6.11-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
[ Upstream commit beb2c5f19b6ab033b187e770a659c730c3bd05ca ]
When OOB skb has been already consumed, manage_oob() returns the next skb if exists. In such a case, we need to fall back to the else branch below. Then, we need to keep two skbs and free them later with consume_skb() and kfree_skb(). Let's rename unlinked_skb accordingly.
Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Link: https://patch.msgid.link/20240905193240.17565-3-kuniyu@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().")
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
 net/unix/af_unix.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 03820454bc723..91d7877a10794 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2654,7 +2654,7 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
 static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
 int flags, int copied)
 {
- struct sk_buff *unlinked_skb = NULL;
+ struct sk_buff *read_skb = NULL, *unread_skb = NULL;
 struct unix_sock *u = unix_sk(sk);
 if (!unix_skb_len(skb)) {
@@ -2665,14 +2665,14 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
 } else if (flags & MSG_PEEK) {
 skb = skb_peek_next(skb, &sk->sk_receive_queue);
 } else {
- unlinked_skb = skb;
+ read_skb = skb;
 skb = skb_peek_next(skb, &sk->sk_receive_queue);
- __skb_unlink(unlinked_skb, &sk->sk_receive_queue);
+ __skb_unlink(read_skb, &sk->sk_receive_queue);
 }
 spin_unlock(&sk->sk_receive_queue.lock);
- consume_skb(unlinked_skb);
+ consume_skb(read_skb);
 return skb;
 }
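Review bot: The declaration `struct sk_buff *read_skb = NULL, *unread_skb = NULL;` in the first hunk explains the need for two pointers only through their names, so the differing release calls are easy to mix up in a later edit. The early-return path in the second hunk releases read_skb with consume_skb(), and the `unlock:` path in the last hunk releases unread_skb with kfree_skb(), each only after spin_unlock(). I would add a comment above the declaration, e.g. `/* read_skb: fully read skb, freed with consume_skb(); unread_skb: skb unlinked unread, freed with kfree_skb(); both freed after the queue lock is dropped */`. manage_oob()'s body continues outside these hunks, so whether every path leaves at most one of the two pointers set cannot be confirmed from here.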
@@ -2688,7 +2688,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
 if (!sock_flag(sk, SOCK_URGINLINE)) {
 __skb_unlink(skb, &sk->sk_receive_queue);
- unlinked_skb = skb;
+ unread_skb = skb;
 skb = skb_peek(&sk->sk_receive_queue);
 }
 } else if (!sock_flag(sk, SOCK_URGINLINE)) {
@@ -2698,7 +2698,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
 unlock:
 spin_unlock(&sk->sk_receive_queue.lock);
- kfree_skb(unlinked_skb);
+ kfree_skb(unread_skb);
 return skb;
 }
-- 2.43.0