From: Cong Wang <xiyou.wangcong@gmail.com>
To: Ding Tianhong <dingtianhong@huawei.com>
Cc: "liujian (CE)" <liujian56@huawei.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Dave Jones <davej@codemonkey.org.uk>,
"alexander.levin@verizon.com" <alexander.levin@verizon.com>,
"davem@davemloft.net" <davem@davemloft.net>,
"edumazet@google.com" <edumazet@google.com>,
"willemb@google.com" <willemb@google.com>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: af_packet: use after free in prb_retire_rx_blk_timer_expired
Date: Sat, 22 Jul 2017 22:59:08 -0700
Message-ID: <CAM_iQpXdyNeeojLfh0ZPMy1LQwOoQZfV7Az2=Q5WALM00Za9SA@mail.gmail.com>
In-Reply-To: <aa4874ba-3eaf-bf19-ea60-c7b76a972833@huawei.com>
On Sat, Jul 22, 2017 at 8:40 PM, Ding Tianhong <dingtianhong@huawei.com> wrote:
> Hi, Cong:
>
> Thanks for your quick solution, but I still have some doubts about it.
> It looks like it fixes the problem in the packet_setsockopt->packet_set_ring processing,
> but in the packet_release processing it may not release the
> real pg_vec for the TPACKET_V3 ring, and then cause a memory leak.
> Maybe I missed something here; nice to hear your feedback. :)
Yes, you missed that packet_release() has memset()s, so we won't hit
that path. :)
However, I missed the swap() in this messy function; actually, I
believe the bug is that we modify tpacket_kbdq_core inside rx_ring
in the non-closing case without actually stopping its timer. I feel
more confident with the following patch:
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 008bb34ee324..267b181fef15 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4263,6 +4263,7 @@ static int packet_set_ring(struct sock *sk,
union tpacket_req_u *req_u,
case TPACKET_V3:
/* Block transmit is not supported yet */
if (!tx_ring) {
+ prb_shutdown_retire_blk_timer(po, rb_queue);
init_prb_bdqc(po, rb, pg_vec, req_u);
} else {
struct tpacket_req3 *req3 = &req_u->req3;
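Review bot: the added prb_shutdown_retire_blk_timer(po, rb_queue) in the TPACKET_V3 !tx_ring branch runs unconditionally, so it is also reached on the first packet_set_ring() call for a socket, before any retire timer has been armed by init_prb_bdqc(); please confirm the shutdown helper is safe on a never-armed timer, or guard the call on an already-existing rx ring. The ordering itself (shutdown before init_prb_bdqc() rewrites the queue core) matches the concern stated in the message.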
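The hazard described in the message, as an added userspace model that is not kernel code and not part of this thread: a block-retire timer embedded in the ring's queue core stays armed while the core is wiped and re-armed. The names mirror the kernel ones only loosely; the timer wheel, the fault counter and the two-call sequence are constructed for illustration, and the "safe" variant applies the stop-the-timer-first ordering the patch proposes.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not kernel code): a retire timer embedded in the ring's
 * queue core, tracked by raw pointer in a simulated timer wheel, as the
 * kernel's timer base tracks struct timer_list objects by list linkage. */

#define WHEEL_SLOTS 4

struct kbdq_core;

struct timer_list {
    int armed;
    struct kbdq_core *ctx;            /* what the callback would dereference */
};

struct kbdq_core {                    /* stand-in for tpacket_kbdq_core */
    struct timer_list retire_blk_timer;
    unsigned long last_kactive_blk_num;
};

static struct timer_list *wheel[WHEEL_SLOTS];
static int wheel_faults;              /* "armed an already-armed object" events */

static int wheel_find(const struct timer_list *t)
{
    for (int i = 0; i < WHEEL_SLOTS; i++)
        if (wheel[i] == t)
            return i;
    return -1;
}

/* Arming an object the wheel still references is the corruption the kernel's
 * debug-objects code reports; here it is counted instead of crashing. */
static void add_timer(struct timer_list *t)
{
    if (wheel_find(t) >= 0) {
        wheel_faults++;
        return;
    }
    for (int i = 0; i < WHEEL_SLOTS; i++) {
        if (!wheel[i]) {
            wheel[i] = t;
            t->armed = 1;
            return;
        }
    }
}

/* Remove the timer from the wheel before its memory is touched again. */
static void del_timer_sync(struct timer_list *t)
{
    int i = wheel_find(t);
    if (i >= 0)
        wheel[i] = NULL;
    t->armed = 0;
}

/* init_prb_bdqc() analogue: wipes the core, then arms a fresh retire timer.
 * If the old timer is still on the wheel, the memset hides that fact from
 * the object itself while the wheel keeps pointing at it. */
static void init_prb_bdqc(struct kbdq_core *pkc)
{
    memset(pkc, 0, sizeof(*pkc));
    pkc->retire_blk_timer.ctx = pkc;
    add_timer(&pkc->retire_blk_timer);
}

/* prb_shutdown_retire_blk_timer() analogue. */
static void prb_shutdown_retire_blk_timer(struct kbdq_core *pkc)
{
    del_timer_sync(&pkc->retire_blk_timer);
}

/* Models packet_set_ring() re-entering the TPACKET_V3 rx branch on a socket
 * whose ring already exists. Returns the number of timer-wheel faults:
 * 1 when the core is reinitialised under a live timer, 0 with the shutdown
 * call placed first. */
int reinit_ring(int shutdown_first)
{
    struct kbdq_core core;

    memset(wheel, 0, sizeof(wheel));
    wheel_faults = 0;

    init_prb_bdqc(&core);             /* first PACKET_RX_RING setsockopt */
    if (shutdown_first)
        prb_shutdown_retire_blk_timer(&core);
    init_prb_bdqc(&core);             /* second setsockopt on the same socket */
    return wheel_faults;
}

int main(void)
{
    /* 1 fault without the shutdown, 0 with it. */
    return reinit_ring(0) == 1 && reinit_ring(1) == 0 ? 0 : 1;
}
```

The model deliberately counts the double-arm instead of dereferencing freed memory; the point it makes is the ordering invariant, that any object a timer base still references must be cancelled with a synchronous delete before its storage is reused or rewritten.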