Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp1252587rwb; Tue, 27 Sep 2022 10:19:14 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4i2R76OzGkATuJFL4rPVBd1srKnO4erPkKzjqYS65VFgvI7ANLWEF/4iKRb+kIKkbbPFnS X-Received: by 2002:a05:6402:156:b0:440:b458:93df with SMTP id s22-20020a056402015600b00440b45893dfmr29618302edu.337.1664299153817; Tue, 27 Sep 2022 10:19:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664299153; cv=none; d=google.com; s=arc-20160816; b=Tq0cqO8Zc28rzftAniJYpgLZddyTe5lDurENeyApWmQbK61zMVecbII+hrdY6AHExx snI7iQU8FhcjdFSjHbWcVnzLe+5IQr8/fBILGhyGh3avRuIQh6vfvzrSwrpswV2z1J2h Z+RZoWeQtpMQ4YQFwWtmPHskJY1IkMJurvcLDNqIPnrnpIUTgTnXRNPnmid8unCTyCnY Q0dle1qM09f/09wjYUIHjNoGzXffPtC3vV9l7lqjskP+93WXZ5w4gnulytZKPiOiCSsh kQRO0Y+UOyLmKvpVRwgl0QnbhjwAmRvRDBBOUN9eSfGIzCNU/c+K2lHvMP/FhQwH4MUP KFuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=vESNePe9n7uejPFfs1w+utJ1cwyq3VqYeQvjK+K3YTk=; b=PL7RClgsAVeWPLRqIQRIgcxFv52JQBjejYc+41wZ9+ZYWW2e8GsvppWC8olgy3rBKx kUYQe4z8UpIWrtwFe0jR5riWZZnj7Eaa8sntKpeymsnw8JKHaU3T8qPlJtdJm91N5yGh /VnAvpEe8blWMUFDOsGyyk8ypV9WeX/FrEpRgKD1eLVISraQk6qm6X24X8VL0qzDH27L 4Wao81I8qNxmAtZgu3/vdLt0HkIuwrgG9Dxro48nXhgVysrHj2ni+xxJT+fe9nrSeK29 y1UHS0noZYhje6+7pWQjkfUXoLFkzon6T1qULkz+96tFhpEaDJaCjsxcZhGK6ujzHSoZ jkRA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=aU3mY4mP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id gs11-20020a1709072d0b00b0078014756419si2335425ejc.66.2022.09.27.10.18.47; Tue, 27 Sep 2022 10:19:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=aU3mY4mP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231804AbiI0Qvk (ORCPT + 99 others); Tue, 27 Sep 2022 12:51:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53890 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233271AbiI0QuU (ORCPT ); Tue, 27 Sep 2022 12:50:20 -0400 Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3907D1F2CD for ; Tue, 27 Sep 2022 09:50:18 -0700 (PDT) Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-3321c2a8d4cso106154737b3.5 for ; Tue, 27 Sep 2022 09:50:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=vESNePe9n7uejPFfs1w+utJ1cwyq3VqYeQvjK+K3YTk=; b=aU3mY4mPAPL8Y2DkTOPUbIiQVySXBNqOsUTLmktA49l3UNs9/YlO2TV60ZgYj3vPXZ LUGZiSASvDb4yvODdmRKdB+QR/4fxv4qGnjLDH8pPMvHwX+7R+0OGDzUxQkYLgnRIMTA s6vBuGVmKpH2zduXU0kTUJmobtmghsBvRVEvcc3GVDwwY1ndmksJk0uGCYaGhIsS3OzW owBLL5/oNHuHgwYyJzghsb4sqQGRaJOSwkP3qQDaZUBLaMj3Tlcx5lUQDwb5itDbRZXp GqQi0FsJiZbiSsARlgbB0/xIorzd2ftsumw6B0mGhOfJ3OrYzLTvL9KRbSgjImhU2afu knNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=vESNePe9n7uejPFfs1w+utJ1cwyq3VqYeQvjK+K3YTk=; b=s/MXeSDUsdWNxySsuRZWVurgHa+c3hTgNkUMO+9diS8I7jldaKOfVR+CdOsEPHugxK MF0HREi24K61dsxJ104FoPbIyYF3nL2JpGMiislu23raAI0wlJwSFUjDAEVWThhDflOv XWogIrrkZGs/Y4bPJ5SIibH+E/LUyQa2RMCHviTvROa8mrdPStVHB0dSruXqr3M40UDb spQHO2NcFAdOXe4vCMAk9qUcMVHqAAcN4/7BxmlYtTrc1LmH/dAbDOV6jQ6rsnfokFfM Worw2ytnFXVRHgU3XGtd9J4+Ll6CdMJILcMrqn1tQboHrEf8zs71jI2KKWocqoBAUyFZ oKTQ== X-Gm-Message-State: ACrzQf0/kAIgjZF8mCLc63H6rm5sB5SRuVAvNVhq5Ig/8JmTYTu1HntG R20pUJ3V7DdEErHZk4p5te8UYZr5SfPB7BERc47bCg== X-Received: by 2002:a0d:d508:0:b0:352:43a6:7ddc with SMTP id x8-20020a0dd508000000b0035243a67ddcmr2574418ywd.55.1664297416738; Tue, 27 Sep 2022 09:50:16 -0700 (PDT) MIME-Version: 1.0 References: <20220927161209.32939-1-kuniyu@amazon.com> <20220927161209.32939-4-kuniyu@amazon.com> In-Reply-To: <20220927161209.32939-4-kuniyu@amazon.com> From: Eric Dumazet Date: Tue, 27 Sep 2022 09:50:04 -0700 Message-ID: Subject: Re: [PATCH v1 net 3/5] tcp/udp: Call inet6_destroy_sock() in IPv4 sk_prot->destroy(). To: Kuniyuki Iwashima Cc: "David S. Miller" , Jakub Kicinski , Paolo Abeni , David Ahern , Kuniyuki Iwashima , netdev , syzkaller-bugs , LKML , Vladislav Yasevich Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 27, 2022 at 9:13 AM Kuniyuki Iwashima wrote: > > Originally, inet6_sk(sk)->XXX were changed under lock_sock(), so we were > able to clean them up by calling inet6_destroy_sock() during the IPv6 -> > IPv4 conversion by IPV6_ADDRFORM. However, commit 03485f2adcde ("udpv6: > Add lockless sendmsg() support") added a lockless memory allocation path, > which could cause a memory leak: > > setsockopt(IPV6_ADDRFORM) sendmsg() > +-----------------------+ +-------+ > - do_ipv6_setsockopt(sk, ...) - udpv6_sendmsg(sk, ...) > - lock_sock(sk) ^._ called via udpv6_prot > - WRITE_ONCE(sk->sk_prot, &tcp_prot) before WRITE_ONCE() > - inet6_destroy_sock() > - release_sock(sk) - ip6_make_skb(sk, ...) > ^._ lockless fast path for > the non-corking case > > - __ip6_append_data(sk, ...) > - ipv6_local_rxpmtu(sk, ...) > - xchg(&np->rxpmtu, skb) > ^._ rxpmtu is never freed. > > - lock_sock(sk) > > For now, rxpmtu is only the case, but let's call inet6_destroy_sock() > in both TCP/UDP v4 destroy functions not to miss the future change. > > We can consolidate TCP/UDP v4/v6 destroy functions, but such changes > are too invasive to backport to stable. So, they can be posted as a > follow-up later for net-next. > > Fixes: 03485f2adcde ("udpv6: Add lockless sendmsg() support") > Signed-off-by: Kuniyuki Iwashima > --- > Cc: Vladislav Yasevich > --- > net/ipv4/tcp_ipv4.c | 5 +++++ > net/ipv4/udp.c | 6 ++++++ > net/ipv6/tcp_ipv6.c | 1 - > 3 files changed, 11 insertions(+), 1 deletion(-) > > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c > index 5b019ba2b9d2..035b6c52a243 100644 > --- a/net/ipv4/tcp_ipv4.c > +++ b/net/ipv4/tcp_ipv4.c > @@ -2263,6 +2263,11 @@ void tcp_v4_destroy_sock(struct sock *sk) > tcp_saved_syn_free(tp); > > sk_sockets_allocated_dec(sk); > + > +#if IS_ENABLED(CONFIG_IPV6) > + if (sk->sk_prot_creator == &tcpv6_prot) > + inet6_destroy_sock(sk); > +#endif > } This is ugly, and will not compile with CONFIG_IPV6=m, right ? > EXPORT_SYMBOL(tcp_v4_destroy_sock); > > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c > index 560d9eadeaa5..cdf131c0a819 100644 > --- a/net/ipv4/udp.c > +++ b/net/ipv4/udp.c > @@ -115,6 +115,7 @@ > #include > #if IS_ENABLED(CONFIG_IPV6) > #include > +#include > #endif > > struct udp_table udp_table __read_mostly; > @@ -2666,6 +2667,11 @@ void udp_destroy_sock(struct sock *sk) > if (up->encap_enabled) > static_branch_dec(&udp_encap_needed_key); > } > + > +#if IS_ENABLED(CONFIG_IPV6) > + if (sk->sk_prot_creator == &udpv6_prot) > + inet6_destroy_sock(sk); > +#endif > } > > /* > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c > index e54eee80ce5f..1ff6a92f7774 100644 > --- a/net/ipv6/tcp_ipv6.c > +++ b/net/ipv6/tcp_ipv6.c > @@ -1945,7 +1945,6 @@ static int tcp_v6_init_sock(struct sock *sk) > static void tcp_v6_destroy_sock(struct sock *sk) > { > tcp_v4_destroy_sock(sk); > - inet6_destroy_sock(sk); > } > > #ifdef CONFIG_PROC_FS > -- > 2.30.2 >