From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, lee@kernel.org
Cc: Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH v6.1 21/27] af_unix: Replace garbage collection algorithm.
Date: Wed, 21 May 2025 22:07:03 -0400 [thread overview]
Message-ID: <20250521211957-b55d025cab4bc4ca@stable.kernel.org> (raw)
In-Reply-To: <20250521152920.1116756-22-lee@kernel.org>
[ Sasha's backport helper bot ]
Hi,
Summary of potential issues:
ℹ️ This is part 21/27 of a series
⚠️ Found follow-up fixes in mainline
The upstream commit SHA1 provided is correct: 4090fa373f0e763c43610853d2774b5979915959
WARNING: Author mismatch between patch and upstream commit:
Backport author: Lee Jones<lee@kernel.org>
Commit author: Kuniyuki Iwashima<kuniyu@amazon.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Not found
Found fixes commits:
041933a1ec7b af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS
Note: The patch differs from the upstream commit:
---
1: 4090fa373f0e7 ! 1: 5bd268b2b0ecc af_unix: Replace garbage collection algorithm.
@@ Metadata
## Commit message ##
af_unix: Replace garbage collection algorithm.
+ [ Upstream commit 4090fa373f0e763c43610853d2774b5979915959 ]
+
If we find a dead SCC during iteration, we call unix_collect_skb()
to splice all skb in the SCC to the global sk_buff_head, hitlist.
@@ Commit message
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/20240325202425.60930-15-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+ (cherry picked from commit 4090fa373f0e763c43610853d2774b5979915959)
+ Signed-off-by: Lee Jones <lee@kernel.org>
## include/net/af_unix.h ##
@@ include/net/af_unix.h: static inline struct unix_sock *unix_get_socket(struct file *filp)
@@ net/unix/garbage.c: static void unix_walk_scc_fast(void)
- * receive queues. Other, non candidate sockets _can_ be
- * added to queue, so we must make sure only to touch
- * candidates.
+- *
+- * Embryos, though never candidates themselves, affect which
+- * candidates are reachable by the garbage collector. Before
+- * being added to a listener's queue, an embryo may already
+- * receive data carrying SCM_RIGHTS, potentially making the
+- * passed socket a candidate that is not yet reachable by the
+- * collector. It becomes reachable once the embryo is
+- * enqueued. Therefore, we must ensure that no SCM-laden
+- * embryo appears in a (candidate) listener's queue between
+- * consecutive scan_children() calls.
- */
- list_for_each_entry_safe(u, next, &gc_inflight_list, link) {
+- struct sock *sk = &u->sk;
- long total_refs;
-
-- total_refs = file_count(u->sk.sk_socket->file);
+- total_refs = file_count(sk->sk_socket->file);
-
- WARN_ON_ONCE(!u->inflight);
- WARN_ON_ONCE(total_refs < u->inflight);
@@ net/unix/garbage.c: static void unix_walk_scc_fast(void)
- list_move_tail(&u->link, &gc_candidates);
- __set_bit(UNIX_GC_CANDIDATE, &u->gc_flags);
- __set_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags);
+-
+- if (sk->sk_state == TCP_LISTEN) {
+- unix_state_lock_nested(sk, U_LOCK_GC_LISTENER);
+- unix_state_unlock(sk);
+- }
- }
- }
-
---
NOTE: These results are for this patch alone. Full series testing will be
performed when all parts are received.
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y | Success | Success |
next prev parent reply other threads:[~2025-05-22 2:07 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-21 15:26 [PATCH v6.1 00/27] af_unix: Align with upstream to avoid a potential UAF Lee Jones
2025-05-21 15:27 ` [PATCH v6.1 01/27] af_unix: Kconfig: make CONFIG_UNIX bool Lee Jones
2025-05-22 2:08 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 02/27] af_unix: Return struct unix_sock from unix_get_socket() Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 03/27] af_unix: Run GC on only one CPU Lee Jones
2025-05-22 2:08 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 04/27] af_unix: Try to run GC async Lee Jones
2025-05-22 2:04 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 05/27] af_unix: Replace BUG_ON() with WARN_ON_ONCE() Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-23 21:14 ` David Laight
2025-06-04 13:43 ` Lee Jones
2025-06-04 18:45 ` Kuniyuki Iwashima
2025-05-21 15:27 ` [PATCH v6.1 06/27] af_unix: Remove io_uring code for GC Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 07/27] af_unix: Remove CONFIG_UNIX_SCM Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 08/27] af_unix: Allocate struct unix_vertex for each inflight AF_UNIX fd Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 09/27] af_unix: Allocate struct unix_edge " Lee Jones
2025-05-22 2:04 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 10/27] af_unix: Link struct unix_edge when queuing skb Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 11/27] af_unix: Bulk update unix_tot_inflight/unix_inflight " Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 12/27] af_unix: Iterate all vertices by DFS Lee Jones
2025-05-22 2:06 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 13/27] af_unix: Detect Strongly Connected Components Lee Jones
2025-05-22 2:04 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 14/27] af_unix: Save listener for embryo socket Lee Jones
2025-05-22 2:08 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 15/27] af_unix: Fix up unix_edge.successor " Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 16/27] af_unix: Save O(n) setup of Tarjan's algo Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 17/27] af_unix: Skip GC if no cycle exists Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 18/27] af_unix: Avoid Tarjan's algorithm if unnecessary Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 19/27] af_unix: Assign a unique index to SCC Lee Jones
2025-05-22 2:04 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 20/27] af_unix: Detect dead SCC Lee Jones
2025-05-22 2:06 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 21/27] af_unix: Replace garbage collection algorithm Lee Jones
2025-05-22 2:07 ` Sasha Levin [this message]
2025-05-21 15:27 ` [PATCH v6.1 22/27] af_unix: Remove lock dance in unix_peek_fds() Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 23/27] af_unix: Try not to hold unix_gc_lock during accept() Lee Jones
2025-05-22 2:05 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 24/27] af_unix: Don't access successor in unix_del_edges() during GC Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 25/27] af_unix: Add dead flag to struct scm_fp_list Lee Jones
2025-05-22 2:07 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 26/27] af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS Lee Jones
2025-05-22 2:06 ` Sasha Levin
2025-05-21 15:27 ` [PATCH v6.1 27/27] af_unix: Fix uninit-value in __unix_walk_scc() Lee Jones
2025-05-22 2:04 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250521211957-b55d025cab4bc4ca@stable.kernel.org \
--to=sashal@kernel.org \
--cc=lee@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.