lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8eb7c0b3-afc7-4dca-b614-397514a1994b@kernel.dk>
Date: Mon, 12 Feb 2024 10:47:20 -0700
From: Jens Axboe <axboe@...nel.dk>
To: Pengfei Xu <pengfei.xu@...el.com>, Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>, Pavel Begunkov <asml.silence@...il.com>,
 Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH v1 net-next 2/3] af_unix: Remove io_uring code for GC.

On 2/11/24 7:17 PM, Pengfei Xu wrote:
> Hi,
> 
> On 2024-01-29 at 11:04:34 -0800, Kuniyuki Iwashima wrote:
>> Since commit 705318a99a13 ("io_uring/af_unix: disable sending
>> io_uring over sockets"), io_uring's unix socket cannot be passed
>> via SCM_RIGHTS, so it does not contribute to cyclic reference and
>> no longer be candidate for garbage collection.
>>
>> Also, commit 6e5e6d274956 ("io_uring: drop any code related to
>> SCM_RIGHTS") cleaned up SCM_RIGHTS code in io_uring.
>>
>> Let's do it in AF_UNIX as well by reverting commit 0091bfc81741
>> ("io_uring/af_unix: defer registered files gc to io_uring release")
>> and commit 10369080454d ("net: reclaim skb->scm_io_uring bit").
>>
>> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
>> ---
>>  include/net/af_unix.h |  1 -
>>  net/unix/garbage.c    | 25 ++-----------------------
>>  net/unix/scm.c        |  6 ------
>>  3 files changed, 2 insertions(+), 30 deletions(-)
>>
>> diff --git a/include/net/af_unix.h b/include/net/af_unix.h
>> index f045bbd9017d..9e39b2ec4524 100644
>> --- a/include/net/af_unix.h
>> +++ b/include/net/af_unix.h
>> @@ -20,7 +20,6 @@ static inline struct unix_sock *unix_get_socket(struct file *filp)
>>  void unix_inflight(struct user_struct *user, struct file *fp);
>>  void unix_notinflight(struct user_struct *user, struct file *fp);
>>  void unix_destruct_scm(struct sk_buff *skb);
>> -void io_uring_destruct_scm(struct sk_buff *skb);
>>  void unix_gc(void);
>>  void wait_for_unix_gc(struct scm_fp_list *fpl);
>>  struct sock *unix_peer_get(struct sock *sk);
>> diff --git a/net/unix/garbage.c b/net/unix/garbage.c
>> index af676bb8fb67..ce5b5f87b16e 100644
>> --- a/net/unix/garbage.c
>> +++ b/net/unix/garbage.c
>> @@ -184,12 +184,10 @@ static bool gc_in_progress;
>>  
>>  static void __unix_gc(struct work_struct *work)
>>  {
>> -	struct sk_buff *next_skb, *skb;
>> -	struct unix_sock *u;
>> -	struct unix_sock *next;
>>  	struct sk_buff_head hitlist;
>> -	struct list_head cursor;
>> +	struct unix_sock *u, *next;
>>  	LIST_HEAD(not_cycle_list);
>> +	struct list_head cursor;
>>  
>>  	spin_lock(&unix_gc_lock);
>>  
>> @@ -269,30 +267,11 @@ static void __unix_gc(struct work_struct *work)
>>  
>>  	spin_unlock(&unix_gc_lock);
>>  
>> -	/* We need io_uring to clean its registered files, ignore all io_uring
>> -	 * originated skbs. It's fine as io_uring doesn't keep references to
>> -	 * other io_uring instances and so killing all other files in the cycle
>> -	 * will put all io_uring references forcing it to go through normal
>> -	 * release.path eventually putting registered files.
>> -	 */
>> -	skb_queue_walk_safe(&hitlist, skb, next_skb) {
>> -		if (skb->destructor == io_uring_destruct_scm) {
>> -			__skb_unlink(skb, &hitlist);
>> -			skb_queue_tail(&skb->sk->sk_receive_queue, skb);
>> -		}
>> -	}
>> -
>>  	/* Here we are. Hitlist is filled. Die. */
>>  	__skb_queue_purge(&hitlist);
>>  
>>  	spin_lock(&unix_gc_lock);
>>  
>> -	/* There could be io_uring registered files, just push them back to
>> -	 * the inflight list
>> -	 */
>> -	list_for_each_entry_safe(u, next, &gc_candidates, link)
>> -		list_move_tail(&u->link, &gc_inflight_list);
>> -
>>  	/* All candidates should have been detached by now. */
>>  	WARN_ON_ONCE(!list_empty(&gc_candidates));
>>  
>> diff --git a/net/unix/scm.c b/net/unix/scm.c
>> index 505e56cf02a2..db65b0ab5947 100644
>> --- a/net/unix/scm.c
>> +++ b/net/unix/scm.c
>> @@ -148,9 +148,3 @@ void unix_destruct_scm(struct sk_buff *skb)
>>  	sock_wfree(skb);
>>  }
>>  EXPORT_SYMBOL(unix_destruct_scm);
>> -
>> -void io_uring_destruct_scm(struct sk_buff *skb)
>> -{
>> -	unix_destruct_scm(skb);
>> -}
>> -EXPORT_SYMBOL(io_uring_destruct_scm);
> 
> Syzkaller found below issue.
> There is WARNING in __unix_gc in v6.8-rc3_internal-devel_hourly-20240205-094544,
> the kernel contains kernel-next patches.
> 
> Bisected and found first bad commit:
> "
> 11498715f266 af_unix: Remove io_uring code for GC.
> "
> It's the same patch as above.

It should be fixed by:

commit 1279f9d9dec2d7462823a18c29ad61359e0a007d
Author: Kuniyuki Iwashima <kuniyu@...zon.com>
Date:   Sat Feb 3 10:31:49 2024 -0800

    af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.

which is in Linus's tree.

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ