* [PATCH] memory leak in netlink user->kernel processing
From: Denis V. Lunev @ 2007-10-01 14:29 UTC (permalink / raw)
To: davem; +Cc: netdev
netlink_kernel_create can be called with NULL as an input callback in several
places, e.g. in kobject_uevent_init. This means that if one sends a packet from
user to kernel for such a socket, the packet will be leaked in the socket
queue forever.
This patch adds a simple generic cleanup callback for these sockets.
Signed-off-by: Denis V. Lunev <den@openvz.org>
--- ./net/netlink/af_netlink.c.nlk4 2007-08-26 19:30:38.000000000 +0400
+++ ./net/netlink/af_netlink.c 2007-10-01 18:00:58.000000000 +0400
@@ -1301,6 +1301,13 @@ out:
return err ? : copied;
}
+static void netlink_rcv_drop(struct sock *sk, int len)
+{
+ struct sk_buff *skb;
+ while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL)
+ kfree_skb(skb);
+}
+
static void netlink_data_ready(struct sock *sk, int len)
{
struct netlink_sock *nlk = nlk_sk(sk);
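Review bot: the dequeue-and-free loop in netlink_rcv_drop open-codes skb_queue_purge(); the body can be just `skb_queue_purge(&sk->sk_receive_queue);` with the local `skb` dropped. The unused `len` argument is fine for a callback that has to match the sk_data_ready shape, but a one-line comment stating that the helper exists only so kernel sockets created without an input function never accumulate skbs would make the intent obvious to the next reader.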
@@ -1346,8 +1353,7 @@ netlink_kernel_create(struct net *net, i
sk = sock->sk;
sk->sk_data_ready = netlink_data_ready;
- if (input)
- nlk_sk(sk)->data_ready = input;
+ nlk_sk(sk)->data_ready = input != NULL ? input : netlink_rcv_drop;
if (netlink_insert(sk, net, 0))
goto out_sock_release;
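Review bot: installing netlink_rcv_drop unconditionally changes what userspace observes. netlink_getsockbypid currently returns -ECONNREFUSED when `nlk->pid == 0 && !nlk->data_ready`, i.e. exactly the kernel-socket-without-input case this hunk targets; once data_ready is always non-NULL that test can no longer fire for kernel sockets, so a sendmsg() to such a socket succeeds and the message is silently discarded instead of being refused. Either keep the refusal (for example by still treating the drop helper as "no input" in that check) or spell out the behaviour change in the commit message.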
* Re: [PATCH] memory leak in netlink user->kernel processing
From: Patrick McHardy @ 2007-10-01 14:36 UTC (permalink / raw)
To: Denis V. Lunev; +Cc: davem, netdev
Denis V. Lunev wrote:
> netlink_kernel_create can be called with NULL as an input callback in several
> places, f.e. in kobject_uevent_init. This means that if one sends packet from
> user to kernel for such a socket, the packet will be leaked in the socket
> queue forever.
>
> This patch adds a simple generic cleanup callback for these sockets.
This should already be handled by netlink_getsockbypid:
/* Don't bother queuing skb if kernel socket has no input
function */
nlk = nlk_sk(sock);
if ((nlk->pid == 0 && !nlk->data_ready) ||
(sock->sk_state == NETLINK_CONNECTED &&
nlk->dst_pid != nlk_sk(ssk)->pid)) {
sock_put(sock);
return ERR_PTR(-ECONNREFUSED);
}
* Re: [PATCH] memory leak in netlink user->kernel processing
From: Denis V. Lunev @ 2007-10-01 14:58 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Denis V. Lunev, davem, netdev, Eric W. Biederman
Patrick McHardy wrote:
> Denis V. Lunev wrote:
>> netlink_kernel_create can be called with NULL as an input callback in several
>> places, f.e. in kobject_uevent_init. This means that if one sends packet from
>> user to kernel for such a socket, the packet will be leaked in the socket
>> queue forever.
>>
>> This patch adds a simple generic cleanup callback for these sockets.
>
>
> This should already be handled by netlink_getsockbypid:
>
> /* Don't bother queuing skb if kernel socket has no input
> function */
> nlk = nlk_sk(sock);
> if ((nlk->pid == 0 && !nlk->data_ready) ||
> (sock->sk_state == NETLINK_CONNECTED &&
> nlk->dst_pid != nlk_sk(ssk)->pid)) {
> sock_put(sock);
> return ERR_PTR(-ECONNREFUSED);
> }
Looks so...
By the way, Patrick, this looks like nlk->pid == 0 if and only if this
is a kernel socket. Right?
I have talked with Alexey Kuznetsov and we have discovered a way to get
rid of
skb_queue_tail(&sk->sk_receive_queue, skb);
sk->sk_data_ready(sk, len);
in netlink_sendskb/etc for kernel sockets and make user->kernel packets
processing truly synchronous.
The idea is simple, we should queue/wakeup in kernel->user direction and
simply call nlk->data_ready for user->kernel direction. This will remove
all the crap we have now. But we need a mark to determine the direction.
Which one will be better? (nlk->data_ready) or (nlk->pid == 0)
Regards,
Den
* Re: [PATCH] memory leak in netlink user->kernel processing
From: Patrick McHardy @ 2007-10-01 15:03 UTC (permalink / raw)
To: Denis V. Lunev; +Cc: Denis V. Lunev, davem, netdev, Eric W. Biederman
Denis V. Lunev wrote:
> By the way, Patrick, this looks like nlk->pid == 0 if and only if this
> is a kernel socket. Right?
>
That's correct.
> I have talked with Alexey Kuznetsov and we have discovered a way to get
> rid of
> skb_queue_tail(&sk->sk_receive_queue, skb);
> sk->sk_data_ready(sk, len);
> in netlink_sendskb/etc for kernel sockets and make user->kernel packets
> processing truly synchronous.
>
> The idea is simple, we should queue/wakeup in kernel->user direction and
> simply call nlk->data_ready for user->kernel direction. This will remove
> all the crap we have now. But we need a mark to determine the direction.
> Which one will be better? (nlk->data_ready) or (nlk->pid == 0)
Both would work fine, but I think nlk->pid is better since it's
actually the "address".
* Re: [PATCH] memory leak in netlink user->kernel processing
From: Eric W. Biederman @ 2007-10-01 16:42 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Denis V. Lunev, Denis V. Lunev, davem, netdev
Patrick McHardy <kaber@trash.net> writes:
> Denis V. Lunev wrote:
>> By the way, Patrick, this looks like nlk->pid == 0 if and only if this
>> is a kernel socket. Right?
>>
>
> Thats correct.
>
>> I have talked with Alexey Kuznetsov and we have discovered a way to get
>> rid of
>> skb_queue_tail(&sk->sk_receive_queue, skb);
>> sk->sk_data_ready(sk, len);
>> in netlink_sendskb/etc for kernel sockets and make user->kernel packets
>> processing truly synchronous.
>>
>> The idea is simple, we should queue/wakeup in kernel->user direction and
>> simply call nlk->data_ready for user->kernel direction. This will remove
>> all the crap we have now. But we need a mark to determine the direction.
>> Which one will be better? (nlk->data_ready) or (nlk->pid == 0)
>
>
> Both would work fine, but I think nlk->pid is better since its
> actually the "address".
Maybe. nlk->pid is also 0, before the socket is bound so it does
not serve as a reliable indicator that you have a kernel socket.
My gut feel says the best test is:
(nlk->flags & NETLINK_KERNEL_SOCKET)
There is no confusion in that and it is dead obvious what we
are testing for. Although we do still need to properly handle
the case when netlink_kernel_create is called with a NULL
input method. As long as we get the proper -ECONNREFUSED the
code path doesn't look like it matters.
Eric
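The three positions in the thread (Patrick's -ECONNREFUSED path for a kernel socket with no input function, Denis's proposal to call the input callback synchronously for user->kernel traffic and only queue in the kernel->user direction, and Eric's objection that nlk->pid == 0 also describes a not-yet-bound user socket) can be checked against each other in a small userspace model. The following is an added example written for this page, not code from af_netlink.c or any of the posters; the struct layout, the NETLINK_KERNEL_SOCKET value, the count_input callback and run_case() are constructed for the illustration and only mimic the kernel's naming.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the dispatch decision debated in the thread.
 * Names mirror the kernel's for readability; this is not kernel code. */
#define NETLINK_KERNEL_SOCKET 0x1   /* assumed flag value, illustration only */

struct msg {
    char payload[32];
    struct msg *next;
};

struct nl_sock {
    unsigned pid;      /* 0 for kernel sockets, but also for unbound user sockets */
    unsigned flags;    /* NETLINK_KERNEL_SOCKET would be set by netlink_kernel_create() */
    void (*data_ready)(struct nl_sock *sk, struct msg *m); /* kernel input callback or NULL */
    struct msg *head, *tail;   /* stand-in for sk_receive_queue */
    int queued;        /* messages waiting for a user recvmsg() */
    int handled;       /* messages consumed synchronously by data_ready */
};

/* The two candidate "is this a kernel socket?" tests from the thread. */
static int is_kernel_by_pid(const struct nl_sock *sk)  { return sk->pid == 0; }
static int is_kernel_by_flag(const struct nl_sock *sk) { return (sk->flags & NETLINK_KERNEL_SOCKET) != 0; }

/* Sample input callback: consumes the message in the sender's context. */
static void count_input(struct nl_sock *sk, struct msg *m)
{
    sk->handled++;
    free(m);
}

static struct msg *alloc_msg(const char *payload)
{
    struct msg *m = calloc(1, sizeof(*m));
    if (m)
        strncpy(m->payload, payload, sizeof(m->payload) - 1);
    return m;
}

/* Deliver one message to dst; classify() decides the direction. */
static int nl_deliver(struct nl_sock *dst, const char *payload,
                      int (*classify)(const struct nl_sock *))
{
    struct msg *m;

    if (classify(dst)) {
        /* user->kernel: never queue; refuse if nobody would consume it */
        if (!dst->data_ready)
            return -ECONNREFUSED;
        m = alloc_msg(payload);
        if (!m)
            return -ENOMEM;
        dst->data_ready(dst, m);   /* synchronous, no leak possible */
        return 0;
    }
    /* kernel->user: queue and let recvmsg() drain it later */
    m = alloc_msg(payload);
    if (!m)
        return -ENOMEM;
    if (dst->tail)
        dst->tail->next = m;
    else
        dst->head = m;
    dst->tail = m;
    dst->queued++;
    return 0;
}

/* Free whatever is still queued; the analogue of skb_queue_purge(). */
static int nl_queue_purge(struct nl_sock *sk)
{
    int n = 0;
    while (sk->head) {
        struct msg *m = sk->head;
        sk->head = m->next;
        free(m);
        n++;
    }
    sk->tail = NULL;
    sk->queued = 0;
    return n;
}

struct outcome { int rc; int queued; int handled; };

/* One scenario: build a socket, send one message, report what happened. */
struct outcome run_case(unsigned pid, unsigned flags, int has_input, int classify_by_flag)
{
    struct nl_sock sk = { .pid = pid, .flags = flags,
                          .data_ready = has_input ? count_input : NULL };
    struct outcome o;

    o.rc = nl_deliver(&sk, "hello", classify_by_flag ? is_kernel_by_flag : is_kernel_by_pid);
    o.queued = sk.queued;
    o.handled = sk.handled;
    nl_queue_purge(&sk);
    return o;
}

int main(void)
{
    struct outcome o;

    o = run_case(0, NETLINK_KERNEL_SOCKET, 1, 1);
    printf("kernel socket with input:      rc=%d handled=%d\n", o.rc, o.handled);
    o = run_case(0, NETLINK_KERNEL_SOCKET, 0, 1);
    printf("kernel socket, no input:       rc=%d (%s)\n", o.rc, strerror(-o.rc));
    o = run_case(0, 0, 0, 0);
    printf("unbound user socket, pid test: rc=%d queued=%d\n", o.rc, o.queued);
    o = run_case(0, 0, 0, 1);
    printf("unbound user socket, flag test: rc=%d queued=%d\n", o.rc, o.queued);
    return 0;
}
```

The third case is Eric's point: with the pid test, a user socket that has not been bound yet looks like a kernel socket without an input function and is refused, while the flag test queues it as the kernel->user direction requires. The second case is Patrick's: a kernel socket with no data_ready is refused up front, so nothing ever sits in its receive queue and no drain callback is needed.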