af_unix: Annotate data-race of sk->sk_state in unix_accept().

[ Upstream commit 1b536948e805aab61a48c5aa5db10c9afee880bd ]

Once sk->sk_state is changed to TCP_LISTEN, it never changes.

unix_accept() takes the advantage and reads sk->sk_state without
holding unix_state_lock().

Let's use READ_ONCE() there.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index cbc011ceb89b458c78c24e466a437c323c7c336d..4647fb5e53a87ee347d5431b848af493523e1fa2 100644 (file)
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1704,7 +1704,7 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags,
                goto out;
 
        err = -EINVAL;
-       if (sk->sk_state != TCP_LISTEN)
+       if (READ_ONCE(sk->sk_state) != TCP_LISTEN)
                goto out;
 
        /* If socket state is TCP_LISTEN it cannot change (for now...),