git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Kuniyuki Iwashima <kuniyu@amazon.com>
	Wed, 21 May 2025 15:27:24 +0000 (16:27 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 4 Jun 2025 12:40:24 +0000 (14:40 +0200)
commit	28201f38dc5f65cf7f5f54eceea5e7b12122535e
tree	6c495dced9c60a54b89501f94af24d23c0919592	tree
parent	f9977b176f512a83ccedcc2b8229b6590b374fe7	commit \| diff

af_unix: Add dead flag to struct scm_fp_list.

commit 7172dc93d621d5dc302d007e95ddd1311ec64283 upstream.

Commit 1af2dface5d2 ("af_unix: Don't access successor in unix_del_edges()
during GC.") fixed use-after-free by avoid accessing edge->successor while
GC is in progress.

However, there could be a small race window where another process could
call unix_del_edges() while gc_in_progress is true and __skb_queue_purge()
is on the way.

So, we need another marker for struct scm_fp_list which indicates if the
skb is garbage-collected.

This patch adds dead flag in struct scm_fp_list and set it true before
calling __skb_queue_purge().

Fixes: 1af2dface5d2 ("af_unix: Don't access successor in unix_del_edges() during GC.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/20240508171150.50601-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

include/net/scm.h		diff \| blob \| blame \| history
net/core/scm.c		diff \| blob \| blame \| history
net/unix/garbage.c		diff \| blob \| blame \| history