From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <mhal@rbox.co>
Cc: <davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>,
<kuni1840@gmail.com>, <kuniyu@amazon.com>,
<netdev@vger.kernel.org>, <pabeni@redhat.com>
Subject: Re: [PATCH v5 net 1/2] af_unix: Fix garbage collection of embryos carrying OOB/SCM_RIGHTS.
Date: Wed, 15 May 2024 22:35:47 +0900
Message-ID: <20240515133547.47276-1-kuniyu@amazon.com>
In-Reply-To: <c6eb5987-4ffa-47cf-a0c7-dcc7b969d2ca@rbox.co>
From: Michal Luczaj <mhal@rbox.co>
Date: Wed, 15 May 2024 11:34:51 +0200
> On 5/15/24 02:32, Kuniyuki Iwashima wrote:
> > ...
> > The python script below [0] sends a listener's fd to its embryo as OOB
> > data. Then, GC does not iterate the embryo from the listener to drop
> > the OOB skb's refcount, and the skb in embryo's receive queue keeps the
> > listener's refcount. As a result, the listener is leaked and the warning
> > [1] is hit.
> > ...
>
> Sorry, this does not convey what I wrote. And I think your edit is
> incorrect.
>
> GC starts from the in-flight listener and *does* iterate the embryo; see
> scan_children() where scan_inflight() is called for all the embryos.

I meant the current code does not call skb_unref() for embryos' OOB skb
because it's done _after_ scan_inflight(), not in scan_inflight().

> The skb in embryo's RQ *does not* keep the listener's refcount; skb from RQ
> ends up in the hit list and is purged.

unix_sk(sk)->oob_skb is a pointer to skb in recvq. Perhaps I should
have written "the skb which was in embryo's receive queue stays as
unix_sk(sk)->oob_skb and keeps the listener's refcount".

> It is embryo's oob_skb that holds the refcount; see how __unix_gc() goes
> over gc_candidates attempting to kfree_skb(u->oob_skb), notice that `u`
> here is a listener, not an embryo.
>
> I understand you're "in rush for the merge window", but would it be okay if
> I ask you not to edit my commit messages so heavily?

I noticed the new gc code was merged in Linus' tree. It's still not
synced with net.git, but I guess it will be done soon and your patch
will not apply on net.git. Then, I cannot include your patch as a
series, so please feel free to send it to each stable tree.

Thanks