lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190228125259.xhih5osz6obtbwzn@zion.uk.xensource.com>
Date:   Thu, 28 Feb 2019 12:52:59 +0000
From:   Wei Liu <wei.liu2@...rix.com>
To:     Igor Druzhinin <igor.druzhinin@...rix.com>
CC:     <xen-devel@...ts.xenproject.org>, <netdev@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <wei.liu2@...rix.com>,
        <paul.durrant@...rix.com>, <davem@...emloft.net>
Subject: Re: [PATCH v2] xen-netback: fix occasional leak of grant ref
 mappings under memory pressure

On Thu, Feb 28, 2019 at 12:48:03PM +0000, Igor Druzhinin wrote:
> Zero-copy callback flag is not yet set on frag list skb at the moment
> xenvif_handle_frag_list() returns -ENOMEM. This eventually results in
> leaking grant ref mappings since xenvif_zerocopy_callback() is never
> called for these fragments. Those eventually build up and cause Xen
> to kill Dom0 as the slots get reused for new mappings:
> 
> "d0v0 Attempt to implicitly unmap a granted PTE c010000329fce005"
> 
> That behavior is observed under certain workloads where sudden spikes
> of page cache writes coexist with active atomic skb allocations from
> network traffic. Additionally, rework the logic to deal with frag_list
> deallocation in a single place.
> 
> Signed-off-by: Paul Durrant <paul.durrant@...rix.com>
> Signed-off-by: Igor Druzhinin <igor.druzhinin@...rix.com>

Acked-by: Wei Liu <wei.liu2@...rix.com>

> ---
>  drivers/net/xen-netback/netback.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
> index 80aae3a..f09948b 100644
> --- a/drivers/net/xen-netback/netback.c
> +++ b/drivers/net/xen-netback/netback.c
> @@ -1072,11 +1072,6 @@ static int xenvif_handle_frag_list(struct xenvif_queue *queue, struct sk_buff *s
>  		skb_frag_size_set(&frags[i], len);
>  	}
>  
> -	/* Copied all the bits from the frag list -- free it. */
> -	skb_frag_list_init(skb);
> -	xenvif_skb_zerocopy_prepare(queue, nskb);
> -	kfree_skb(nskb);
> -
>  	/* Release all the original (foreign) frags. */
>  	for (f = 0; f < skb_shinfo(skb)->nr_frags; f++)
>  		skb_frag_unref(skb, f);
> @@ -1145,6 +1140,8 @@ static int xenvif_tx_submit(struct xenvif_queue *queue)
>  		xenvif_fill_frags(queue, skb);
>  
>  		if (unlikely(skb_has_frag_list(skb))) {
> +			struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
> +			xenvif_skb_zerocopy_prepare(queue, nskb);
>  			if (xenvif_handle_frag_list(queue, skb)) {
>  				if (net_ratelimit())
>  					netdev_err(queue->vif->dev,
> @@ -1153,6 +1150,9 @@ static int xenvif_tx_submit(struct xenvif_queue *queue)
>  				kfree_skb(skb);
>  				continue;
>  			}
> +			/* Copied all the bits from the frag list -- free it. */
> +			skb_frag_list_init(skb);
> +			kfree_skb(nskb);
>  		}
>  
>  		skb->dev      = queue->vif->dev;
> -- 
> 2.7.4
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ