Received: by 2002:a05:6358:e9c4:b0:b2:91dc:71ab with SMTP id hc4csp1455805rwb; Fri, 5 Aug 2022 02:09:53 -0700 (PDT) X-Google-Smtp-Source: AA6agR4RplB08JNEt46az4Gq3TwpiQ2qynkeWVQgQI6U5V5hOQu1W/YzpgTO8BItHVxB0GvhGLIj X-Received: by 2002:a17:903:25d2:b0:16d:d026:daed with SMTP id jc18-20020a17090325d200b0016dd026daedmr5927994plb.101.1659690593641; Fri, 05 Aug 2022 02:09:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659690593; cv=none; d=google.com; s=arc-20160816; b=LwFR0FkoeAq3z6DFg6mq3ZMiaDQGYbewV5lEVtda4+A6ENAyuCe6+lOyYy5dHTL06s MbDBE2jysBzZGI2fC/y9tIj5XcW1uLJuyRzB5BXWaD3yTx3Dl9ds5fvUWyPe0gfKcDhe 9R5IH12Sf8r3tNkYMd2x7Sq7VsI2UQeXnEm6fuVw1uabZRN/NGpd8HAFjDKZKoaALwUc TMvixi0DvLrZCFM+3kE4HwNly5VV66xFXSeMoPa7LiccJBHeNuYhfWhwjsYkB9b8dcYt VffyR61bVVJYoqL9KT7W5Dp6dHL1LQLKsZlDVFMgPKCVQsMFlEc47jSevgD2SfOsBuHa MNfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=6xGjM1QDeDzDFJ6jsOcK4f9GFcQvuwPNPurDe79kEQo=; b=LbJkRMtPEMnnZB/5gWMJr7En/s2X5Oaoy9tKKE5C+xUGGg3+TQNtMEHQOFU7wmWmWa 7rRjmlHAgdh26H8gJDB6Q+Vbqfs0qi1rbFIoAecIgQ/HLK9A5m+lnOOvfjfpIgSxdW6t eNy8P4SkrdoAW2o11QbS1CXKx95ER29kPBHT8+ysJoKLYeuA8rVt5XJ6R1bOLzoDj661 qsVeMUPPwDkQLfuQ3urfo4u3nDhlE7HhoKMqfZ/Og/9jTkkuHizWeGItMlj5wpgOw0x2 7iD9rf/erqeeHFkjTBOfFHdzvt3CI52layuiQYoiN8niq1tyZUI+fEIWTttInJALhUQU 4T7A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q19-20020a170902bd9300b0016d43e38858si3122584pls.605.2022.08.05.02.09.39; Fri, 05 Aug 2022 02:09:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240286AbiHEI4e (ORCPT + 99 others); Fri, 5 Aug 2022 04:56:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39078 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234856AbiHEI41 (ORCPT ); Fri, 5 Aug 2022 04:56:27 -0400 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ABA896AA3C; Fri, 5 Aug 2022 01:56:25 -0700 (PDT) Received: from [192.168.31.174] (unknown [95.31.173.239]) by mail.ispras.ru (Postfix) with ESMTPSA id BBDCD40737C5; Fri, 5 Aug 2022 08:56:19 +0000 (UTC) Message-ID: <18aa0617-0afe-2543-89cf-2f04c682ea88@ispras.ru> Date: Fri, 5 Aug 2022 11:56:18 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0 Subject: Re: [PATCH] can: j1939: fix memory leak of skbs Content-Language: en-US To: Oleksij Rempel Cc: Robin van der Gracht , Oleksij Rempel , kernel@pengutronix.de, Oliver Hartkopp , Marc Kleine-Budde , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , linux-can@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org, Alexey Khoroshilov References: <20220708175949.539064-1-pchelkin@ispras.ru> <20220729042244.GC30201@pengutronix.de> From: Fedor Pchelkin In-Reply-To: <20220729042244.GC30201@pengutronix.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NICE_REPLY_A, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Oleksij, On 29.07.2022 07:22, Oleksij Rempel wrote: > Initial issue can be reproduced by using real (slow) CAN with j1939cat[1] > tool. Both parts should be started to make sure the j1939_session_tx_dat() will > actually start using the queue. After pushing about 100K of data, application > will try to close the socket and exit. After socket is closed, all skb related > to this socket will be freed and j1939_session_tx_dat() will use freed skbs. Ok, the patch I suggested was a kind of a guess, now I understand that it breaks important logic. On 29.07.2022 07:22, Oleksij Rempel wrote: > This skb_get() is counter part of skb_unref() > j1939_session_skb_drop_old(). However, we have a case [1] where j1939_session_skb_queue() is called but the corresponding j1939_session_skb_drop_old() is not called and it causes a memory leak. I tried to investigate it a little bit: the thing is that j1939_session_skb_drop_old() can be called only when processing J1939_ETP_CMD_CTS. On the contrary, as I can see, j1939_session_skb_queue() can be called independently from J1939_ETP_CMD_CTS so the two functions obviously do not correspond to each other. In reproducer case there is a J1939_ETP_CMD_RTS processing, then we send some messages (where j1939_session_skb_queue() is called) and after that J1939_ETP_CMD_ABORT is processed and we lose those skbs. [1] https://forge.ispras.ru/issues/11743