Patch "af_unix: Annotate data-race of sk->sk_state in unix_stream_connect()." has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 15 Jun 2024 22:07:53 -0400

This is a note to let you know that I've just added the patch titled

    af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9ca458fd70435e9c3615e46bf42aa05e30144e1f
Author: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Date:   Tue Jun 4 09:52:31 2024 -0700

    af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().
    
    [ Upstream commit a9bf9c7dc6a5899c01cb8f6e773a66315a5cd4b7 ]
    
    As small optimisation, unix_stream_connect() prefetches the client's
    sk->sk_state without unix_state_lock() and checks if it's TCP_CLOSE.
    
    Later, sk->sk_state is checked again under unix_state_lock().
    
    Let's use READ_ONCE() for the first check and TCP_CLOSE directly for
    the second check.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 4a43091c95419..53d67d540a574 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1491,7 +1491,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
 	struct sk_buff *skb = NULL;
 	long timeo;
 	int err;
-	int st;
 
 	err = unix_validate_addr(sunaddr, addr_len);
 	if (err)
@@ -1577,9 +1576,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
 
 	   Well, and we have to recheck the state after socket locked.
 	 */
-	st = sk->sk_state;
-
-	switch (st) {
+	switch (READ_ONCE(sk->sk_state)) {
 	case TCP_CLOSE:
 		/* This is ok... continue with connect */
 		break;
@@ -1594,7 +1591,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
 
 	unix_state_lock_nested(sk, U_LOCK_SECOND);
 
-	if (sk->sk_state != st) {
+	if (sk->sk_state != TCP_CLOSE) {
 		unix_state_unlock(sk);
 		unix_state_unlock(other);
 		sock_put(other);







