af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS
commit 041933a1 upstream.

GC attempts to explicitly drop oob_skb's reference before purging the hit
list. The problem is with embryos: kfree_skb(u->oob_skb) is never called
on an embryo socket.

The python script below [0] sends a listener's fd to its embryo as OOB
data. While GC does collect the embryo's queue, it fails to drop the OOB
skb's refcount. The skb which was in embryo's receive queue stays as
unix_sk(sk)->oob_skb and keeps the listener's refcount [1].

Tell GC to dispose embryo's oob_skb.

[0]:
    from array import array
    from socket import *

    addr = '\x00unix-oob'
    lis = socket(AF_UNIX, SOCK_STREAM)
    lis.bind(addr)
    lis.listen(1)

    s = socket(AF_UNIX, SOCK_STREAM)
    s.connect(addr)
    scm = (SOL_SOCKET, SCM_RIGHTS, array('i', [lis.fileno()]))
    s.sendmsg([b'x'], [scm], MSG_OOB)
    lis.close()

[1]:
    $ grep unix-oob /proc/net/unix
    $ ./unix-oob.py
    $ grep unix-oob /proc/net/unix
    0000000000000000: 00000002 00000000 00000000 0001 02 0 @unix-oob
    0000000000000000: 00000002 00000000 00010000 0001 01 6072 @unix-oob

Fixes: 4090fa37 ("af_unix: Replace garbage collection algorithm.")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
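The commit message verifies the leak by hand with grep over /proc/net/unix. The script below is an added regression check, not part of the upstream commit or the kernel tree: it parses /proc/net/unix (Num, RefCount, Protocol, Flags, Type, St, Inode, Path), runs the commit's scenario against the running kernel, closes every descriptor, and reports whether the listener still appears afterwards, so a kernel with the fix applied should report nothing lingering. It assumes Linux with AF_UNIX MSG_OOB support; the abstract socket name "unix-oob-check" and the one-second settle time are choices made here, and the sample /proc text is the commit's own [1] output with the header line restored.

```python
#!/usr/bin/env python3
"""Regression check for the embryo/OOB SCM_RIGHTS listener leak.

Added example, not part of the upstream commit. Assumes Linux with AF_UNIX
MSG_OOB support; the socket name and settle interval are assumptions.
"""
import socket
import time
from array import array
from dataclasses import dataclass
from typing import List, Optional

# Socket states from include/linux/net.h, as printed in the "St" column (hex).
SS_STATES = {0: "FREE", 1: "UNCONNECTED", 2: "CONNECTING",
             3: "CONNECTED", 4: "DISCONNECTING"}
SO_ACCEPTCON = 0x10000  # __SO_ACCEPTCON bit in the Flags column: listening socket

# Sample input: the two lines from the commit message's [1] output, with the
# /proc/net/unix header line restored (constructed for this check).
SAMPLE_PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00000000 0001 02 0 @unix-oob
0000000000000000: 00000002 00000000 00010000 0001 01 6072 @unix-oob
"""


@dataclass
class UnixSockEntry:
    refcount: int
    flags: int
    sock_type: int
    state: str
    inode: int
    path: Optional[str]  # None for unnamed sockets; '@' prefix = abstract namespace

    @property
    def listening(self) -> bool:
        return bool(self.flags & SO_ACCEPTCON)


def parse_proc_net_unix(text: str) -> List[UnixSockEntry]:
    """Parse /proc/net/unix rows: Num RefCount Protocol Flags Type St Inode [Path]."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].endswith(":"):
            continue  # header line or blank line
        refcount, _proto, flags, sock_type, st, inode = fields[1:7]
        path = fields[7] if len(fields) > 7 else None
        entries.append(UnixSockEntry(
            refcount=int(refcount, 16),
            flags=int(flags, 16),
            sock_type=int(sock_type, 16),
            state=SS_STATES.get(int(st, 16), f"UNKNOWN({st})"),
            inode=int(inode),  # Inode is the only decimal column
            path=path,
        ))
    return entries


def lingering_entries(text: str, name: str) -> List[UnixSockEntry]:
    """Entries bound to abstract name `name` (shown as '@name' in /proc)."""
    return [e for e in parse_proc_net_unix(text) if e.path == "@" + name]


def reproduce_and_check(name: str = "unix-oob-check",
                        settle: float = 1.0) -> Optional[List[UnixSockEntry]]:
    """Run the commit's scenario, close everything, and return what lingers.

    None: the kernel rejected MSG_OOB on AF_UNIX, so the bug cannot be exercised.
    []:   GC released the listener (expected with the fix applied).
    Non-empty: the listener survived its close, which is the leak being fixed.
    """
    addr = "\0" + name  # abstract namespace, as in the commit's script
    lis = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        lis.bind(addr)
        lis.listen(1)
        s.connect(addr)  # creates the embryo on lis's accept queue
        scm = (socket.SOL_SOCKET, socket.SCM_RIGHTS, array("i", [lis.fileno()]))
        try:
            s.sendmsg([b"x"], [scm], socket.MSG_OOB)  # listener fd rides the OOB skb
        except OSError:
            return None
    finally:
        lis.close()
        s.close()
    time.sleep(settle)  # GC may run asynchronously; give it a moment
    with open("/proc/net/unix") as f:
        return lingering_entries(f.read(), name)


if __name__ == "__main__":
    left = reproduce_and_check()
    if left is None:
        print("MSG_OOB on AF_UNIX not supported here; nothing to check")
    elif not left:
        print("OK: listener released after close")
    else:
        for e in left:
            print(f"LEAK: inode={e.inode} refcount={e.refcount} "
                  f"listening={e.listening} state={e.state}")
```

Run as root or as any user (reading /proc/net/unix needs no privilege); the parse step alone is enough to interpret the commit's [1] output, where the second row's Flags of 00010000 marks the closed listener as still listening with a refcount of 2.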
- mentioned in commit 5d1867ce
- mentioned in commit 713e1cfd
- mentioned in commit 7de559de
- mentioned in commit cd36584a
- mentioned in commit 329da07f
- mentioned in commit 9c0c34b5
- mentioned in commit 9917d3cc
- mentioned in commit efa3c237
- mentioned in commit 6e868e8e
- mentioned in commit 10b66567
- mentioned in commit 22b7c464
- mentioned in commit 17614b2d
- mentioned in commit 5156d49e
- mentioned in commit 98aebd30