Message ID | 20210702001123.728035-2-john.fastabend@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | BPF |
Series | potential sockmap memleak and proc stats fix |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Clearly marked for bpf |
netdev/subject_prefix | success | Link |
netdev/cc_maintainers | fail | 1 blamed authors not CCed: jakub@cloudflare.com; 9 maintainers not CCed: yhs@fb.com kpsingh@kernel.org andrii@kernel.org kafai@fb.com lmb@cloudflare.com songliubraving@fb.com davem@davemloft.net jakub@cloudflare.com kuba@kernel.org |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 1 this patch: 1 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 11 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 1 this patch: 1 |
netdev/header_inline | success | Link |
On Thu, Jul 1, 2021 at 5:12 PM John Fastabend <john.fastabend@gmail.com> wrote: > > If skb_linearize is needed and fails we could leak a msg on the error > handling. To fix ensure we kfree the msg block before returning error. > Found during code review. > > Fixes: 4363023d2668e ("bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list") > Signed-off-by: John Fastabend <john.fastabend@gmail.com> > --- > net/core/skmsg.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/core/skmsg.c b/net/core/skmsg.c > index 9b6160a191f8..22603289c2b2 100644 > --- a/net/core/skmsg.c > +++ b/net/core/skmsg.c > @@ -505,8 +505,10 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, > * drop the skb. We need to linearize the skb so that the mapping > * in skb_to_sgvec can not error. > */ > - if (skb_linearize(skb)) > + if (skb_linearize(skb)) { > + kfree(msg); > return -EAGAIN; > + } > num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len); > if (unlikely(num_sge < 0)) { > kfree(msg); I think it is better to let whoever allocates msg free it, IOW, let sk_psock_skb_ingress_enqueue()'s callers handle its failure. Thanks.
Cong Wang wrote: > On Thu, Jul 1, 2021 at 5:12 PM John Fastabend <john.fastabend@gmail.com> wrote: > > > > If skb_linearize is needed and fails we could leak a msg on the error > > handling. To fix ensure we kfree the msg block before returning error. > > Found during code review. > > > > Fixes: 4363023d2668e ("bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list") > > Signed-off-by: John Fastabend <john.fastabend@gmail.com> > > --- > > net/core/skmsg.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/net/core/skmsg.c b/net/core/skmsg.c > > index 9b6160a191f8..22603289c2b2 100644 > > --- a/net/core/skmsg.c > > +++ b/net/core/skmsg.c > > @@ -505,8 +505,10 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, > > * drop the skb. We need to linearize the skb so that the mapping > > * in skb_to_sgvec can not error. > > */ > > - if (skb_linearize(skb)) > > + if (skb_linearize(skb)) { > > + kfree(msg); > > return -EAGAIN; > > + } > > num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len); > > if (unlikely(num_sge < 0)) { > > kfree(msg); > > I think it is better to let whoever allocates msg free it, IOW, > let sk_psock_skb_ingress_enqueue()'s callers handle its failure. Sure, although we already have the one kfree(msg) below. Anyways I'll just move these back a bit. Agree it is slightly nicer. Thanks.
diff --git a/net/core/skmsg.c b/net/core/skmsg.c index 9b6160a191f8..22603289c2b2 100644 --- a/net/core/skmsg.c +++ b/net/core/skmsg.c @@ -505,8 +505,10 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, * drop the skb. We need to linearize the skb so that the mapping * in skb_to_sgvec can not error. */ - if (skb_linearize(skb)) + if (skb_linearize(skb)) { + kfree(msg); return -EAGAIN; + } num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len); if (unlikely(num_sge < 0)) { kfree(msg);
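Review bot: In the new skb_linearize() failure branch, kfree(msg) becomes the second open-coded free of msg in this function, next to the one in the num_sge < 0 branch just below, so ownership of msg on error is spread over two places. Since msg is allocated by the callers (as the reply in this thread points out), every caller has to know that a negative return means msg has already been freed, and -EAGAIN in particular reads as an invitation to retry. Either route both failures through a single exit label that frees msg, or leave the free to the callers on any error, and add a comment on sk_psock_skb_ingress_enqueue() stating which side frees msg on failure so that a later change does not introduce a double free or a use after free.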
If skb_linearize is needed and fails we could leak a msg on the error
handling. To fix ensure we kfree the msg block before returning error.
Found during code review.

Fixes: 4363023d2668e ("bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
 net/core/skmsg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)