lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Jun 2018 15:24:31 +0800 From: Yunsheng Lin <linyunsheng@...wei.com> To: "Kalluru, Sudarsana" <Sudarsana.Kalluru@...ium.com>, "davem@...emloft.net" <davem@...emloft.net> CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "Elior, Ariel" <Ariel.Elior@...ium.com>, "Kalderon, Michal" <Michal.Kalderon@...ium.com> Subject: Re: [PATCH net 1/3] qed: Fix possible memory leak in Rx error path handling. On 2018/6/19 14:42, Kalluru, Sudarsana wrote: > > > -----Original Message----- > From: Yunsheng Lin [mailto:linyunsheng@...wei.com] > Sent: 19 June 2018 11:32 > To: Kalluru, Sudarsana <Sudarsana.Kalluru@...ium.com>; davem@...emloft.net > Cc: netdev@...r.kernel.org; Elior, Ariel <Ariel.Elior@...ium.com>; Kalderon, Michal <Michal.Kalderon@...ium.com> > Subject: Re: [PATCH net 1/3] qed: Fix possible memory leak in Rx error path handling. > > External Email > > On 2018/6/19 12:58, Sudarsana Reddy Kalluru wrote: >> Memory for packet buffers need to be freed in the error paths as there >> is no consumer (e.g., upper layer) for such packets and that memory >> will never get freed. >> The issue was uncovered when port was attacked with flood of isatap >> packets, these are multicast packets hence were directed at all the PFs. >> For foce PF, this meant they were routed to the ll2 module which in >> turn drops such packets. >> >> Fixes: 0a7fb11c ("qed: Add Light L2 support") >> Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@...ium.com> >> Signed-off-by: Ariel Elior <ariel.elior@...ium.com> >> Signed-off-by: Michal Kalderon <Michal.Kalderon@...ium.com> >> --- >> drivers/net/ethernet/qlogic/qed/qed_ll2.c | 11 +++++++++-- >> 1 file changed, 9 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/net/ethernet/qlogic/qed/qed_ll2.c >> b/drivers/net/ethernet/qlogic/qed/qed_ll2.c >> index c97ebd6..012973d 100644 >> --- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c >> +++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c >> @@ -201,8 +201,9 @@ void qed_ll2b_complete_rx_packet(void *cxt, struct >> qed_ll2_comp_rx_data *data) >> >> skb = build_skb(buffer->data, 0); >> if (!skb) { >> - rc = -ENOMEM; >> - goto out_post; >> + DP_INFO(cdev, "Failed to build SKB\n"); >> + kfree(buffer->data); >> + goto out_post1; >> } >> >> data->u.placement_offset += NET_SKB_PAD; @@ -224,8 +225,14 @@ >> void qed_ll2b_complete_rx_packet(void *cxt, struct qed_ll2_comp_rx_data *data) >> cdev->ll2->cbs->rx_cb(cdev->ll2->cb_cookie, skb, >> data->opaque_data_0, >> data->opaque_data_1); >> + } else { >> + DP_VERBOSE(p_hwfn, (NETIF_MSG_RX_STATUS | NETIF_MSG_PKTDATA | >> + QED_MSG_LL2 | QED_MSG_STORAGE), >> + "Dropping the packet\n"); >> + kfree(buffer->data); > > What about the memory used by skb itself? > Does skb need to be freed by kfree_skb or something like that? > > [Sudarsana] Thanks for reviewing the changes. qed_ll2_alloc_buffer() allocates this memory. The allocated buffer (i.e., buffer->data) holds complete memory for 'skb + data' as required by build_skb() implementation. Hence freeing of (buffer->data) would suffice here. As I read through the code, the skb itself is allocated by kmem_cache_alloc, see below: build_skb -> __build_skb -> kmem_cache_alloc Hope I am not missing something here. > >> } >> >> +out_post1: >> /* Update Buffer information and update FW producer */ >> buffer->data = new_data; >> buffer->phys_addr = new_phys_addr; >> >
Powered by blists - more mailing lists