From: Miklos Szeredi <[email protected]>
Date: Tue, 05 Jun 2007 09:42:41 +0200
> From: Miklos Szeredi <[email protected]>
>
> A recv() on an AF_UNIX, SOCK_STREAM socket can race with a
> send()+close() on the peer, causing recv() to return zero, even though
> the sent data should be received.
>
> This happens if the send() and the close() is performed between
> skb_dequeue() and checking sk->sk_shutdown in unix_stream_recvmsg():
>
> process A skb_dequeue() returns NULL, there's no data in the socket queue
> process B new data is inserted onto the queue by unix_stream_sendmsg()
> process B sk->sk_shutdown is set to SHUTDOWN_MASK by unix_release_sock()
> process A sk->sk_shutdown is checked, unix_release_sock() returns zero
>
> I'm surprised nobody noticed this, it's not hard to trigger. Maybe
> it's just (un)luck with the timing.
>
> It's possible to work around this bug in userspace, by retrying the
> recv() once in case of a zero return value.
>
> Signed-off-by: Miklos Szeredi <[email protected]>
Looks good, applied.
Another way to fix this would have been to take the u->readlock
in unix_release() and unix_shutdown(), but that would have hurt
unix_dgram_recvmsg() which doesn't need to handle this race.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
