Commit 085e6cba authored by Kuniyuki Iwashima's avatar Kuniyuki Iwashima Committed by Jakub Kicinski
Browse files

af_unix: Use consume_skb() in connect() and sendmsg(). 

This is based on Donald Hunter's patch.

These functions could fail for various reasons, sometimes
triggering kfree_skb().

  * unix_stream_connect() : connect()
  * unix_stream_sendmsg() : sendmsg()
  * queue_oob()           : sendmsg(MSG_OOB)
  * unix_dgram_sendmsg()  : sendmsg()

Such kfree_skb() is tied to the errno of connect() and
sendmsg(), and we need not define skb drop reasons.

Let's use consume_skb() not to churn kfree_skb() events.

Link: https://lore.kernel.org/netdev/eb30b164-7f86-46bf-a5d3-0f8bda5e9398@redhat.com/


Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20250116053441.5758-10-kuniyu@amazon.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 3b2d40dc

net/unix/af_unix.c

+14 −14
Original line number Diff line number Diff line
@@ -1701,7 +1701,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, 
	unix_state_unlock(other);

	sock_put(other);

out_free_skb:

	kfree_skb(skb);

	consume_skb(skb);

out_free_sk:

	unix_release_sock(newsk, 0);

out:
@@ -2172,7 +2172,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, 
out_sock_put:

	sock_put(other);

out_free:

	kfree_skb(skb);

	consume_skb(skb);

out:

	scm_destroy(&scm);

	return err;
@@ -2189,7 +2189,7 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other 
{

	struct unix_sock *ousk = unix_sk(other);

	struct sk_buff *skb;

	int err = 0;

	int err;



	skb = sock_alloc_send_skb(sock->sk, 1, msg->msg_flags & MSG_DONTWAIT, &err);
@@ -2197,25 +2197,22 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other 
		return err;



	err = unix_scm_to_skb(scm, skb, !fds_sent);

	if (err < 0) {

		kfree_skb(skb);

		return err;

	}

	if (err < 0)

		goto out;



	skb_put(skb, 1);

	err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, 1);



	if (err) {

		kfree_skb(skb);

		return err;

	}

	if (err)

		goto out;



	unix_state_lock(other);



	if (sock_flag(other, SOCK_DEAD) ||

	    (other->sk_shutdown & RCV_SHUTDOWN)) {

		unix_state_unlock(other);

		kfree_skb(skb);

		return -EPIPE;

		err = -EPIPE;

		goto out;

	}



	maybe_add_creds(skb, sock, other);
@@ -2230,6 +2227,9 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other 
	unix_state_unlock(other);

	other->sk_data_ready(other);



	return 0;

out:

	consume_skb(skb);

	return err;

}

#endif
@@ -2359,7 +2359,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, 
		send_sig(SIGPIPE, current, 0);

	err = -EPIPE;

out_free:

	kfree_skb(skb);

	consume_skb(skb);

out_err:

	scm_destroy(&scm);

	return sent ? : err;