[ Sasha's backport helper bot ]
Hi,
Summary of potential issues:
ℹ️ This is part 21/27 of a series
⚠️ Found follow-up fixes in mainline
The upstream commit SHA1 provided is correct: 4090fa373f0e763c43610853d2774b5979915959
WARNING: Author mismatch between patch and upstream commit:
Backport author: Lee Jones <lee@kernel.org>
Commit author: Kuniyuki Iwashima <kuniyu@amazon.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Not found
Found fixes commits:
041933a1ec7b af_unix: Fix garbage collection of embryos carrying OOB with SCM_RIGHTS
Note: The patch differs from the upstream commit: --- 1: 4090fa373f0e7 ! 1: 5bd268b2b0ecc af_unix: Replace garbage collection algorithm. @@ Metadata ## Commit message ## af_unix: Replace garbage collection algorithm.
+ [ Upstream commit 4090fa373f0e763c43610853d2774b5979915959 ] + If we find a dead SCC during iteration, we call unix_collect_skb() to splice all skb in the SCC to the global sk_buff_head, hitlist.
@@ Commit message Acked-by: Paolo Abeni pabeni@redhat.com Link: https://lore.kernel.org/r/20240325202425.60930-15-kuniyu@amazon.com Signed-off-by: Jakub Kicinski kuba@kernel.org + (cherry picked from commit 4090fa373f0e763c43610853d2774b5979915959) + Signed-off-by: Lee Jones lee@kernel.org
## include/net/af_unix.h ## @@ include/net/af_unix.h: static inline struct unix_sock *unix_get_socket(struct file *filp) @@ net/unix/garbage.c: static void unix_walk_scc_fast(void) - * receive queues. Other, non candidate sockets _can_ be - * added to queue, so we must make sure only to touch - * candidates. +- * +- * Embryos, though never candidates themselves, affect which +- * candidates are reachable by the garbage collector. Before +- * being added to a listener's queue, an embryo may already +- * receive data carrying SCM_RIGHTS, potentially making the +- * passed socket a candidate that is not yet reachable by the +- * collector. It becomes reachable once the embryo is +- * enqueued. Therefore, we must ensure that no SCM-laden +- * embryo appears in a (candidate) listener's queue between +- * consecutive scan_children() calls. - */ - list_for_each_entry_safe(u, next, &gc_inflight_list, link) { +- struct sock *sk = &u->sk; - long total_refs; - -- total_refs = file_count(u->sk.sk_socket->file); +- total_refs = file_count(sk->sk_socket->file); - - WARN_ON_ONCE(!u->inflight); - WARN_ON_ONCE(total_refs < u->inflight); @@ net/unix/garbage.c: static void unix_walk_scc_fast(void) - list_move_tail(&u->link, &gc_candidates); - __set_bit(UNIX_GC_CANDIDATE, &u->gc_flags); - __set_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags); +- +- if (sk->sk_state == TCP_LISTEN) { +- unix_state_lock_nested(sk, U_LOCK_GC_LISTENER); +- unix_state_unlock(sk); +- } - } - } - ---
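Review bot: In the net/unix/garbage.c hunk, the backport deletes more than the upstream commit did: the "+-" lines show the embryo comment and the "if (sk->sk_state == TCP_LISTEN)" block that takes unix_state_lock_nested(sk, U_LOCK_GC_LISTENER) going away together with the old candidate loop. Since this report also lists the follow-up fix 041933a1ec7b (embryos carrying OOB with SCM_RIGHTS) in mainline, confirm that the rest of the series covers embryo handling under the new algorithm, and check whether U_LOCK_GC_LISTENER is left defined but unused once this block is removed.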
NOTE: These results are for this patch alone. Full series testing will be performed when all parts are received.
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        | Success     | Success    |