| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <f85798386e18578290bba923bc4f0f8c399f903cf5d6c5efd580698e940ad3ec@mail.kernel.org>
Date: Fri, 21 Nov 2025 05:27:18 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: jiayuan.chen@...ux.dev,bpf@...r.kernel.org
Cc: jiayuan.chen@...ux.dev,john.fastabend@...il.com,jakub@...udflare.com,davem@...emloft.net,edumazet@...gle.com,kuba@...nel.org,pabeni@...hat.com,horms@...nel.org,ncardwell@...gle.com,kuniyu@...gle.com,dsahern@...nel.org,andrii@...nel.org,eddyz87@...il.com,ast@...nel.org,daniel@...earbox.net,martin.lau@...ux.dev,song@...nel.org,yonghong.song@...ux.dev,kpsingh@...nel.org,sdf@...ichev.me,haoluo@...gle.com,jolsa@...nel.org,shuah@...nel.org,mhal@...x.co,sgarzare@...hat.com,cong.wang@...edance.com,netdev@...r.kernel.org,linux-kernel@...r.kernel.org,linux-kselftest@...r.kernel.org,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v2 2/3] bpf, sockmap: Fix FIONREAD for sockmap
> diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
> index 0323a2b6c..49069b519 100644
> --- a/include/linux/skmsg.h
> +++ b/include/linux/skmsg.h
[ ... ]
> diff --git a/net/core/skmsg.c b/net/core/skmsg.c
> index d73e03f77..4390deaeb 100644
> --- a/net/core/skmsg.c
> +++ b/net/core/skmsg.c
[ ... ]
> @@ -820,8 +821,11 @@ static void __sk_psock_purge_ingress_msg(struct sk_psock *psock)
> if (!msg->skb)
> atomic_sub(msg->sg.size, &psock->sk->sk_rmem_alloc);
> sk_msg_free(psock->sk, msg);
> + sk_psock_inc_msg_size(psock, -msg->sg.size);
> kfree(msg);
> }
> +
> + WARN_ON_ONCE(psock->ingress_size);
> }
Can msg->sg.size be read after sk_msg_free()? Looking at sk_msg_free():
int sk_msg_free(struct sock *sk, struct sk_msg *msg)
{
return __sk_msg_free(sk, msg, msg->sg.start, true);
}
And __sk_msg_free() at net/core/skmsg.c:207:
static int __sk_msg_free(struct sock *sk, struct sk_msg *msg, u32 i,
bool charge)
{
...
while (msg->sg.size) {
msg->sg.size -= sge->length;
...
}
consume_skb(msg->skb);
sk_msg_init(msg); // <-- this zeros the entire msg structure
return freed;
}
And sk_msg_init() at include/linux/skmsg.h:193:
static inline void sk_msg_init(struct sk_msg *msg)
{
BUILD_BUG_ON(ARRAY_SIZE(msg->sg.data) - 1 != NR_MSG_FRAG_IDS);
memset(msg, 0, sizeof(*msg)); // <-- zeros everything
sg_init_marker(msg->sg.data, NR_MSG_FRAG_IDS);
}
After sk_msg_free() completes, msg->sg.size is zero, so the line
"sk_psock_inc_msg_size(psock, -msg->sg.size)" subtracts 0 instead of
the actual message size. This means ingress_size will never be
decremented during cleanup, and WARN_ON_ONCE(psock->ingress_size) will
trigger whenever the ingress_msg queue contained messages.
The fix would be to save msg->sg.size before calling sk_msg_free():
u32 msg_size = msg->sg.size;
if (!msg->skb)
atomic_sub(msg_size, &psock->sk->sk_rmem_alloc);
sk_msg_free(psock->sk, msg);
sk_psock_inc_msg_size(psock, -msg_size);
kfree(msg);
[ ... ]
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19558612316
Powered by blists - more mailing lists