Commit 39897df3 authored by Jiexun Wang's avatar Jiexun Wang Committed by Jakub Kicinski
Browse files

af_unix: read UNIX_DIAG_VFS data under unix_state_lock 



Exact UNIX diag lookups hold a reference to the socket, but not to
u->path. Meanwhile, unix_release_sock() clears u->path under
unix_state_lock() and drops the path reference after unlocking.

Read the inode and device numbers for UNIX_DIAG_VFS while holding
unix_state_lock(), then emit the netlink attribute after dropping the
lock.

This keeps the VFS data stable while the reply is being built.

Fixes: 5f7b0569 ("unix_diag: Unix inode info NLA")
Reported-by: default avatarYifan Wu <yifanwucs@gmail.com>
Reported-by: default avatarJuefei Pu <tomapufckgml@gmail.com>
Co-developed-by: default avatarYuan Tan <yuantan098@gmail.com>
Signed-off-by: default avatarYuan Tan <yuantan098@gmail.com>
Suggested-by: default avatarXin Liu <bird@lzu.edu.cn>
Tested-by: default avatarRen Wei <enjou1224z@gmail.com>
Signed-off-by: default avatarJiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: default avatarRen Wei <n05ec@lzu.edu.cn>
Reviewed-by: default avatarKuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260407080015.1744197-1-n05ec@lzu.edu.cn


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 8e2760ea

net/unix/diag.c

+13 −8
Original line number Diff line number Diff line
@@ -28,18 +28,23 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) 


static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb)

{

	struct dentry *dentry = unix_sk(sk)->path.dentry;

	struct unix_diag_vfs uv;

	struct dentry *dentry;

	bool have_vfs = false;



	unix_state_lock(sk);

	dentry = unix_sk(sk)->path.dentry;

	if (dentry) {

		struct unix_diag_vfs uv = {

			.udiag_vfs_ino = d_backing_inode(dentry)->i_ino,

			.udiag_vfs_dev = dentry->d_sb->s_dev,

		};



		return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);

		uv.udiag_vfs_ino = d_backing_inode(dentry)->i_ino;

		uv.udiag_vfs_dev = dentry->d_sb->s_dev;

		have_vfs = true;

	}

	unix_state_unlock(sk);



	if (!have_vfs)

		return 0;



	return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv);

}



static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb)