sk_list without holding
>> iucv_sk_list.lock.
>>
>> A concurrent socket teardown can unlink and free the socket via
>> iucv_sock_kill() while the notifier path is still iterating over
>> the list, leading to a possible use-after-free when dereferencing
>> the socket.
>>
>> Protect the traversal using the existing read-side lock, matching
>> the locking pattern already used by other iucv_sk_list traversal
>> paths in af_iucv.c.
>>
>> Use read_lock()/read_unlock() to remain consistent with existing
>> softirq/tasklet-side readers in the same file.
>>
>> Fixes: 9fbd87d41392 ("af_iucv: handle netdev events")
>> Cc: stable@vger.kernel.org
>> Reported-by: syzbotz+89435e7383b82238dd91@linux.ibm.com
>> Closes: https://lnxgwne1.boeblingen.de.ibm.com/linux-ci/syzbot/dashboard/bug?extid=89435e7383b82238dd91
>
> Please don't add IBM internal references to commit messages. They are
> useless, besides that they will go away rather sooner than later. Better:
> add the _relevant_ parts of the crash output to the commit message, which
> allows people to verify if this patch is actually fixing what the
> commit message says.
>
>> diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
>> index 72dfccd4e3d5..e8a0b55fc55d 100644
>> --- a/net/iucv/af_iucv.c
>> +++ b/net/iucv/af_iucv.c
>> @@ -2188,6 +2188,7 @@ static int afiucv_netdev_event(struct notifier_block *this,
>> switch (event) {
>> case NETDEV_REBOOT:
>> case NETDEV_GOING_DOWN:
>> + read_lock(&iucv_sk_list.lock);
>> sk_for_each(sk, &iucv_sk_list.head) {
>> iucv = iucv_sk(sk);
>> if ((iucv->hs_dev == event_dev) &&
>
> Are you sure that afiucv_netdev_event() is called in either tasklet context
> or with bottom halves disabled? Doesn't look like it to me.
> Read: most likely this should be read_lock_bh() to avoid deadlocks.
>
> But then again I might be completely wrong, and lockdep says that this code
> is actually correct :)
Thanks Heiko.

You’re right on both points. I’ll drop the IBM-internal reference and add
the relevant KASAN/UAF details directly to the commit message.

Regarding the locking: afiucv_netdev_event() is invoked from the
netdevice notifier chain in process context without bottom halves being
disabled. Since iucv_sk_list is modified under write_lock_bh() and also
accessed from softirq/callback paths, using read_lock_bh() in the
notifier is the correct and safer choice to avoid lock inversion.

Thanks Alexandra as well for confirming. I’ll resend a v2 with these
updates.
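The race the thread above describes, as an added userspace C model (not code from the patch, from af_iucv.c, or from the people in this thread): a socket list is walked by a "notifier" under the read side of a reader-writer lock while teardown threads unlink and free entries under the write side, which is the relation the patch establishes between afiucv_netdev_event() and iucv_sock_kill(). pthread_rwlock_t stands in for the kernel rwlock_t, the model_* names and the kill_job helper are invented for the illustration, and the bottom-half question raised in the replies (read_lock() versus read_lock_bh()) is not modeled because user space has no softirq context.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdlib.h>

/* Added userspace model of the af_iucv locking fix, not kernel code.
 * pthread_rwlock_t stands in for rwlock_t; the model_* names are invented. */
enum { ST_CONNECTED = 1, ST_DISCONN = 2 };   /* IUCV_CONNECTED / IUCV_DISCONN */
struct model_sock {              /* stand-in for struct sock / iucv_sock */
    struct model_sock *next;     /* the link sk_for_each() follows */
    int hs_dev;                  /* iucv->hs_dev: device the socket is bound to */
    int state;                   /* sk->sk_state */
};
struct model_list {              /* stand-in for iucv_sk_list */
    pthread_rwlock_t lock;       /* iucv_sk_list.lock */
    struct model_sock *head;     /* iucv_sk_list.head */
};

/* iucv_sock_link(): insertion under the write side. */
static void model_sock_link(struct model_list *l, struct model_sock *sk)
{
    pthread_rwlock_wrlock(&l->lock);
    sk->next = l->head;
    l->head = sk;
    pthread_rwlock_unlock(&l->lock);
}

/* iucv_sock_unlink() followed by the free in iucv_sock_kill(). The unlink
 * takes the write side, so no walker still holds sk when it is freed; a
 * walker that skips the read side is exactly the use-after-free. */
static void model_sock_kill(struct model_list *l, struct model_sock *sk)
{
    pthread_rwlock_wrlock(&l->lock);
    for (struct model_sock **pp = &l->head; *pp; pp = &(*pp)->next)
        if (*pp == sk) {
            *pp = sk->next;
            break;
        }
    pthread_rwlock_unlock(&l->lock);
    free(sk);
}

/* afiucv_netdev_event() for NETDEV_GOING_DOWN as patched: walk under the
 * read side and disconnect connected sockets bound to event_dev.
 * Returns how many sockets this walk transitioned. */
static int model_netdev_going_down(struct model_list *l, int event_dev)
{
    int n = 0;
    pthread_rwlock_rdlock(&l->lock);
    for (struct model_sock *sk = l->head; sk; sk = sk->next)
        if (sk->hs_dev == event_dev && sk->state == ST_CONNECTED) {
            sk->state = ST_DISCONN;
            n++;
        }
    pthread_rwlock_unlock(&l->lock);
    return n;
}

struct kill_job { struct model_list *l; struct model_sock **socks; int from, to; };
static void *kill_thread(void *arg)          /* teardown racing the notifier */
{
    struct kill_job *j = arg;
    for (int i = j->from; i < j->to; i++)
        model_sock_kill(j->l, j->socks[i]);
    return NULL;
}

/* Drive the race: nsock sockets (every second one on device 1) are torn down
 * by nthreads while NETDEV_GOING_DOWN for device 1 is delivered `rounds`
 * times. Returns the disconnects observed (0..nsock/2, depending on who wins
 * each race) or -1 if anything is still linked after teardown finished. */
static int model_run_race(int nsock, int nthreads, int rounds)
{
    struct model_list l = { PTHREAD_RWLOCK_INITIALIZER, NULL };
    struct model_sock **socks = calloc(nsock, sizeof(*socks));
    for (int i = 0; i < nsock; i++) {
        socks[i] = calloc(1, sizeof(**socks));
        socks[i]->hs_dev = i % 2;
        socks[i]->state = ST_CONNECTED;
        model_sock_link(&l, socks[i]);
    }
    pthread_t *tid = calloc(nthreads, sizeof(*tid));
    struct kill_job *jobs = calloc(nthreads, sizeof(*jobs));
    int per = nsock / nthreads;
    for (int t = 0; t < nthreads; t++) {
        jobs[t] = (struct kill_job){ &l, socks, t * per,
                                     t == nthreads - 1 ? nsock : (t + 1) * per };
        pthread_create(&tid[t], NULL, kill_thread, &jobs[t]);
    }
    int total = 0;
    for (int r = 0; r < rounds; r++) {
        total += model_netdev_going_down(&l, 1);
        sched_yield();                       /* let the teardown threads run */
    }
    for (int t = 0; t < nthreads; t++)
        pthread_join(tid[t], NULL);
    free(jobs); free(tid); free(socks);
    return l.head ? -1 : total;
}
```

model_run_race() returns a value that varies from run to run because the teardown threads and the walker genuinely race; what the lock guarantees is that every walk only ever touches linked sockets and the process terminates with the list empty, which is what the patch is after. Build with a pthread-enabled toolchain (glibc 2.34 and later need no -lpthread, older ones do).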