Merge branch 'af_unix-data-races'

davem330 · davem330 · commit 2861f09c1112 · 2023-09-04T11:06:16.000+01:00
Kuniyuki Iwashima says:

====================
af_unix: Fix four data-races.

While running syzkaller, KCSAN reported 3 data-races with
systemd-coredump using AF_UNIX sockets.

This series fixes the three and another one inspiered by
one of the reports.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/core/sock.c b/net/core/sock.c
@@ -2747,9 +2747,9 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo)
 		prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
 		if (refcount_read(&sk->sk_wmem_alloc) < READ_ONCE(sk->sk_sndbuf))
 			break;
-		if (sk->sk_shutdown & SEND_SHUTDOWN)
+		if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
 			break;
-		if (sk->sk_err)
+		if (READ_ONCE(sk->sk_err))
 			break;
 		timeo = schedule_timeout(timeo);
 	}
@@ -2777,7 +2777,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
 			goto failure;
 
 		err = -EPIPE;
-		if (sk->sk_shutdown & SEND_SHUTDOWN)
+		if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
 			goto failure;
 
 		if (sk_wmem_alloc_get(sk) < READ_ONCE(sk->sk_sndbuf))
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
@@ -680,7 +680,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
 	 *	  What the above comment does talk about? --ANK(980817)
 	 */
 
-	if (unix_tot_inflight)
+	if (READ_ONCE(unix_tot_inflight))
 		unix_gc();		/* Garbage collect fds */
 }
 
diff --git a/net/unix/scm.c b/net/unix/scm.c
@@ -64,7 +64,7 @@ void unix_inflight(struct user_struct *user, struct file *fp)
 		/* Paired with READ_ONCE() in wait_for_unix_gc() */
 		WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);
 	}
-	user->unix_inflight++;
+	WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1);
 	spin_unlock(&unix_gc_lock);
 }
 
@@ -85,7 +85,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
 		/* Paired with READ_ONCE() in wait_for_unix_gc() */
 		WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);
 	}
-	user->unix_inflight--;
+	WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1);
 	spin_unlock(&unix_gc_lock);
 }
 
@@ -99,7 +99,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)
 {
 	struct user_struct *user = current_user();
 
-	if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
+	if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE)))
 		return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
 	return false;
 }

Original file line number	Diff line number	Diff line change
`@@ -680,7 +680,7 @@ static void unix_release_sock(struct sock *sk, int embrion)`
`680`	`680`	`* What the above comment does talk about? --ANK(980817)`
`681`	`681`	`*/`
`682`	`682`
`683`		`- if (unix_tot_inflight)`
	`683`	`+ if (READ_ONCE(unix_tot_inflight))`
`684`	`684`	`unix_gc(); /* Garbage collect fds */`
`685`	`685`	`}`
`686`	`686`
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ void unix_inflight(struct user_struct user, struct file fp)`
`64`	`64`	`/* Paired with READ_ONCE() in wait_for_unix_gc() */`
`65`	`65`	`WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);`
`66`	`66`	`}`
`67`		`- user->unix_inflight++;`
	`67`	`+ WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1);`
`68`	`68`	`spin_unlock(&unix_gc_lock);`
`69`	`69`	`}`
`70`	`70`
`@@ -85,7 +85,7 @@ void unix_notinflight(struct user_struct user, struct file fp)`
`85`	`85`	`/* Paired with READ_ONCE() in wait_for_unix_gc() */`
`86`	`86`	`WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);`
`87`	`87`	`}`
`88`		`- user->unix_inflight--;`
	`88`	`+ WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1);`
`89`	`89`	`spin_unlock(&unix_gc_lock);`
`90`	`90`	`}`
`91`	`91`
`@@ -99,7 +99,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)`
`99`	`99`	`{`
`100`	`100`	`struct user_struct *user = current_user();`
`101`	`101`
`102`		`- if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))`
	`102`	`+ if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE)))`
`103`	`103`	`return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);`
`104`	`104`	`return false;`
`105`	`105`	`}`