[PATCH 0/3] af_unix: unix_stream_data_wait() fix and improvements

Next message: Jann Horn: "[PATCH 1/3] af_unix: Fix UAF read of tail-&gt;len in unix_stream_data_wait()"
Previous message: Moger, Babu: "Re: [PATCH v2 0/8] x86/resctrl: Support for AMD Global (Slow) Memory Bandwidth Allocation"
Next in thread: Jann Horn: "[PATCH 1/3] af_unix: Fix UAF read of tail-&gt;len in unix_stream_data_wait()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jann Horn

Date: Fri May 15 2026 - 14:54:33 EST

Patch 1 fixes a race condition that can lead to a UAF read in
unix_stream_data_wait(). This is a read-only UAF that doesn't have
particularly interesting security consequences, but should still be
fixed. This is a minimal fix, intended to be easy to backport.

Patch 2 cleans up and simplifies this code a bit more (at the cost of
taking the iolock during false wakeups).

Since patch 2 probably increases the impact of false wakeups,
patch 3 is a performance optimization to reduce false wakeups.

Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
---
Jann Horn (3):
af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
af_unix: Simplify unix_stream_data_wait()
af_unix: prevent spurious reader wakeups by writer

net/unix/af_unix.c | 66 +++++++++++++++++++-----------------------------------
1 file changed, 23 insertions(+), 43 deletions(-)
---
base-commit: 70eda68668d1476b459b64e69b8f36659fa9dfa8
change-id: 20260515-unix-recv-wait-01b3a9cbacc4

--
Jann Horn <jannh@xxxxxxxxxx>