On Mon, Mar 03, 2025 at 07:01:49PM -0800, Kuniyuki Iwashima wrote:
> Embryo socket is not queued in gc_candidates, so we can't drop
> a reference held by its oob_skb.
>
> Let's say we create listener and embryo sockets, send the
> listener's fd to the embryo as OOB data, and close() them
> without recv()ing the OOB data.
>
> There is a self-reference cycle like
>
> listener -> embryo.oob_skb -> listener
>
> , so this must be cleaned up by GC. Otherwise, the listener's
> refcnt is not released and sockets are leaked:
>
> # unshare -n
> # cat /proc/net/protocols | grep UNIX-STREAM
> UNIX-STREAM 1024 0 -1 NI 0 yes kernel ...
>
> # python3
> >>> from array import array
> >>> from socket import *
> >>>
> >>> s = socket(AF_UNIX, SOCK_STREAM)
> >>> s.bind('\0test\0')
> >>> s.listen()
> >>>
> >>> c = socket(AF_UNIX, SOCK_STREAM)
> >>> c.connect(s.getsockname())
> >>> c.sendmsg([b'x'], [(SOL_SOCKET, SCM_RIGHTS, array('i', [s.fileno()]))], MSG_OOB)
> 1
> >>> quit()
>
> # cat /proc/net/protocols | grep UNIX-STREAM
> UNIX-STREAM 1024 3 -1 NI 0 yes kernel ...
> ^^^
> 3 sockets still in use after FDs are close()d
>
> Let's drop the embryo socket's oob_skb ref in scan_inflight().
>
> This also fixes a racy access to oob_skb that commit 9841991a446c
> ("af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue
> lock.") fixed for the new Tarjan's algo-based GC.
>
> Fixes: 314001f0bf92 ("af_unix: Add OOB support")
> Reported-by: Lei Lu <llfamsec@xxxxxxxxx>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
> ---
> This has no upstream commit because I replaced the entire GC in
> 6.10 and the new GC does not have this bug, and this fix is only
> applicable to the old GC (<= 6.9), thus for 5.15/6.1/6.6.
You need to get the networking maintainers to review and agree that this
is ok for us to take, as we really don't want to take "custom" stuff
like thi s at all. Why not just take the commits that are in newer
kernels instead?
thanks,
greg k-h
