All of lore.kernel.org
 help / color / mirror / Atom feed
From: Hawkins Jiawei <yin31149@gmail.com>
To: kuba@kernel.org
Cc: 18801353760@163.com, davem@davemloft.net, edumazet@google.com,
	jhs@mojatatu.com, jiri@resnulli.us, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, pabeni@redhat.com,
	syzbot+232ebdbd36706c965ebf@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com, xiyou.wangcong@gmail.com,
	yin31149@gmail.com
Subject: Re: [PATCH] net: sched: fix memory leak in tcindex_set_parms
Date: Sat,  5 Nov 2022 22:11:56 +0800	[thread overview]
Message-ID: <20221105141156.28093-1-yin31149@gmail.com> (raw)
In-Reply-To: <20221103192308.581a9124@kernel.org>

On Fri, 4 Nov 2022 at 10:23, Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri,  4 Nov 2022 00:07:00 +0800 Hawkins Jiawei wrote:
> > > Can't you localize all the changes to this if block?
> > >
> > > Maybe add a function called tcindex_filter_result_reinit()
> > > which will act more appropriately? 
> >
> > I think we shouldn't put the tcf_exts_destroy(&old_e)
> > into this if block, or other RCU readers may derefer the
> > freed memory (Please correct me If I am wrong).
> >
> > So I put the tcf_exts_destroy(&old_e) near the tcindex
> > destroy work, after the RCU updateing.
>
> I'm not sure what this code is trying to do, to be honest.
> Your concern that there may be a concurrent reader is valid,
> but then again tcindex_filter_result_init() just wipes the
> entire structure with a memset() so concurrent readers are
> already likely broken?
>
> Maybe tcindex_filter_result_init() dates back to times when
> exts were a list (see commit 22dc13c837c) and calling
> tcf_exts_init() wasn't that different than cleaning it up?
> In other words this code is trying to destroy old_r, not
> reinitialize it?
Yes, I also think this code is just trying to destroy the old_r.

In my opinion, the context here is a bit like, this filter's some
properties has been changed, so kernel should drop its old filter
result and update a new one.

Before kernel finishes RCU updating, concurrent readers should
see an empty result(or a valid old result), cleaned by
tcindex_filter_result_init().

This won't trigger the memory leak before commit b9a24bb76bf6
("net_sched: properly handle failure case of tcf_exts_init()"),
I think. Because the new filter result still uses the old_r->exts.

Yet after this commit, kernel allocates the new struct tcf_exts for
new filter result in tcindex_alloc_perfect_hash(), which triggers
the memory leak if kernel cleans the old_r without destroying its
newly allocted struct tcf_exts.

As for the patch, I think we'd better free this struct tcf_exts
after RCU updating, to make sure that concurrent readers can only
see an empty result or a valid old result, before finishing updating
(Please correct me if I am wrong).
>
> > > 
> > > >               err = tcindex_filter_result_init(old_r, cp, net);

  reply	other threads:[~2022-11-05 14:16 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-31  6:08 [PATCH] net: sched: fix memory leak in tcindex_set_parms Hawkins Jiawei
2022-11-03  3:26 ` Jakub Kicinski
2022-11-03 16:07   ` Hawkins Jiawei
2022-11-04  2:23     ` Jakub Kicinski
2022-11-05 14:11       ` Hawkins Jiawei [this message]
2022-11-05 19:50 ` Cong Wang
2022-11-06 14:55   ` Hawkins Jiawei
2022-11-06 17:49     ` Cong Wang
2022-11-07 16:00       ` Hawkins Jiawei

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221105141156.28093-1-yin31149@gmail.com \
    --to=yin31149@gmail.com \
    --cc=18801353760@163.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=jhs@mojatatu.com \
    --cc=jiri@resnulli.us \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=syzbot+232ebdbd36706c965ebf@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.