* [PATCH net v2] net: tun: Fix memory leaks of napi_get_frags
@ 2022-11-02 9:41 Wang Yufen
2022-11-02 18:03 ` Eric Dumazet
2022-11-04 11:00 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Wang Yufen @ 2022-11-02 9:41 UTC (permalink / raw)
To: netdev, bpf; +Cc: davem, edumazet, kuba, pabeni, peterpenkov96, Wang Yufen
kmemleak reports after running test_progs:
unreferenced object 0xffff8881b1672dc0 (size 232):
comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s)
hex dump (first 32 bytes):
e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g.....
00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
backtrace:
[<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150
[<0000000041c7fc09>] __napi_build_skb+0x15/0x50
[<00000000431c7079>] __napi_alloc_skb+0x26e/0x540
[<000000003ecfa30e>] napi_get_frags+0x59/0x140
[<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]
[<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]
[<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320
[<000000008f338ea2>] do_iter_write+0x135/0x630
[<000000008a3377a4>] vfs_writev+0x12e/0x440
[<00000000a6b5639a>] do_writev+0x104/0x280
[<00000000ccf065d8>] do_syscall_64+0x3b/0x90
[<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
The issue occurs in the following scenarios:
tun_get_user()
napi_gro_frags()
napi_frags_finish()
case GRO_NORMAL:
gro_normal_one()
list_add_tail(&skb->list, &napi->rx_list);
<-- While napi->rx_count < READ_ONCE(gro_normal_batch),
<-- gro_normal_list() is not called, napi->rx_list is not empty
<-- not ask to complete the gro work, will cause memory leaks in
<-- following tun_napi_del()
...
tun_napi_del()
netif_napi_del()
__netif_napi_del()
<-- &napi->rx_list is not empty, which caused memory leaks
To fix, add napi_complete() after napi_gro_frags().
Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
---
drivers/net/tun.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 27c6d23..07a0a61 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1976,6 +1976,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
local_bh_disable();
napi_gro_frags(&tfile->napi);
+ napi_complete(&tfile->napi);
local_bh_enable();
mutex_unlock(&tfile->napi_mutex);
} else if (tfile->napi_enabled) {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH net v2] net: tun: Fix memory leaks of napi_get_frags
2022-11-02 9:41 [PATCH net v2] net: tun: Fix memory leaks of napi_get_frags Wang Yufen
@ 2022-11-02 18:03 ` Eric Dumazet
2022-11-04 11:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Eric Dumazet @ 2022-11-02 18:03 UTC (permalink / raw)
To: Wang Yufen; +Cc: netdev, bpf, davem, kuba, pabeni, peterpenkov96
On Wed, Nov 2, 2022 at 2:20 AM Wang Yufen <wangyufen@huawei.com> wrote:
>
> kmemleak reports after running test_progs:
>
> unreferenced object 0xffff8881b1672dc0 (size 232):
> comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s)
> hex dump (first 32 bytes):
> e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g.....
> 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
> backtrace:
> [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150
> [<0000000041c7fc09>] __napi_build_skb+0x15/0x50
> [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540
> [<000000003ecfa30e>] napi_get_frags+0x59/0x140
> [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]
> [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]
> [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320
> [<000000008f338ea2>] do_iter_write+0x135/0x630
> [<000000008a3377a4>] vfs_writev+0x12e/0x440
> [<00000000a6b5639a>] do_writev+0x104/0x280
> [<00000000ccf065d8>] do_syscall_64+0x3b/0x90
> [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> The issue occurs in the following scenarios:
> tun_get_user()
> napi_gro_frags()
> napi_frags_finish()
> case GRO_NORMAL:
> gro_normal_one()
> list_add_tail(&skb->list, &napi->rx_list);
> <-- While napi->rx_count < READ_ONCE(gro_normal_batch),
> <-- gro_normal_list() is not called, napi->rx_list is not empty
> <-- not ask to complete the gro work, will cause memory leaks in
> <-- following tun_napi_del()
> ...
> tun_napi_del()
> netif_napi_del()
> __netif_napi_del()
> <-- &napi->rx_list is not empty, which caused memory leaks
>
> To fix, add napi_complete() after napi_gro_frags().
>
> Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
> ---
> drivers/net/tun.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 27c6d23..07a0a61 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -1976,6 +1976,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
>
> local_bh_disable();
> napi_gro_frags(&tfile->napi);
> + napi_complete(&tfile->napi);
> local_bh_enable();
> mutex_unlock(&tfile->napi_mutex);
> } else if (tfile->napi_enabled) {
> --
> 1.8.3.1
>
I think the intent of this code was to allow user space to send
multiple packets to GRO layer for test purposes.
(Check that GRO can aggregate multiple MSS, with respect of standard GRO rules)
This fix might break some tests, but they can be updated if needed
(using /sys/class/net/xxx/gro_flush_timeout)
Reviewed-by: Eric Dumazet <edumazet@google.com>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH net v2] net: tun: Fix memory leaks of napi_get_frags
2022-11-02 9:41 [PATCH net v2] net: tun: Fix memory leaks of napi_get_frags Wang Yufen
2022-11-02 18:03 ` Eric Dumazet
@ 2022-11-04 11:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-11-04 11:00 UTC (permalink / raw)
To: Wang Yufen; +Cc: netdev, bpf, davem, edumazet, kuba, pabeni, peterpenkov96
Hello:
This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:
On Wed, 2 Nov 2022 17:41:19 +0800 you wrote:
> kmemleak reports after running test_progs:
>
> unreferenced object 0xffff8881b1672dc0 (size 232):
> comm "test_progs", pid 394388, jiffies 4354712116 (age 841.975s)
> hex dump (first 32 bytes):
> e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g.....
> 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
> backtrace:
> [<00000000c8f01748>] napi_skb_cache_get+0xd4/0x150
> [<0000000041c7fc09>] __napi_build_skb+0x15/0x50
> [<00000000431c7079>] __napi_alloc_skb+0x26e/0x540
> [<000000003ecfa30e>] napi_get_frags+0x59/0x140
> [<0000000099b2199e>] tun_get_user+0x183d/0x3bb0 [tun]
> [<000000008a5adef0>] tun_chr_write_iter+0xc0/0x1b1 [tun]
> [<0000000049993ff4>] do_iter_readv_writev+0x19f/0x320
> [<000000008f338ea2>] do_iter_write+0x135/0x630
> [<000000008a3377a4>] vfs_writev+0x12e/0x440
> [<00000000a6b5639a>] do_writev+0x104/0x280
> [<00000000ccf065d8>] do_syscall_64+0x3b/0x90
> [<00000000d776e329>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> [...]
Here is the summary with links:
- [net,v2] net: tun: Fix memory leaks of napi_get_frags
https://git.kernel.org/netdev/net/c/1118b2049d77
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-04 11:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-02 9:41 [PATCH net v2] net: tun: Fix memory leaks of napi_get_frags Wang Yufen
2022-11-02 18:03 ` Eric Dumazet
2022-11-04 11:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).