| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <1385051583.176751453111860930.JavaMail.weblogic@ep2mlwas01a>
Date: Mon, 18 Jan 2016 10:11:05 +0000 (GMT)
From: Vaneet Narang <v.narang@...sung.com>
To: Daniel Borkmann <daniel@...earbox.net>,
Maninder Singh <maninder1.s@...sung.com>
Cc: "davem@...emloft.net" <davem@...emloft.net>,
"willemb@...gle.com" <willemb@...gle.com>,
"edumazet@...gle.com" <edumazet@...gle.com>,
"eyal.birger@...il.com" <eyal.birger@...il.com>,
"tklauser@...tanz.ch" <tklauser@...tanz.ch>,
"fruggeri@...stanetworks.com" <fruggeri@...stanetworks.com>,
"dwmw2@...radead.org" <dwmw2@...radead.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
PANKAJ MISHRA <pankaj.m@...sung.com>,
Geon-ho Kim <gh007.kim@...sung.com>,
Hak-Bong Lee <hakbong5.lee@...sung.com>
Subject: Re: [PATCH] af_packet: Raw socket destruction warning fix
Hi,
>> __do_softirq
>> run_ksoftirqd
>>
>> Signed-off-by: Vaneet Narang <v.narang@...sung.com>
>> Signed-off-by: Maninder Singh <maninder1.s@...sung.com>
> Thanks for the fix. While it fixes the WARN_ON(), I believe some more
> investigation is needed here on why it is happening:
>
> We call first into packet_release(), which removes the socket hook from
> the kernel (unregister_prot_hook()), later calls synchronize_net() to
> make sure no more skbs will come in. The receive queue is purged right
> after the synchronize_net() already.
>
> packet_sock_destruct() will be called afterwards, when there are no more
> refs on the socket anymore and no af_packet skbs in tx waiting for completion.
> Only then, in sk_destruct(), we'll call into packet_sock_destruct().
>
> So, eventually double purging the sk_receive_queue seems not the right
> thing to do at first look, and w/o any deeper analysis in the commit description.
>
> Could you look a bit further into the issue? Do you have a reproducer to
> trigger it?
It is Suspend Resume scenario and in this case close(sock_id) is
not called and hence packet_release is also not called.
In case of suspend, driver power down its ethernet port and release all the
sk_buff stored in RX and TX ring. driver calls dev_kfree_skb_any to release all
the sk_buff in tx ring and if last tx buff of socket is called then
packet_sock_destruct() will be invoked and will result in warning if and recevive sk_buff is
still in receive queue.
Driver calls dev_kfree_skb_any->dev_kfree_skb_irq
and it adds buffer in completion queue to free and raises softirq NET_TX_SOFTIRQ
net_tx_action->__kfree_skb->skb_release_all->skb_release_head_state->sock_wfree->
__sk_free->packet_sock_destruct
Also purging of receive queue has been taken care in other protocols.
// IP protocol
void inet_sock_destruct(struct sock *sk)
{
struct inet_sock *inet = inet_sk(sk);
__skb_queue_purge(&sk->sk_receive_queue); // Purge Receive queue
__skb_queue_purge(&sk->sk_error_queue);
....
WARN_ON(atomic_read(&sk->sk_rmem_alloc));
WARN_ON(atomic_read(&sk->sk_wmem_alloc));
}
So i think it should be done in Raw sockets also.
>> ---
>> net/packet/af_packet.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
>> index 81b4b81..bcb37ba 100644
Thanks
Vaneet Narang
Powered by blists - more mailing lists