| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3308e844-6c04-44a1-84c9-9b9f1aaef917@redhat.com>
Date: Sun, 28 Dec 2025 16:02:11 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Jens Axboe <axboe@...nel.dk>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>,
netdev <netdev@...r.kernel.org>
Cc: io-uring <io-uring@...r.kernel.org>, Jakub Kicinski <kuba@...nel.org>,
Willem de Bruijn <willemb@...gle.com>, Kuniyuki Iwashima
<kuniyu@...gle.com>, Julian Orth <ju.orth@...il.com>
Subject: Re: [PATCH v2] af_unix: don't post cmsg for SO_INQ unless explicitly
asked for
On 12/23/25 6:27 PM, Jens Axboe wrote:
> On 12/19/25 1:08 PM, Willem de Bruijn wrote:
>> [PATCH net v2] assuming this is intended to go through the net tree.
>>
>> Jens Axboe wrote:
>>> On 12/19/25 12:02 PM, Willem de Bruijn wrote:
>>>> Jens Axboe wrote:
>>>>> A previous commit added SO_INQ support for AF_UNIX (SOCK_STREAM), but it
>>>>> posts a SCM_INQ cmsg even if just msg->msg_get_inq is set. This is
>>>>> incorrect, as ->msg_get_inq is just the caller asking for the remainder
>>>>> to be passed back in msg->msg_inq, it has nothing to do with cmsg. The
>>>>> original commit states that this is done to make sockets
>>>>> io_uring-friendly", but it's actually incorrect as io_uring doesn't use
>>>>> cmsg headers internally at all, and it's actively wrong as this means
>>>>> that cmsg's are always posted if someone does recvmsg via io_uring.
>>>>>
>>>>> Fix that up by only posting a cmsg if u->recvmsg_inq is set.
>>>>>
>>>>> Additionally, mirror how TCP handles inquiry handling in that it should
>>>>> only be done for a successful return. This makes the logic for the two
>>>>> identical.
>>>>>
>>>>> Cc: stable@...r.kernel.org
>>>>> Fixes: df30285b3670 ("af_unix: Introduce SO_INQ.")
>>>>> Reported-by: Julian Orth <ju.orth@...il.com>
>>>>> Link: https://github.com/axboe/liburing/issues/1509
>>>>> Signed-off-by: Jens Axboe <axboe@...nel.dk>
>>>>>
>>>>> ---
>>>>>
>>>>> V2:
>>>>> - Unify logic with tcp
>>>>> - Squash the two patches into one
>>>>>
>>>>> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
>>>>> index 55cdebfa0da0..a7ca74653d94 100644
>>>>> --- a/net/unix/af_unix.c
>>>>> +++ b/net/unix/af_unix.c
>>>>> @@ -2904,6 +2904,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
>>>>> unsigned int last_len;
>>>>> struct unix_sock *u;
>>>>> int copied = 0;
>>>>> + bool do_cmsg;
>>>>> int err = 0;
>>>>> long timeo;
>>>>> int target;
>>>>> @@ -2929,6 +2930,9 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
>>>>>
>>>>> u = unix_sk(sk);
>>>>>
>>>>> + do_cmsg = READ_ONCE(u->recvmsg_inq);
>>>>> + if (do_cmsg)
>>>>> + msg->msg_get_inq = 1;
>>>>
>>>> I would avoid overwriting user written fields if it's easy to do so.
>>>>
>>>> In this case it probably is harmless. But we've learned the hard way
>>>> that applications can even get confused by recvmsg setting msg_flags.
>>>> I've seen multiple reports of applications failing to scrub that field
>>>> inbetween calls.
>>>>
>>>> Also just more similar to tcp:
>>>>
>>>> do_cmsg = READ_ONCE(u->recvmsg_inq);
>>>> if ((do_cmsg || msg->msg_get_inq) && (copied ?: err) >= 0) {
>>>
>>> I think you need to look closer, because this is actually what the tcp
>>> path does:
>>>
>>> if (tp->recvmsg_inq) {
>>> [...]
>>> msg->msg_get_inq = 1;
>>> }
>>
>> I indeed missed that TCP does the same. Ack. Indeed consistency was what I asked for.
>>
>> Reviewed-by: Willem de Bruijn <willemb@...gle.com>
>
> Can someone get this applied, please?
For a few more days it's just me. That means a significantly longer than
usual latency, but I'm almost there.
/P
Powered by blists - more mailing lists