lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <56A6BA2D.2090604@iogearbox.net>
Date:	Tue, 26 Jan 2016 01:13:33 +0100
From:	Daniel Borkmann <daniel@...earbox.net>
To:	maninder1.s@...sung.com, Vaneet Narang <v.narang@...sung.com>
CC:	"davem@...emloft.net" <davem@...emloft.net>,
	"willemb@...gle.com" <willemb@...gle.com>,
	"edumazet@...gle.com" <edumazet@...gle.com>,
	"eyal.birger@...il.com" <eyal.birger@...il.com>,
	"tklauser@...tanz.ch" <tklauser@...tanz.ch>,
	"fruggeri@...stanetworks.com" <fruggeri@...stanetworks.com>,
	"dwmw2@...radead.org" <dwmw2@...radead.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	PANKAJ MISHRA <pankaj.m@...sung.com>,
	Geon-ho Kim <gh007.kim@...sung.com>,
	Hak-Bong Lee <hakbong5.lee@...sung.com>
Subject: Re: [PATCH] af_packet: Raw socket destruction warning fix

On 01/21/2016 12:40 PM, Maninder Singh wrote:
>> The other sock_put() in packet_release() to drop the final ref and call into
>> sk_free(), which drops the 1 ref on the sk_wmem_alloc from init time. Since you
>> got into __sk_free() via sock_wfree() destructor, your socket must have invoked
>> packet_release() prior to this (perhaps kernel destroying the process).
>>
>> What kernel do you use?
>
> Issue is coming for 3.10.58.

[ sorry for late reply ]

What driver are you using (is that in-tree)? Can you reproduce the same issue
with a latest -net kernel, for example (or, a 'reasonably' recent one like 4.3 or
4.4)? There has been quite a bit of changes in err queue handling (which also
accounts rmem) as well. How reliably can you trigger the issue? Does it trigger
with a completely different in-tree network driver as well with your tests? Would
be useful to track/debug sk_rmem_alloc increases/decreases to see from which path
new rmem is being charged in the time between packet_release() and packet_sock_destruct()
for that socket ...

>>> Driver calls dev_kfree_skb_any->dev_kfree_skb_irq
>>> and it adds buffer in completion queue to free and raises softirq NET_TX_SOFTIRQ
>>>
>>> net_tx_action->__kfree_skb->skb_release_all->skb_release_head_state->sock_wfree->
>>> __sk_free->packet_sock_destruct
>>>
>>> Also purging of receive queue has been taken care in other protocols.

Powered by blists - more mailing lists