From: Eric Dumazet via Linux-kernel-mentees <linux-kernel-mentees@lists.linuxfoundation.org>
To: Nguyen Dinh Phi <phind.uet@gmail.com>
Cc: "Song Liu" <songliubraving@fb.com>,
"Alexander Lobakin" <alobakin@pm.me>,
syzbot+989efe781c74de1ddb54@syzkaller.appspotmail.com,
"Alexei Starovoitov" <ast@kernel.org>,
"Wei Wang" <weiwan@google.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"John Fastabend" <john.fastabend@gmail.com>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Yonghong Song" <yhs@fb.com>,
linux-kernel-mentees@lists.linuxfoundation.org,
"Jesper Dangaard Brouer" <hawk@kernel.org>,
kpsingh@kernel.org, memxor@gmail.com,
"Jakub Kicinski" <kuba@kernel.org>,
netdev <netdev@vger.kernel.org>,
"Antoine Tenart" <atenart@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"David Miller" <davem@davemloft.net>,
"Björn Töpel" <bjorn@kernel.org>, bpf <bpf@vger.kernel.org>,
"Martin KaFai Lau" <kafai@fb.com>,
"Taehee Yoo" <ap420073@gmail.com>
Subject: Re: [PATCH] net: drop skbs in napi->rx_list when removing the napi context.
Date: Thu, 12 Aug 2021 09:07:25 +0200 [thread overview]
Message-ID: <CANn89iLQj4Xm-6Bcygtkd5QqDzmJBDALznL8mEJrF1Fh_W32iQ@mail.gmail.com> (raw)
In-Reply-To: <20210811235959.1099333-1-phind.uet@gmail.com>
On Thu, Aug 12, 2021 at 2:00 AM Nguyen Dinh Phi <phind.uet@gmail.com> wrote:
>
> The napi->rx_list is used to hold the GRO_NORMAL skbs before passing
> them to the stack, these skbs only passed to stack at the flush time or
> when the list's weight matches the predefined condition. In case the
> rx_list contains pending skbs when we remove the napi context, we need
> to clean out this list, otherwise, a memory leak will happen.
>
> Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
> Reported-by: syzbot+989efe781c74de1ddb54@syzkaller.appspotmail.com
Thank you for working on this.
Please add a Fixes: tag, otherwise you are asking maintainers and
stable teams to find the original bug,
while you are in a much better position, since you spent time on
fixing the issue.
Also I object to this fix.
If packets have been stored temporarily in GRO, they should be
released at some point,
normally at the end of a napi poll.
By released, I mean that these packets should reach the upper stack,
instead of being dropped without
any notification.
It seems a call to gro_normal_list() is missing somewhere.
Can you find where ?
Thanks !
> ---
> net/core/dev.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/net/core/dev.c b/net/core/dev.c
> index b51e41d0a7fe..319fffc62ce6 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -7038,6 +7038,13 @@ void __netif_napi_del(struct napi_struct *napi)
> list_del_rcu(&napi->dev_list);
> napi_free_frags(napi);
>
> + if (napi->rx_count) {
> + struct sk_buff *skb, *n;
> +
> + list_for_each_entry_safe(skb, n, &napi->rx_list, list)
> + kfree_skb(skb);
> + }
> +
> flush_gro_hash(napi);
> napi->gro_bitmask = 0;
>
> --
> 2.25.1
>
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next prev parent reply other threads:[~2021-08-12 7:07 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-11 23:59 [PATCH] net: drop skbs in napi->rx_list when removing the napi context Nguyen Dinh Phi
2021-08-12 4:50 ` Hillf Danton
2021-08-12 5:19 ` [syzbot] memory leak in packet_sendmsg syzbot
2021-08-12 7:07 ` Eric Dumazet via Linux-kernel-mentees [this message]
2021-08-12 19:17 ` [PATCH] net: drop skbs in napi->rx_list when removing the napi context Phi Nguyen
2021-08-13 10:16 ` Eric Dumazet
2021-08-13 10:51 ` Nguyen Dinh Phi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANn89iLQj4Xm-6Bcygtkd5QqDzmJBDALznL8mEJrF1Fh_W32iQ@mail.gmail.com \
--to=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=alobakin@pm.me \
--cc=andrii@kernel.org \
--cc=ap420073@gmail.com \
--cc=ast@kernel.org \
--cc=atenart@kernel.org \
--cc=bjorn@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hawk@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=memxor@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=phind.uet@gmail.com \
--cc=songliubraving@fb.com \
--cc=syzbot+989efe781c74de1ddb54@syzkaller.appspotmail.com \
--cc=weiwan@google.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).