Re: [PATCH net] net/iucv: fix locking in .getsockopt

From: Alexandra Winter

Date: Fri May 22 2026 - 09:59:27 EST




On 21.05.26 16:11, Breno Leitao wrote:
> Mirror iucv_sock_setsockopt() and wrap the whole switch in
> lock_sock()/release_sock(). The pre-existing SO_MSGLIMIT-only lock
> becomes redundant and is removed.
>
> Any AF_IUCV HIPER user can potentially crash the kernel by racing
> recvmsg() with getsockopt(SO_MSGSIZE): the SO_MSGSIZE arm dereferences
> iucv->hs_dev->mtu after iucv_sock_close() (called from the racing
> recvmsg()) has set hs_dev to NULL, producing a NULL pointer dereference
> oops.
>
> Suggested-by: Stanislav Fomichev <sdf.kernel@xxxxxxxxx>
> Fixes: 51363b8751a6 ("af_iucv: allow retrieval of maximum message size")
> Signed-off-by: Breno Leitao <leitao@xxxxxxxxxx>
> ---
> Note1: Not using goto/label to simplify the merge conflict that might
> happen with the migration of af_iucv to getsockopt_iter
>
> Note2: This was only compile-tested.
> ---

Thank you very much, Breno.

I ran some regression tests which call IUCV getsockopt(SO_MSGSIZE) while
sending and receiving data via IUCV. I have not created a specific
reproducer testcase of the described race, which would require enforcing
a problem in IUCV over HS congestion management which triggers an error
path in recvmsg().

Reviewed-by: Alexandra Winter <wintera@xxxxxxxxxxxxx>
Tested-by: Alexandra Winter <wintera@xxxxxxxxxxxxx>