af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS
commit 041933a1ec7b4173a8e638cae4f8e394331d7e54 upstream.
GC attempts to explicitly drop oob_skb's reference before purging the hit
list.
The problem is with embryos: kfree_skb(u->oob_skb) is never called on an
embryo socket.
The python script below [0] sends a listener's fd to its embryo as OOB
data. While GC does collect the embryo's queue, it fails to drop the OOB
skb's refcount. The skb which was in embryo's receive queue stays as
unix_sk(sk)->oob_skb and keeps the listener's refcount [1].
Tell GC to dispose embryo's oob_skb.
[0]:
from array import array
from socket import *
addr = '\x00unix-oob'
lis = socket(AF_UNIX, SOCK_STREAM)
lis.bind(addr)
lis.listen(1)
s = socket(AF_UNIX, SOCK_STREAM)
s.connect(addr)
scm = (SOL_SOCKET, SCM_RIGHTS, array('i', [lis.fileno()]))
s.sendmsg([b'x'], [scm], MSG_OOB)
lis.close()
[1]
$ grep unix-oob /proc/net/unix
$ ./unix-oob.py
$ grep unix-oob /proc/net/unix
0000000000000000: 00000002 00000000 00000000 0001 02 0 @unix-oob
0000000000000000: 00000002 00000000 00010000 0001 01 6072 @unix-oob
Fixes: 4090fa373f0e ("af_unix: Replace garbage collection algorithm.")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Michal Luczaj
committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
parent
c0c8d419da
commit
ed14f8ae9b
@@ -342,6 +342,18 @@ enum unix_recv_queue_lock_class {
|
||||
U_RECVQ_LOCK_EMBRYO,
|
||||
};
|
||||
|
||||
static void unix_collect_queue(struct unix_sock *u, struct sk_buff_head *hitlist)
|
||||
{
|
||||
skb_queue_splice_init(&u->sk.sk_receive_queue, hitlist);
|
||||
|
||||
#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
|
||||
if (u->oob_skb) {
|
||||
WARN_ON_ONCE(skb_unref(u->oob_skb));
|
||||
u->oob_skb = NULL;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *hitlist)
|
||||
{
|
||||
struct unix_vertex *vertex;
|
||||
@@ -365,18 +377,11 @@ static void unix_collect_skb(struct list_head *scc, struct sk_buff_head *hitlist
|
||||
|
||||
/* listener -> embryo order, the inversion never happens. */
|
||||
spin_lock_nested(&embryo_queue->lock, U_RECVQ_LOCK_EMBRYO);
|
||||
skb_queue_splice_init(embryo_queue, hitlist);
|
||||
unix_collect_queue(unix_sk(skb->sk), hitlist);
|
||||
spin_unlock(&embryo_queue->lock);
|
||||
}
|
||||
} else {
|
||||
skb_queue_splice_init(queue, hitlist);
|
||||
|
||||
#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
|
||||
if (u->oob_skb) {
|
||||
kfree_skb(u->oob_skb);
|
||||
u->oob_skb = NULL;
|
||||
}
|
||||
#endif
|
||||
unix_collect_queue(u, hitlist);
|
||||
}
|
||||
|
||||
spin_unlock(&queue->lock);
|
||||
|
||||
Reference in New Issue
Block a user