lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <56A6BA2D.2090604@iogearbox.net> Date: Tue, 26 Jan 2016 01:13:33 +0100 From: Daniel Borkmann <daniel@...earbox.net> To: maninder1.s@...sung.com, Vaneet Narang <v.narang@...sung.com> CC: "davem@...emloft.net" <davem@...emloft.net>, "willemb@...gle.com" <willemb@...gle.com>, "edumazet@...gle.com" <edumazet@...gle.com>, "eyal.birger@...il.com" <eyal.birger@...il.com>, "tklauser@...tanz.ch" <tklauser@...tanz.ch>, "fruggeri@...stanetworks.com" <fruggeri@...stanetworks.com>, "dwmw2@...radead.org" <dwmw2@...radead.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, PANKAJ MISHRA <pankaj.m@...sung.com>, Geon-ho Kim <gh007.kim@...sung.com>, Hak-Bong Lee <hakbong5.lee@...sung.com> Subject: Re: [PATCH] af_packet: Raw socket destruction warning fix On 01/21/2016 12:40 PM, Maninder Singh wrote: >> The other sock_put() in packet_release() to drop the final ref and call into >> sk_free(), which drops the 1 ref on the sk_wmem_alloc from init time. Since you >> got into __sk_free() via sock_wfree() destructor, your socket must have invoked >> packet_release() prior to this (perhaps kernel destroying the process). >> >> What kernel do you use? > > Issue is coming for 3.10.58. [ sorry for late reply ] What driver are you using (is that in-tree)? Can you reproduce the same issue with a latest -net kernel, for example (or, a 'reasonably' recent one like 4.3 or 4.4)? There has been quite a bit of changes in err queue handling (which also accounts rmem) as well. How reliably can you trigger the issue? Does it trigger with a completely different in-tree network driver as well with your tests? Would be useful to track/debug sk_rmem_alloc increases/decreases to see from which path new rmem is being charged in the time between packet_release() and packet_sock_destruct() for that socket ... >>> Driver calls dev_kfree_skb_any->dev_kfree_skb_irq >>> and it adds buffer in completion queue to free and raises softirq NET_TX_SOFTIRQ >>> >>> net_tx_action->__kfree_skb->skb_release_all->skb_release_head_state->sock_wfree-> >>> __sk_free->packet_sock_destruct >>> >>> Also purging of receive queue has been taken care in other protocols.
Powered by blists - more mailing lists