lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aeaca3bf-b6e6-48e4-9493-6c200a49d1ec@kernel.dk>
Date: Tue, 6 Jan 2026 08:08:26 -0700
From: Jens Axboe <axboe@...nel.dk>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>, netdev@...r.kernel.org
Cc: davem@...emloft.net, kuba@...nel.org, edumazet@...gle.com,
 pabeni@...hat.com, horms@...nel.org, kuniyu@...gle.com,
 Willem de Bruijn <willemb@...gle.com>, stable@...r.kernel.org
Subject: Re: [PATCH net] net: do not write to msg_get_inq in callee

On 1/6/26 8:05 AM, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@...gle.com>
> 
> NULL pointer dereference fix.
> 
> msg_get_inq is an input field from caller to callee. Don't set it in
> the callee, as the caller may not clear it on struct reuse.
> 
> This is a kernel-internal variant of msghdr only, and the only user
> does reinitialize the field. So this is not critical for that reason.
> But it is more robust to avoid the write, and slightly simpler code.
> And it fixes a bug, see below.
> 
> Callers set msg_get_inq to request the input queue length to be
> returned in msg_inq. This is equivalent to but independent from the
> SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).
> To reduce branching in the hot path the second also sets the msg_inq.
> That is WAI.
> 
> This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for
> SO_INQ unless explicitly asked for"), which fixed the inverse.
> 
> Also avoid NULL pointer dereference in unix_stream_read_generic if
> state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg
> can happen when splicing as of commit 2b514574f7e8 ("net: af_unix:
> implement splice for stream af_unix sockets").
> 
> Also collapse two branches using a bitwise or.
> 
> Cc: stable@...r.kernel.org
> Fixes: 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for")
> Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.24d8030f7a3de@gmail.com/
> Signed-off-by: Willem de Bruijn <willemb@...gle.com>
> 
> ---
> 
> Jens, I dropped your Reviewed-by because of the commit message updates.
> But code is unchanged.

Still looks good to me:

Reviewed-by: Jens Axboe <axboe@...nel.dk>

Thanks for doing this!

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ