This is a note to let you know that I've just added the patch titled af_unix: Rename unlinked_skb in manage_oob(). to the 6.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: af_unix-rename-unlinked_skb-in-manage_oob.patch and it can be found in the queue-6.11 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it.
commit fe3a7d76cd8027ce256356e02b2078e25db0301b
Author: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Date: Thu Sep 5 12:32:38 2024 -0700
af_unix: Rename unlinked_skb in manage_oob().
[ Upstream commit beb2c5f19b6ab033b187e770a659c730c3bd05ca ]
When OOB skb has been already consumed, manage_oob() returns the next skb if exists. In such a case, we need to fall back to the else branch below. Then, we need to keep two skbs and free them later with consume_skb() and kfree_skb(). Let's rename unlinked_skb accordingly.
Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Link: https://patch.msgid.link/20240905193240.17565-3-kuniyu@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().")
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 03820454bc723..91d7877a10794 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2654,7 +2654,7 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
 static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
 int flags, int copied)
 {
- struct sk_buff *unlinked_skb = NULL;
+ struct sk_buff *read_skb = NULL, *unread_skb = NULL;
 struct unix_sock *u = unix_sk(sk);
 if (!unix_skb_len(skb)) {
@@ -2665,14 +2665,14 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
 } else if (flags & MSG_PEEK) {
 skb = skb_peek_next(skb, &sk->sk_receive_queue);
 } else {
- unlinked_skb = skb;
+ read_skb = skb;
 skb = skb_peek_next(skb, &sk->sk_receive_queue);
- __skb_unlink(unlinked_skb, &sk->sk_receive_queue);
+ __skb_unlink(read_skb, &sk->sk_receive_queue);
 }
 spin_unlock(&sk->sk_receive_queue.lock);
- consume_skb(unlinked_skb);
+ consume_skb(read_skb);
 return skb;
 }
@@ -2688,7 +2688,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
 if (!sock_flag(sk, SOCK_URGINLINE)) {
 __skb_unlink(skb, &sk->sk_receive_queue);
- unlinked_skb = skb;
+ unread_skb = skb;
 skb = skb_peek(&sk->sk_receive_queue);
 }
 } else if (!sock_flag(sk, SOCK_URGINLINE)) {
@@ -2698,7 +2698,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
 unlock:
 spin_unlock(&sk->sk_receive_queue.lock);
- kfree_skb(unlinked_skb);
+ kfree_skb(unread_skb);
 return skb;
 }