lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <569CB419.6050102@iogearbox.net>
Date:	Mon, 18 Jan 2016 10:44:57 +0100
From:	Daniel Borkmann <daniel@...earbox.net>
To:	Maninder Singh <maninder1.s@...sung.com>
CC:	davem@...emloft.net, willemb@...gle.com, edumazet@...gle.com,
	eyal.birger@...il.com, tklauser@...tanz.ch,
	fruggeri@...stanetworks.com, dwmw2@...radead.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	pankaj.m@...sung.com, gh007.kim@...sung.com,
	hakbong5.lee@...sung.com, Vaneet Narang <v.narang@...sung.com>
Subject: Re: [PATCH] af_packet: Raw socket destruction warning fix

On 01/18/2016 07:37 AM, Maninder Singh wrote:
> Receieve queue is not purged when socket dectruction is called
> results in kernel warning because of non zero sk_rmem_alloc.
>
> WARNING: at net/packet/af_packet.c:1142 packet_sock_destruct
>
> Backtrace:
> WARN_ON(atomic_read(&sk->sk_rmem_alloc)
> packet_sock_destruct
> __sk_free
> sock_wfree
> skb_release_head_state
> skb_release_all
> __kfree_skb
> net_tx_action
> __do_softirq
> run_ksoftirqd
>
> Signed-off-by: Vaneet Narang <v.narang@...sung.com>
> Signed-off-by: Maninder Singh <maninder1.s@...sung.com>

Thanks for the fix. While it fixes the WARN_ON(), I believe some more
investigation is needed here on why it is happening:

We call first into packet_release(), which removes the socket hook from
the kernel (unregister_prot_hook()), later calls synchronize_net() to
make sure no more skbs will come in. The receive queue is purged right
after the synchronize_net() already.

packet_sock_destruct() will be called afterwards, when there are no more
refs on the socket anymore and no af_packet skbs in tx waiting for completion.
Only then, in sk_destruct(), we'll call into packet_sock_destruct().

So, eventually double purging the sk_receive_queue seems not the right
thing to do at first look, and w/o any deeper analysis in the commit description.

Could you look a bit further into the issue? Do you have a reproducer to
trigger it?

Thanks,
Daniel

> ---
>   net/packet/af_packet.c |    1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index 81b4b81..bcb37ba 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -1310,6 +1310,7 @@ static bool packet_rcv_has_room(struct packet_sock *po, struct sk_buff *skb)
>
>   static void packet_sock_destruct(struct sock *sk)
>   {
> +	skb_queue_purge(&sk->sk_receive_queue);
>   	skb_queue_purge(&sk->sk_error_queue);
>
>   	WARN_ON(atomic_read(&sk->sk_rmem_alloc));
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ