From: Jakub Kicinski <kuba@kernel.org>
Date: Tue, 10 Sep 2024 00:14:28 +0000 (-0700)
Subject: Merge branch 'af_unix-correct-manage_oob-when-oob-follows-a-consumed-oob'
X-Git-Tag: v6.12-rc1~232^2~66
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=228fa9b1e86d13b4031f18793048643384eb4e51;p=thirdparty%2Fkernel%2Flinux.git

Merge branch 'af_unix-correct-manage_oob-when-oob-follows-a-consumed-oob'

Kuniyuki Iwashima says:

====================
af_unix: Correct manage_oob() when OOB follows a consumed OOB.

Recently syzkaller reported UAF of OOB skb.

The bug was introduced by commit 93c99f21db36 ("af_unix: Don't stop
recv(MSG_DONTWAIT) if consumed OOB skb is at the head.") but uncovered
by another recent commit 8594d9b85c07 ("af_unix: Don't call skb_get()
for OOB skb.").

[0]: https://lore.kernel.org/netdev/00000000000083b05a06214c9ddc@google.com/
====================

Link: https://patch.msgid.link/20240905193240.17565-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---

228fa9b1e86d13b4031f18793048643384eb4e51