Message-ID: <20250329180541.34968-1-kuniyu@amazon.com>
Date: Sat, 29 Mar 2025 11:05:10 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>, "David S. Miller"
<davem@...emloft.net>, David Ahern <dsahern@...nel.org>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>
CC: Simon Horman <horms@...nel.org>, Kuniyuki Iwashima <kuniyu@...zon.com>,
Kuniyuki Iwashima <kuni1840@...il.com>, <netdev@...r.kernel.org>
Subject: [PATCH v4 net 0/3] udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX.

I got a report that UDP mem usage in /proc/net/sockstat did not
drop even after an application was terminated.

The issue could happen if sk->sk_rmem_alloc wraps around due
to a large sk->sk_rcvbuf, which was INT_MAX in our case.

Patch 2 fixes the issue, and patch 1 fixes yet another
overflow I found while investigating the issue.

v4:
  * Patch 4
    * Wait RCU for at most 30 sec

v3: https://lore.kernel.org/netdev/20250327202722.63756-1-kuniyu@amazon.com/
  * Rebase
  * Add Willem's tags

v2: https://lore.kernel.org/netdev/20250325195826.52385-1-kuniyu@amazon.com/
  * Patch 1
    * Define rmem and rcvbuf as unsigned int (Eric)
    * Take skb->truesize into account for sk with large rcvbuf (Willem)
  * Patch 3
    * Add a comment

v1: https://lore.kernel.org/netdev/20250323231016.74813-1-kuniyu@amazon.com/

Kuniyuki Iwashima (3):
  udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
  udp: Fix memory accounting leak.
  selftest: net: Check wraparounds for sk->sk_rmem_alloc.

 net/ipv4/udp.c                          |  40 ++---
 tools/testing/selftests/net/.gitignore  |   3 +-
 tools/testing/selftests/net/Makefile    |   2 +-
 tools/testing/selftests/net/so_rcvbuf.c | 188 ++++++++++++++++++++++++
 4 files changed, 214 insertions(+), 19 deletions(-)
 create mode 100644 tools/testing/selftests/net/so_rcvbuf.c
--
2.48.1
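
The wraparound described in the cover letter, and the v2 changelog item "Define rmem and rcvbuf as unsigned int", can be seen in a small user-space model. This is an added example, not code from the patch series or from the kernel; `rx_model`, `enqueue`, `run` and the sample sizes are assumptions made for illustration, and the real accounting in net/ipv4/udp.c is more involved.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code: rmem_alloc stands in for
 * sk->sk_rmem_alloc and rcvbuf for sk->sk_rcvbuf. */
struct rx_model {
    uint32_t rmem_alloc; /* raw 32-bit counter, wraps modulo 2^32 */
    int32_t rcvbuf;      /* receive buffer limit, up to INT_MAX */
};

/* Read the raw counter the way a signed int would see it. */
static int32_t as_signed(uint32_t v)
{
    return (int32_t)((int64_t)v - (v > INT32_MAX ? 4294967296LL : 0));
}

/* Queue one packet unless the limit check rejects it. The signed check sees
 * a sum past INT_MAX as negative and passes it; the unsigned check does not. */
static int enqueue(struct rx_model *sk, uint32_t truesize, int is_unsigned)
{
    uint32_t sum = sk->rmem_alloc + truesize;
    int over = is_unsigned ? sum > (uint32_t)sk->rcvbuf
                           : as_signed(sum) > sk->rcvbuf;
    if (over)
        return 0; /* drop */
    sk->rmem_alloc += truesize;
    return 1;
}

/* Offer n packets of the given truesize; return how many were queued. */
static unsigned run(struct rx_model *sk, unsigned n, uint32_t truesize, int is_unsigned)
{
    unsigned queued = 0;
    while (n--)
        queued += (unsigned)enqueue(sk, truesize, is_unsigned);
    return queued;
}

int main(void)
{
    /* Constructed state: limit INT_MAX, counter 1000 bytes below it. */
    struct rx_model a = { (uint32_t)INT_MAX - 1000u, INT_MAX }, b = a;
    unsigned qa = run(&a, 4, 768, 0);
    unsigned qb = run(&b, 4, 768, 1);
    printf("signed:   %u queued, rmem=%d\n", qa, (int)as_signed(a.rmem_alloc));
    printf("unsigned: %u queued, rmem=%d\n", qb, (int)as_signed(b.rmem_alloc));
    return 0;
}
```

With the limit at INT_MAX the signed comparison can never reject a packet, so the modelled counter runs past INT_MAX and reads as negative, while the unsigned comparison stops queueing at the limit.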