af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS
commit 041933a1 upstream.

GC attempts to explicitly drop oob_skb's reference before purging the hit
list.

The problem is with embryos: kfree_skb(u->oob_skb) is never called on an
embryo socket.

The python script below [0] sends a listener's fd to its embryo as OOB data.
While GC does collect the embryo's queue, it fails to drop the OOB skb's
refcount. The skb which was in embryo's receive queue stays as
unix_sk(sk)->oob_skb and keeps the listener's refcount [1].

Tell GC to dispose embryo's oob_skb.

[0]:
from array import array
from socket import *

addr = '\x00unix-oob'
lis = socket(AF_UNIX, SOCK_STREAM)
lis.bind(addr)
lis.listen(1)

s = socket(AF_UNIX, SOCK_STREAM)
s.connect(addr)
scm = (SOL_SOCKET, SCM_RIGHTS, array('i', [lis.fileno()]))
s.sendmsg([b'x'], [scm], MSG_OOB)

lis.close()

[1]
$ grep unix-oob /proc/net/unix
$ ./unix-oob.py
$ grep unix-oob /proc/net/unix
0000000000000000: 00000002 00000000 00000000 0001 02 0 @unix-oob
0000000000000000: 00000002 00000000 00010000 0001 01 6072 @unix-oob

Fixes: 4090fa37 ("af_unix: Replace garbage collection algorithm.")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
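The grep check in [1] written as a script, added here as an example that is not part of the commit or the kernel tree: it parses /proc/net/unix (kernel field order: hashed address, RefCount, Protocol, Flags, Type, St, Inode, Path) and lists every socket still bound to an address after the process that created it has exited, which is exactly what a leaked embryo and the listener it pins look like. The sample lines are the two quoted in the commit message.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SO_ACCEPTCON = 0x00010000  # __SO_ACCEPTCON flag: the socket is listening

@dataclass
class UnixSock:
    refcount: int
    flags: int
    type: int
    state: int
    inode: int
    path: Optional[str]

    @property
    def listening(self) -> bool:
        return bool(self.flags & SO_ACCEPTCON)

    @property
    def embryo(self) -> bool:
        # A not-yet-accepted child has no struct socket, so /proc shows inode 0.
        return self.inode == 0

def parse_proc_net_unix(text: str) -> List[UnixSock]:
    """Parse /proc/net/unix lines: addr: RefCount Protocol Flags Type St Inode [Path]."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not re.fullmatch(r"[0-9a-f]+:", f[0]):
            continue  # header line or something we do not understand
        socks.append(UnixSock(int(f[1], 16), int(f[3], 16), int(f[4], 16),
                              int(f[5], 16), int(f[6]), f[7] if len(f) > 7 else None))
    return socks

def leaked_sockets(text: str, path: str) -> List[UnixSock]:
    """Entries still bound to `path` once their owning process has exited."""
    return [s for s in parse_proc_net_unix(text) if s.path == path]

def describe(s: UnixSock) -> str:
    kind = "listener" if s.listening else ("embryo" if s.embryo else "socket")
    return f"leaked {kind}: inode={s.inode} refcount={s.refcount} state={s.state:02x}"

# Constructed sample: the two lines the commit message shows after unix-oob.py
# has exited, i.e. the embryo (inode 0) and the listener it keeps alive (6072).
SAMPLE_AFTER = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00000000 0001 02 0 @unix-oob
0000000000000000: 00000002 00000000 00010000 0001 01 6072 @unix-oob
"""
```

On a live system, feed `open("/proc/net/unix").read()` to `leaked_sockets` after the reproducer has exited; a patched kernel returns an empty list.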