af_unix: unix_stream_data_wait() fix and improvements

[PATCH 0/3] af_unix: unix_stream_data_wait() fix and improvements

Jann Horn posted 3 patches 1 week, 2 days ago

Download series mbox

net/unix/af_unix.c | 66 +++++++++++++++++++-----------------------------------
1 file changed, 23 insertions(+), 43 deletions(-)

Expand all Fold all

[PATCH 0/3] af_unix: unix_stream_data_wait() fix and improvements

Posted by Jann Horn 1 week, 2 days ago

Patch 1 fixes a race condition that can lead to a UAF read in
unix_stream_data_wait(). This is a read-only UAF that doesn't have
particularly interesting security consequences, but should still be
fixed. This is a minimal fix, intended to be easy to backport.

Patch 2 cleans up and simplifies this code a bit more (at the cost of
taking the iolock during false wakeups).

Since patch 2 probably increases the impact of false wakeups,
patch 3 is a performance optimization to reduce false wakeups.

Signed-off-by: Jann Horn <jannh@google.com>
---
Jann Horn (3):
      af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
      af_unix: Simplify unix_stream_data_wait()
      af_unix: prevent spurious reader wakeups by writer

 net/unix/af_unix.c | 66 +++++++++++++++++++-----------------------------------
 1 file changed, 23 insertions(+), 43 deletions(-)
---
base-commit: 70eda68668d1476b459b64e69b8f36659fa9dfa8
change-id: 20260515-unix-recv-wait-01b3a9cbacc4

--  
Jann Horn <jannh@google.com>