From: Lee Jones
To: lee@kernel.org, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Christian Brauner, Kuniyuki Iwashima, Jens Axboe, Alexander Mikhalitsyn, Sasha Levin, Michal Luczaj, Rao Shoaib, Simon Horman, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Subject: [PATCH v6.1 26/27] af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS
Date: Wed, 21 May 2025 16:27:25 +0100
Message-ID: <20250521152920.1116756-27-lee@kernel.org>
In-Reply-To: <20250521152920.1116756-1-lee@kernel.org>
References: <20250521152920.1116756-1-lee@kernel.org>
From: Michal Luczaj

[ Upstream commit 041933a1ec7b4173a8e638cae4f8e394331d7e54 ]

GC attempts to explicitly drop oob_skb's reference before purging the hit
list. The problem is with embryos: kfree_skb(u->oob_skb) is never called on
an embryo socket.

The python script below [0] sends a listener's fd to its embryo as OOB data.
While GC does collect the embryo's queue, it fails to drop the OOB skb's
refcount. The skb which was in the embryo's receive queue stays as
unix_sk(sk)->oob_skb and keeps the listener's refcount [1].

Tell GC to dispose of the embryo's oob_skb.

[0]:
from array import array
from socket import *

# Listener bound to an abstract-namespace address (leading NUL byte).
addr = '\x00unix-oob'
lis = socket(AF_UNIX, SOCK_STREAM)
lis.bind(addr)
lis.listen(1)

# connect() without a matching accept() leaves an embryo socket sitting
# in the listener's accept queue.
s = socket(AF_UNIX, SOCK_STREAM)
s.connect(addr)

# Send the listener's own fd to that embryo via SCM_RIGHTS, as an OOB byte.
scm = (SOL_SOCKET, SCM_RIGHTS, array('i', [lis.fileno()]))
s.sendmsg([b'x'], [scm], MSG_OOB)

# Drop our fd; the only remaining reference to the listener is now held
# by the skb stored as the embryo's oob_skb.
lis.close()

[1]
$ grep unix-oob /proc/net/unix
$ ./unix-oob.py
$ grep unix-oob /proc/net/unix
0000000000000000: 00000002 00000000 00000000 0001 02 0 @unix-oob
0000000000000000: 00000002 00000000 00010000 0001 01 6072 @unix-oob

Fixes: 4090fa373f0e ("af_unix: Replace garbage collection algorithm.")
Signed-off-by: Michal Luczaj
Reviewed-by: Kuniyuki Iwashima
Signed-off-by: Paolo Abeni
(cherry picked from commit 041933a1ec7b4173a8e638cae4f8e394331d7e54)
Signed-off-by: Lee Jones
---
 net/unix/garbage.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index 1f8b8cdfcdc8..dfe94a90ece4 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -342,6 +342,18 @@ enum unix_recv_queue_lock_class { U_RECVQ_LOCK_EMBRYO, }; =20 +static void unix_collect_queue(struct unix_sock *u, struct sk_buff_head *h= itlist) +{ + skb_queue_splice_init(&u->sk.sk_receive_queue, hitlist); + +#if IS_ENABLED(CONFIG_AF_UNIX_OOB) + if (u->oob_skb) { + WARN_ON_ONCE(skb_unref(u->oob_skb)); + u->oob_skb =3D NULL; + } +#endif +} + static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *h= itlist) { struct unix_vertex *vertex; @@ -365,18 +377,11 @@ static void unix_collect_skb(struct list_head *scc, s= truct sk_buff_head *hitlist =20 /* listener -> embryo order, the inversion never happens. */ spin_lock_nested(&embryo_queue->lock, U_RECVQ_LOCK_EMBRYO); - skb_queue_splice_init(embryo_queue, hitlist); + unix_collect_queue(unix_sk(skb->sk), hitlist); spin_unlock(&embryo_queue->lock); } } else { - skb_queue_splice_init(queue, hitlist); - -#if IS_ENABLED(CONFIG_AF_UNIX_OOB) - if (u->oob_skb) { - kfree_skb(u->oob_skb); - u->oob_skb =3D NULL; - } -#endif + unix_collect_queue(u, hitlist); } =20 spin_unlock(&queue->lock); --=20 2.49.0.1143.g0be31eac6b-goog
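Review bot: the new unix_collect_queue() helper drops u->oob_skb with WARN_ON_ONCE(skb_unref(u->oob_skb)) where the old inline code used kfree_skb(), and neither the hunk nor the commit message says why. The implied invariant is that the OOB skb is also linked in the receive queue that was just spliced onto hitlist, so this call only releases the extra reference held through u->oob_skb and must never be the last one; if it ever were, skb_unref() would return true and the skb would be leaked rather than freed, with only the one-shot warning to show for it. A one-line comment above the `if (u->oob_skb)` stating that expectation, and naming the lock the caller is expected to hold now that the helper is also reached under the embryo's queue lock, would let a reader check the invariant instead of inferring it.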
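Review bot: in the embryo branch of the second hunk the lock is taken on embryo_queue while the helper is handed unix_sk(skb->sk), and the context showing how embryo_queue was derived is not in the diff, so the reader has to go to the file to confirm that embryo_queue is that socket's receive queue. Naming the embryo once, e.g. `struct unix_sock *embryo = unix_sk(skb->sk);`, and using it for both the lock and a `unix_collect_queue(embryo, hitlist)` call would make the pairing obvious and match the `unix_collect_queue(u, hitlist)` form used in the else branch. Otherwise the hunk does what the message describes: the embryo path now releases the oob_skb reference that skb_queue_splice_init() alone left behind.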