From: Lee Jones <lee@kernel.org>
To: lee@kernel.org, "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Christian Brauner <brauner@kernel.org>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
Michal Luczaj <mhal@rbox.co>, Rao Shoaib <Rao.Shoaib@oracle.com>,
Pavel Begunkov <asml.silence@gmail.com>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Subject: [PATCH v6.1 10/27] af_unix: Link struct unix_edge when queuing skb.
Date: Wed, 21 May 2025 16:27:09 +0100 [thread overview]
Message-ID: <20250521152920.1116756-11-lee@kernel.org> (raw)
In-Reply-To: <20250521152920.1116756-1-lee@kernel.org>
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 42f298c06b30bfe0a8cbee5d38644e618699e26e ]
Just before queuing skb with inflight fds, we call scm_stat_add(),
which is a good place to set up the preallocated struct unix_vertex
and struct unix_edge in UNIXCB(skb).fp.
Then, we call unix_add_edges() and construct the directed graph
as follows:
1. Set the inflight socket's unix_sock to unix_edge.predecessor.
2. Set the receiver's unix_sock to unix_edge.successor.
3. Set the preallocated vertex to inflight socket's unix_sock.vertex.
4. Link inflight socket's unix_vertex.entry to unix_unvisited_vertices.
5. Link unix_edge.vertex_entry to the inflight socket's unix_vertex.edges.
Let's say we pass the fd of AF_UNIX socket A to B and the fd of B
to C. The graph looks like this:
+-------------------------+
| unix_unvisited_vertices | <-------------------------.
+-------------------------+ |
+ |
| +--------------+ +--------------+ | +--------------+
| | unix_sock A | <---. .---> | unix_sock B | <-|-. .---> | unix_sock C |
| +--------------+ | | +--------------+ | | | +--------------+
| .-+ | vertex | | | .-+ | vertex | | | | | vertex |
| | +--------------+ | | | +--------------+ | | | +--------------+
| | | | | | | |
| | +--------------+ | | | +--------------+ | | |
| '-> | unix_vertex | | | '-> | unix_vertex | | | |
| +--------------+ | | +--------------+ | | |
`---> | entry | +---------> | entry | +-' | |
|--------------| | | |--------------| | |
| edges | <-. | | | edges | <-. | |
+--------------+ | | | +--------------+ | | |
| | | | | |
.----------------------' | | .----------------------' | |
| | | | | |
| +--------------+ | | | +--------------+ | |
| | unix_edge | | | | | unix_edge | | |
| +--------------+ | | | +--------------+ | |
`-> | vertex_entry | | | `-> | vertex_entry | | |
|--------------| | | |--------------| | |
| predecessor | +---' | | predecessor | +---' |
|--------------| | |--------------| |
| successor | +-----' | successor | +-----'
+--------------+ +--------------+
Henceforth, we denote such a graph as A -> B (-> C).
Now, we can express all inflight fd graphs that do not contain
embryo sockets. We will support the particular case later.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/20240325202425.60930-4-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 42f298c06b30bfe0a8cbee5d38644e618699e26e)
Signed-off-by: Lee Jones <lee@kernel.org>
---
include/net/af_unix.h | 2 +
include/net/scm.h | 1 +
net/core/scm.c | 2 +
net/unix/af_unix.c | 8 +++-
net/unix/garbage.c | 90 ++++++++++++++++++++++++++++++++++++++++++-
5 files changed, 100 insertions(+), 3 deletions(-)
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 279087595966..08cc90348043 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -22,6 +22,8 @@ extern unsigned int unix_tot_inflight;
void unix_inflight(struct user_struct *user, struct file *fp);
void unix_notinflight(struct user_struct *user, struct file *fp);
+void unix_add_edges(struct scm_fp_list *fpl, struct unix_sock *receiver);
+void unix_del_edges(struct scm_fp_list *fpl);
int unix_prepare_fpl(struct scm_fp_list *fpl);
void unix_destroy_fpl(struct scm_fp_list *fpl);
void unix_gc(void);
diff --git a/include/net/scm.h b/include/net/scm.h
index 19d7d802ed6c..19789096424d 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -30,6 +30,7 @@ struct scm_fp_list {
short count_unix;
short max;
#ifdef CONFIG_UNIX
+ bool inflight;
struct list_head vertices;
struct unix_edge *edges;
#endif
diff --git a/net/core/scm.c b/net/core/scm.c
index 4c343729f960..1ff78bd4ee83 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -90,6 +90,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
fpl->max = SCM_MAX_FD;
fpl->user = NULL;
#if IS_ENABLED(CONFIG_UNIX)
+ fpl->inflight = false;
fpl->edges = NULL;
INIT_LIST_HEAD(&fpl->vertices);
#endif
@@ -380,6 +381,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
new_fpl->max = new_fpl->count;
new_fpl->user = get_uid(fpl->user);
#if IS_ENABLED(CONFIG_UNIX)
+ new_fpl->inflight = false;
new_fpl->edges = NULL;
INIT_LIST_HEAD(&new_fpl->vertices);
#endif
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 0d3ba0d210c0..658a1680a92e 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1910,8 +1910,10 @@ static void scm_stat_add(struct sock *sk, struct sk_buff *skb)
struct scm_fp_list *fp = UNIXCB(skb).fp;
struct unix_sock *u = unix_sk(sk);
- if (unlikely(fp && fp->count))
+ if (unlikely(fp && fp->count)) {
atomic_add(fp->count, &u->scm_stat.nr_fds);
+ unix_add_edges(fp, u);
+ }
}
static void scm_stat_del(struct sock *sk, struct sk_buff *skb)
@@ -1919,8 +1921,10 @@ static void scm_stat_del(struct sock *sk, struct sk_buff *skb)
struct scm_fp_list *fp = UNIXCB(skb).fp;
struct unix_sock *u = unix_sk(sk);
- if (unlikely(fp && fp->count))
+ if (unlikely(fp && fp->count)) {
atomic_sub(fp->count, &u->scm_stat.nr_fds);
+ unix_del_edges(fp);
+ }
}
/*
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index 912b7945692c..b5b4a200dbf3 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -101,6 +101,38 @@ struct unix_sock *unix_get_socket(struct file *filp)
return NULL;
}
+static LIST_HEAD(unix_unvisited_vertices);
+
+static void unix_add_edge(struct scm_fp_list *fpl, struct unix_edge *edge)
+{
+ struct unix_vertex *vertex = edge->predecessor->vertex;
+
+ if (!vertex) {
+ vertex = list_first_entry(&fpl->vertices, typeof(*vertex), entry);
+ vertex->out_degree = 0;
+ INIT_LIST_HEAD(&vertex->edges);
+
+ list_move_tail(&vertex->entry, &unix_unvisited_vertices);
+ edge->predecessor->vertex = vertex;
+ }
+
+ vertex->out_degree++;
+ list_add_tail(&edge->vertex_entry, &vertex->edges);
+}
+
+static void unix_del_edge(struct scm_fp_list *fpl, struct unix_edge *edge)
+{
+ struct unix_vertex *vertex = edge->predecessor->vertex;
+
+ list_del(&edge->vertex_entry);
+ vertex->out_degree--;
+
+ if (!vertex->out_degree) {
+ edge->predecessor->vertex = NULL;
+ list_move_tail(&vertex->entry, &fpl->vertices);
+ }
+}
+
static void unix_free_vertices(struct scm_fp_list *fpl)
{
struct unix_vertex *vertex, *next_vertex;
@@ -111,6 +143,60 @@ static void unix_free_vertices(struct scm_fp_list *fpl)
}
}
+DEFINE_SPINLOCK(unix_gc_lock);
+
+void unix_add_edges(struct scm_fp_list *fpl, struct unix_sock *receiver)
+{
+ int i = 0, j = 0;
+
+ spin_lock(&unix_gc_lock);
+
+ if (!fpl->count_unix)
+ goto out;
+
+ do {
+ struct unix_sock *inflight = unix_get_socket(fpl->fp[j++]);
+ struct unix_edge *edge;
+
+ if (!inflight)
+ continue;
+
+ edge = fpl->edges + i++;
+ edge->predecessor = inflight;
+ edge->successor = receiver;
+
+ unix_add_edge(fpl, edge);
+ } while (i < fpl->count_unix);
+
+out:
+ spin_unlock(&unix_gc_lock);
+
+ fpl->inflight = true;
+
+ unix_free_vertices(fpl);
+}
+
+void unix_del_edges(struct scm_fp_list *fpl)
+{
+ int i = 0;
+
+ spin_lock(&unix_gc_lock);
+
+ if (!fpl->count_unix)
+ goto out;
+
+ do {
+ struct unix_edge *edge = fpl->edges + i++;
+
+ unix_del_edge(fpl, edge);
+ } while (i < fpl->count_unix);
+
+out:
+ spin_unlock(&unix_gc_lock);
+
+ fpl->inflight = false;
+}
+
int unix_prepare_fpl(struct scm_fp_list *fpl)
{
struct unix_vertex *vertex;
@@ -141,11 +227,13 @@ int unix_prepare_fpl(struct scm_fp_list *fpl)
void unix_destroy_fpl(struct scm_fp_list *fpl)
{
+ if (fpl->inflight)
+ unix_del_edges(fpl);
+
kvfree(fpl->edges);
unix_free_vertices(fpl);
}
-DEFINE_SPINLOCK(unix_gc_lock);
unsigned int unix_tot_inflight;
static LIST_HEAD(gc_candidates);
static LIST_HEAD(gc_inflight_list);
--
2.49.0.1143.g0be31eac6b-goog
next prev parent reply other threads:[~2025-05-21 15:33 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-21 15:26 [PATCH v6.1 00/27] af_unix: Align with upstream to avoid a potential UAF Lee Jones
2025-05-21 15:27 ` [PATCH v6.1 01/27] af_unix: Kconfig: make CONFIG_UNIX bool Lee Jones
2025-05-22 2:08 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 02/27] af_unix: Return struct unix_sock from unix_get_socket() Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 03/27] af_unix: Run GC on only one CPU Lee Jones
2025-05-22 2:08 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 04/27] af_unix: Try to run GC async Lee Jones
2025-05-22 2:04 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 05/27] af_unix: Replace BUG_ON() with WARN_ON_ONCE() Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-23 21:14 ` David Laight
2025-06-04 13:43 ` Lee Jones
2025-06-04 18:45 ` Kuniyuki Iwashima
2025-05-21 15:27 ` [PATCH v6.1 06/27] af_unix: Remove io_uring code for GC Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 07/27] af_unix: Remove CONFIG_UNIX_SCM Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 08/27] af_unix: Allocate struct unix_vertex for each inflight AF_UNIX fd Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 09/27] af_unix: Allocate struct unix_edge " Lee Jones
2025-05-22 2:04 ` Sasha Levin
2025-05-21 15:27 ` Lee Jones [this message]
2025-05-22 2:05 ` [PATCH v6.1 10/27] af_unix: Link struct unix_edge when queuing skb Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 11/27] af_unix: Bulk update unix_tot_inflight/unix_inflight " Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 12/27] af_unix: Iterate all vertices by DFS Lee Jones
2025-05-22 2:06 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 13/27] af_unix: Detect Strongly Connected Components Lee Jones
2025-05-22 2:04 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 14/27] af_unix: Save listener for embryo socket Lee Jones
2025-05-22 2:08 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 15/27] af_unix: Fix up unix_edge.successor " Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 16/27] af_unix: Save O(n) setup of Tarjan's algo Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 17/27] af_unix: Skip GC if no cycle exists Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 18/27] af_unix: Avoid Tarjan's algorithm if unnecessary Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 19/27] af_unix: Assign a unique index to SCC Lee Jones
2025-05-22 2:04 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 20/27] af_unix: Detect dead SCC Lee Jones
2025-05-22 2:06 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 21/27] af_unix: Replace garbage collection algorithm Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 22/27] af_unix: Remove lock dance in unix_peek_fds() Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 23/27] af_unix: Try not to hold unix_gc_lock during accept() Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 24/27] af_unix: Don't access successor in unix_del_edges() during GC Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 25/27] af_unix: Add dead flag to struct scm_fp_list Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 26/27] af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS Lee Jones
2025-05-22 2:06 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 27/27] af_unix: Fix uninit-value in __unix_walk_scc() Lee Jones
2025-05-22 2:04 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250521152920.1116756-11-lee@kernel.org \
--to=lee@kernel.org \
--cc=Rao.Shoaib@oracle.com \
--cc=aleksandr.mikhalitsyn@canonical.com \
--cc=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=brauner@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhal@rbox.co \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.