Updated: 2025-11-10 03:08:31.533918
Description:
In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg A data-race condition has been identified in af_unix. In one data path, the write function unix_release_sock() atomically writes to sk->sk_shutdown using WRITE_ONCE. However, on the reader side, unix_stream_sendmsg() does not read it atomically. Consequently, this issue is causing the following KCSAN splat to occur: BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: unix_release_sock (net/unix/af_unix.c:640) unix_release (net/unix/af_unix.c:1050) sock_close (net/socket.c:659 net/socket.c:1421) __fput (fs/file_table.c:422) __fput_sync (fs/file_table.c:508) __se_sys_close (fs/open.c:1559 fs/open.c:1541) __x64_sys_close (fs/open.c:1541) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: unix_stream_sendmsg (net/unix/af_unix.c:2273) __sock_sendmsg (net/socket.c:730 net/socket.c:745) ____sys_sendmsg (net/socket.c:2584) __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x01 -> 0x03 The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") addressed a comparable issue in the past regarding sk->sk_shutdown. However, it overlooked resolving this particular data path. This patch only offending unix_stream_sendmsg() function, since the other reads seem to be protected by unix_state_lock() as discussed in
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | MEDIUM | 4.7 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 4.7 | MEDIUM | Ignored | 2025-09-23 11:05:17 | This issue is a local-only, timing‑dependent race in AF_UNIX stream sockets that affects availabil... | |
| CentOS 6 ELS | kernel | 2.6.32 | 4.7 | MEDIUM | Ignored | 2024-07-25 05:17:33 | Ignored due to low severity | |
| CentOS 7 ELS | kernel | 3.10.0 | 4.7 | MEDIUM | Ignored | 2024-07-25 05:17:31 | Ignored due to low severity | |
| CentOS 8.4 ELS | kernel | 4.18.0 | 4.7 | MEDIUM | Ignored | 2024-08-20 12:21:30 | Ignored due to low severity | |
| CentOS 8.5 ELS | kernel | 4.18.0 | 4.7 | MEDIUM | Ignored | 2024-08-20 12:21:30 | Ignored due to low severity | |
| CentOS Stream 8 ELS | kernel | 4.18.0 | 4.7 | MEDIUM | Ignored | 2024-08-20 12:21:30 | Ignored due to low severity | |
| CloudLinux 6 ELS | kernel | 2.6.32 | 4.7 | MEDIUM | Ignored | 2024-07-25 05:17:32 | Ignored due to low severity | |
| CloudLinux 7 ELS | kernel | 3.10.0 | 4.7 | MEDIUM | Ignored | 2024-07-25 05:17:31 | Ignored due to low severity | |
| Oracle Linux 6 ELS | kernel | 2.6.32 | 4.7 | MEDIUM | Ignored | 2024-07-25 05:17:31 | Ignored due to low severity | |
| Oracle Linux 7 ELS | kernel | 3.10.0 | 4.7 | MEDIUM | Ignored | 2025-09-23 07:59:40 | Ignored due to low severity |