diff options
| author | Kuniyuki Iwashima <kuniyu@amazon.com> | 2024-05-08 10:11:50 -0700 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2024-05-10 18:52:45 -0700 |
| commit | 7172dc93d621d5dc302d007e95ddd1311ec64283 (patch) | |
| tree | 9dcbc685a20185bd292a3e7042c42da430bf310f /include/net | |
| parent | 84c8b7ad5e748c0b93415b060c7071f8c524f4f5 (diff) | |
| download | lwn-7172dc93d621d5dc302d007e95ddd1311ec64283.tar.gz lwn-7172dc93d621d5dc302d007e95ddd1311ec64283.zip | |
af_unix: Add dead flag to struct scm_fp_list.
Commit 1af2dface5d2 ("af_unix: Don't access successor in unix_del_edges()
during GC.") fixed use-after-free by avoid accessing edge->successor while
GC is in progress.
However, there could be a small race window where another process could
call unix_del_edges() while gc_in_progress is true and __skb_queue_purge()
is on the way.
So, we need another marker for struct scm_fp_list which indicates if the
skb is garbage-collected.
This patch adds dead flag in struct scm_fp_list and set it true before
calling __skb_queue_purge().
Fixes: 1af2dface5d2 ("af_unix: Don't access successor in unix_del_edges() during GC.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/20240508171150.50601-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/scm.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/scm.h b/include/net/scm.h index bbc5527809d1..0d35c7c77a74 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -33,6 +33,7 @@ struct scm_fp_list { short max; #ifdef CONFIG_UNIX bool inflight; + bool dead; struct list_head vertices; struct unix_edge *edges; #endif |