Date: Sun, 27 Feb 2022 11:21:12 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: Wang Yufen <wangyufen@...wei.com>
Cc: john.fastabend@...il.com, daniel@...earbox.net, jakub@...udflare.com,
    lmb@...udflare.com, davem@...emloft.net, bpf@...r.kernel.org,
    edumazet@...gle.com, yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
    kuba@...nel.org, ast@...nel.org, andrii@...nel.org, kafai@...com,
    songliubraving@...com, yhs@...com, kpsingh@...nel.org,
    netdev@...r.kernel.org
Subject: Re: [PATCH bpf-next 1/4] bpf, sockmap: Fix memleak in sk_psock_queue_msg

On Fri, Feb 25, 2022 at 09:49:26AM +0800, Wang Yufen wrote:
> If tcp_bpf_sendmsg is running during a tear down operation we may enqueue
> data on the ingress msg queue while tear down is trying to free it.
>
>  sk1 (redirect sk2)                         sk2
>  -------------------                      ---------------
> tcp_bpf_sendmsg()
>  tcp_bpf_send_verdict()
>   tcp_bpf_sendmsg_redir()
>    bpf_tcp_ingress()
>                                           sock_map_close()
>                                            lock_sock()
>     lock_sock() ... blocking
>                                            sk_psock_stop
>                                             sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);
>                                            release_sock(sk);
>     lock_sock()
>     sk_mem_charge()
>     get_page()
>     sk_psock_queue_msg()
>      sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED);
>       drop_sk_msg()
>     release_sock()
>
> While drop_sk_msg(), the msg has charged memory from sk by sk_mem_charge
> and has sg pages that need to be put. To fix we use sk_msg_free() and then
> kfree() msg.
>

What about the other code path? That is, sk_psock_skb_ingress_enqueue().
I don't see skmsg is charged there.

Thanks.
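
The interleaving in the quoted trace, replayed sequentially as a user-space model. This is an added example, not code from the patch or from the kernel. The structs and the function names msg_build, msg_release, queue_msg and run_teardown_race are hypothetical stand-ins, and it assumes the pre-fix drop path frees only the message struct, as the commit message implies.

```c
/* User-space model (constructed; not kernel code) of the accounting in the trace. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct page  { int refcount; };
struct sock  { long mem_charged; };            /* stands in for sk memory accounting */
struct msg   { struct page *pg; long size; };  /* stands in for struct sk_msg */
struct psock { struct sock *sk; bool tx_enabled; struct msg *ingress; };

/* Sender side of the trace: charge the socket and take a page reference. */
static struct msg *msg_build(struct sock *sk, struct page *pg, long size)
{
    struct msg *m = calloc(1, sizeof(*m));
    if (!m)
        return NULL;
    sk->mem_charged += size;    /* models sk_mem_charge() */
    pg->refcount++;             /* models get_page() */
    m->pg = pg;
    m->size = size;
    return m;
}

/* Models what sk_msg_free() must undo: the charge and the page reference. */
static void msg_release(struct sock *sk, struct msg *m)
{
    sk->mem_charged -= m->size;
    m->pg->refcount--;
}

/* Models sk_psock_queue_msg(); fixed=false is the leaking drop path. */
static void queue_msg(struct psock *ps, struct msg *m, bool fixed)
{
    if (ps->tx_enabled) { ps->ingress = m; return; }
    if (fixed)
        msg_release(ps->sk, m); /* uncharge and put pages before freeing */
    free(m);
}

/* Replays the trace; returns leaked charge plus leaked page references. */
long run_teardown_race(bool fixed)
{
    struct sock sk2 = { 0 };
    struct page pg = { .refcount = 1 };
    struct psock ps = { .sk = &sk2, .tx_enabled = true };

    ps.tx_enabled = false;                      /* teardown clears TX_ENABLED */
    struct msg *m = msg_build(&sk2, &pg, 4096); /* sender resumes after release_sock() */
    if (!m)
        return -1;
    queue_msg(&ps, m, fixed);
    return sk2.mem_charged + (pg.refcount - 1);
}

int main(void)
{
    printf("leaked before fix: %ld, after fix: %ld\n",
           run_teardown_race(false), run_teardown_race(true));
    return 0;
}
```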