All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paolo Abeni <pabeni@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Sam Edwards <CFSworks@gmail.com>,
	Marc Haber <mh+netdev@zugschlus.de>,
	Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Subject: Re: [PATCH net] udp6: fix socket leak on early demux
Date: Thu, 27 Jul 2017 11:31:33 +0200	[thread overview]
Message-ID: <1501147893.3930.1.camel@redhat.com> (raw)
In-Reply-To: <1501139161.12695.20.camel@edumazet-glaptop3.roam.corp.google.com>

On Thu, 2017-07-27 at 00:06 -0700, Eric Dumazet wrote:
> On Wed, 2017-07-26 at 17:29 +0200, Paolo Abeni wrote:
> > When an early demuxed packet reaches __udp6_lib_lookup_skb(), the
> > sk reference is retrieved and used, but the relevant reference
> > count is leaked and the socket destructor is never called.
> > Beyond leaking the sk memory, if there are pending UDP packets
> > in the receive queue, even the related accounted memory is leaked.
> > 
> > In the long run, this will cause persistent forward allocation errors
> > and no UDP skbs (both ipv4 and ipv6) will be able to reach the
> > user-space.
> > 
> > Fix this by explicitly accessing the early demux reference before
> > the lookup, and properly decreasing the socket reference count
> > after usage.
> > 
> > Also drop the skb_steal_sock() in __udp6_lib_lookup_skb(), and
> > the now obsoleted comment about "socket cache".
> > 
> > The newly added code is derived from the current ipv4 code for the
> > similar path.
> 
> 
> Nice catch Paolo.
> 
> I believe there is one point to discuss, see below.
> 
> > 
> > Reported-by: Sam Edwards <CFSworks@gmail.com>
> > Reported-by: Marc Haber <mh+netdev@zugschlus.de>
> > Fixes: 5425077d73e0 ("net: ipv6: Add early demux handler for UDP unicast")
> > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > ---
> >  include/net/udp.h |  1 +
> >  net/ipv4/udp.c    |  3 ++-
> >  net/ipv6/udp.c    | 28 +++++++++++++++++++---------
> >  3 files changed, 22 insertions(+), 10 deletions(-)
> > 
> > diff --git a/include/net/udp.h b/include/net/udp.h
> > index 56ce2d2a612d..cc8036987dcb 100644
> > --- a/include/net/udp.h
> > +++ b/include/net/udp.h
> > @@ -260,6 +260,7 @@ static inline struct sk_buff *skb_recv_udp(struct sock *sk, unsigned int flags,
> >  }
> >  
> >  void udp_v4_early_demux(struct sk_buff *skb);
> > +void udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst);
> >  int udp_get_port(struct sock *sk, unsigned short snum,
> >  		 int (*saddr_cmp)(const struct sock *,
> >  				  const struct sock *));
> > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> > index fac7cb9e3b0f..e6276fa3750b 100644
> > --- a/net/ipv4/udp.c
> > +++ b/net/ipv4/udp.c
> > @@ -1928,7 +1928,7 @@ static int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
> >  /* For TCP sockets, sk_rx_dst is protected by socket lock
> >   * For UDP, we use xchg() to guard against concurrent changes.
> >   */
> > -static void udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
> > +void udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
> >  {
> >  	struct dst_entry *old;
> >  
> > @@ -1937,6 +1937,7 @@ static void udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
> >  		dst_release(old);
> >  	}
> >  }
> > +EXPORT_SYMBOL(udp_sk_rx_dst_set);
> >  
> >  /*
> >   *	Multicasts and broadcasts go to each listener.
> > diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> > index 4a3e65626e8b..e74fe497d823 100644
> > --- a/net/ipv6/udp.c
> > +++ b/net/ipv6/udp.c
> > @@ -291,11 +291,7 @@ static struct sock *__udp6_lib_lookup_skb(struct sk_buff *skb,
> >  					  struct udp_table *udptable)
> >  {
> >  	const struct ipv6hdr *iph = ipv6_hdr(skb);
> > -	struct sock *sk;
> >  
> > -	sk = skb_steal_sock(skb);
> > -	if (unlikely(sk))
> > -		return sk;
> >  	return __udp6_lib_lookup(dev_net(skb->dev), &iph->saddr, sport,
> >  				 &iph->daddr, dport, inet6_iif(skb),
> >  				 udptable, skb);
> > @@ -804,6 +800,25 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
> >  	if (udp6_csum_init(skb, uh, proto))
> >  		goto csum_error;
> >  
> > +	/* Check if the socket is already available, e.g. due to early demux */
> > +	sk = skb_steal_sock(skb);
> > +	if (sk) {
> > +		struct dst_entry *dst = skb_dst(skb);
> > +		int ret;
> > +
> > +		if (unlikely(sk->sk_rx_dst != dst))
> > +			udp_sk_rx_dst_set(sk, dst);
> > +
> > +		ret = udpv6_queue_rcv_skb(sk, skb);
> > +		sock_put(sk);
> > +		/* a return value > 0 means to resubmit the input, but
> > +		 * it wants the return to be -protocol, or 0
> > +		 */
> > +		if (ret > 0)
> > +			return -ret;
> 
> IPv6 and IPv4 have different behavior for resubmit
> 
> I believe "return ret;"  would be more appropriate here.

Thank you for the feedback!

You are very right. I stared at the correct UDPv6 code for unicast
packets, a few lines below, for a lot of time before noticing the
difference :-(

I'll resubmit a v2 soon, thanks!

Paolo
 

  reply	other threads:[~2017-07-27  9:31 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-26 15:29 [PATCH net] udp6: fix socket leak on early demux Paolo Abeni
2017-07-27  7:06 ` Eric Dumazet
2017-07-27  9:31   ` Paolo Abeni [this message]
  -- strict thread matches above, loose matches on Subject: below --
2017-07-27 12:45 Paolo Abeni
2017-07-27 12:56 ` Paolo Abeni
2017-07-27 13:35 ` Eric Dumazet
2017-07-29 21:19 ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1501147893.3930.1.camel@redhat.com \
    --to=pabeni@redhat.com \
    --cc=CFSworks@gmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=eric.dumazet@gmail.com \
    --cc=mh+netdev@zugschlus.de \
    --cc=netdev@vger.kernel.org \
    --cc=subashab@codeaurora.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.