Re: [PATCH net v2] af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
From: patchwork-bot+netdevbpf
Date: Tue May 19 2026 - 22:00:14 EST
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:
On Mon, 18 May 2026 18:51:30 +0200 you wrote:
> unix_stream_data_wait() does skb_peek_tail(&sk->sk_receive_queue) without
> holding any lock that prevents SKBs on that queue from being dequeued and
> freed.
> This has been the case since commit 79f632c71bea ("unix/stream: fix
> peeking with an offset larger than data in queue").
> The first consequence of this is that the pointer comparison
> `tail != last` can be false even if `last` semantically refers to an
> already-freed SKB while `tail` is a new SKB allocated at the same address;
> which can cause unix_stream_data_wait() to wrongly keep blocking after new
> data has arrived, but only in a weird scenario where a peeking recv() and
> a normal recv() on the same socket are racing, which is probably not a
> real problem.
>
> [...]
Here is the summary with links:
- [net,v2] af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
https://git.kernel.org/netdev/net/c/be309f8eae8b
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
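
The stale-pointer comparison described in the quoted commit message, as an added single-threaded C sketch that is not part of the original mail or of the kernel patch. The two-slot LIFO pool, the `struct queue` layout and the `gen` change counter are all constructed for illustration; the counter only shows why pointer identity is not enough and is not claimed to be the fix that was applied.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed stand-ins, not kernel code: a 2-slot LIFO pool models an
 * allocator that hands a just-freed address straight back out. */
struct buf { int len; struct buf *next_free; };
static struct buf pool[2];
static struct buf *free_list;

static void pool_init(void) {
    pool[0].next_free = &pool[1];
    pool[1].next_free = NULL;
    free_list = &pool[0];
}
static struct buf *buf_alloc(int len) {
    struct buf *b = free_list;          /* demo never exhausts the pool */
    free_list = b->next_free;
    b->len = len;
    return b;
}
static void buf_free(struct buf *b) { b->next_free = free_list; free_list = b; }

/* One-element "receive queue": tail pointer plus a change counter
 * (the counter is a hypothetical addition for this demo). */
struct queue { struct buf *tail; unsigned long gen; };

static void enqueue(struct queue *q, int len) { q->tail = buf_alloc(len); q->gen++; }
static void dequeue_and_free(struct queue *q) { buf_free(q->tail); q->tail = NULL; q->gen++; }

/* Waiter's view: has the queue changed since the snapshot was taken? */
static bool changed_by_pointer(const struct queue *q, const struct buf *last) {
    return q->tail != last;
}
static bool changed_by_gen(const struct queue *q, unsigned long last_gen) {
    return q->gen != last_gen;
}

/* Returns 1 if the pointer check missed new data that the counter caught. */
static int demo_aba(void) {
    struct queue q = { NULL, 0 };
    pool_init();
    enqueue(&q, 10);
    struct buf *last = q.tail;          /* peeking reader's snapshot */
    unsigned long last_gen = q.gen;
    dequeue_and_free(&q);               /* racing normal reader consumes it */
    enqueue(&q, 99);                    /* new data lands at the same address */
    return !changed_by_pointer(&q, last) && changed_by_gen(&q, last_gen)
           && q.tail->len == 99;
}

int main(void) { return demo_aba() ? 0 : 1; }
```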