
Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix data-race around unix_tot_inflight.

unix_tot_inflight is changed under spin_lock(unix_gc_lock), but unix_release_sock() reads it locklessly.

Let's use READ_ONCE() for unix_tot_inflight.

Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress")

BUG: KCSAN: data-race in unix_inflight / unix_release_sock

write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:
 unix_inflight+0x130/0x180 net/unix/scm.c:64
 unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123
 unix_scm_to_skb net/unix/af_unix.c:1832 [inline]
 unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x148/0x160 net/socket.c:747
 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493
 ___sys_sendmsg+0xc6/0x140 net/socket.c:2547
 __sys_sendmsg+0x94/0x140 net/socket.c:2576
 __do_sys_sendmsg net/socket.c:2585 [inline]
 __se_sys_sendmsg net/socket.c:2583 [inline]
 __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:
 unix_release_sock+0x608/0x910 net/unix/af_unix.c:671
 unix_release+0x59/0x80 net/unix/af_unix.c:1058
 __sock_release+0x7d/0x170 net/socket.c:653
 sock_close+0x19/0x30 net/socket.c:1385
 __fput+0x179/0x5e0 fs/file_table.c:321
 ____fput+0x15/0x20 fs/file_table.c:349
 task_work_run+0x116/0x1a0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0x00000000 -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Default status
unaffected

9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 (git) before 31b46d5e7c4e295bd112960614a66a177a057dca
affected

9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 (git) before 20aa8325464d8905450089eed96ca102a074d853
affected

9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 (git) before 5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840
affected

9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 (git) before cf29b42766ad4af2ae6a449f583796951551b48d
affected

9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 (git) before e5edc6e44a882c0458878ab10eaddfe60ac34e57
affected

9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 (git) before 2d8933ca863e252fb09ad0be483255e3dfeb1f54
affected

9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 (git) before afc284a4a781defbb12b2a40427fae34c3d20e17
affected

9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 (git) before ade32bd8a738d7497ffe9743c46728db26740f78
affected

Default status
affected

2.6.24
affected

Any version before 2.6.24
unaffected

4.14.326 (semver)
unaffected

4.19.295 (semver)
unaffected

5.4.257 (semver)
unaffected

5.10.195 (semver)
unaffected

5.15.132 (semver)
unaffected

6.1.54 (semver)
unaffected

6.5.4 (semver)
unaffected

6.6 (original_commit_for_fix)
unaffected
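
An added triage example, not part of the CVE record or the kernel project: it classifies an upstream kernel release string (as printed by `uname -r`) against the fixed versions in the product status list above. It assumes each listed fixed version applies to its own stable branch and that branches without a listed fix between 2.6.24 and 6.6 remain affected; distribution backports and 6.6 release candidates are not modelled, and the function names are chosen for this example.

```python
import re

# Fixed point release per stable branch, copied from the product status list.
# Assumption: each entry covers only its own major.minor branch.
FIXED = {(4, 14): 326, (4, 19): 295, (5, 4): 257, (5, 10): 195,
         (5, 15): 132, (6, 1): 54, (6, 5): 4}
INTRODUCED = (2, 6, 24)   # first affected release per the record
MAINLINE_FIX = (6, 6)     # original_commit_for_fix


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def status(release):
    """Return 'affected' or 'unaffected' for an upstream version string."""
    ver = parse_release(release)
    if ver < INTRODUCED or ver[:2] >= MAINLINE_FIX:
        return "unaffected"
    fixed_patch = FIXED.get(ver[:2])
    if fixed_patch is not None and ver[2] >= fixed_patch:
        return "unaffected"
    # Unpatched point release, or a branch with no listed fix.
    return "affected"


if __name__ == "__main__":
    # First sample is the kernel named in the KCSAN report; the rest are constructed.
    samples = ("6.4.0-rc5-01219-gfa0e21fa4443", "5.15.131", "5.15.132-generic",
               "6.1.54", "6.5.3", "6.8.0-45-generic", "2.6.23")
    for sample in samples:
        print(f"{sample:32} {status(sample)}")
```

A vendor kernel reported as affected here may still carry the backported READ_ONCE() change, so confirm against the distribution's own advisory before acting on the result.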

References

git.kernel.org/...c/31b46d5e7c4e295bd112960614a66a177a057dca

git.kernel.org/...c/20aa8325464d8905450089eed96ca102a074d853

git.kernel.org/...c/5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840

git.kernel.org/...c/cf29b42766ad4af2ae6a449f583796951551b48d

git.kernel.org/...c/e5edc6e44a882c0458878ab10eaddfe60ac34e57

git.kernel.org/...c/2d8933ca863e252fb09ad0be483255e3dfeb1f54

git.kernel.org/...c/afc284a4a781defbb12b2a40427fae34c3d20e17

git.kernel.org/...c/ade32bd8a738d7497ffe9743c46728db26740f78

cve.org (CVE-2023-54006)

nvd.nist.gov (CVE-2023-54006)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.