Menu
▾
▴
tipc-discussion
|
From: Hoang Le <hoa...@de...> - 2021-04-12 09:02:27
|
This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
Above fix is not correct and caused memory leak issue:
In the function tipc_skb_peek, skb's refcnt increasing. Then
we have to call kfree_skb twice to decrease skb's refcnt and
free a skb.
Signed-off-by: Hoang Le <hoa...@de...>
---
net/tipc/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 58935cd0d068..f21162aa0cf7 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1262,7 +1262,7 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq,
spin_lock_bh(&inputq->lock);
if (skb_peek(arrvq) == skb) {
skb_queue_splice_tail_init(&tmpq, inputq);
- __skb_dequeue(arrvq);
+ kfree_skb(__skb_dequeue(arrvq));
}
spin_unlock_bh(&inputq->lock);
__skb_queue_purge(&tmpq);
--
2.25.1
|
|
From: Hoang Le <hoa...@de...> - 2021-05-14 01:23:41
|
This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
Above fix is not correct and caused memory leak issue.
Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
Acked-by: Jon Maloy <jm...@re...>
Acked-by: Tung Nguyen <tun...@de...>
Signed-off-by: Hoang Le <hoa...@de...>
---
net/tipc/socket.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 58935cd0d068..53af72824c9c 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1262,7 +1262,10 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq,
spin_lock_bh(&inputq->lock);
if (skb_peek(arrvq) == skb) {
skb_queue_splice_tail_init(&tmpq, inputq);
- __skb_dequeue(arrvq);
+ /* Decrease the skb's refcnt as increasing in the
+ * function tipc_skb_peek
+ */
+ kfree_skb(__skb_dequeue(arrvq));
}
spin_unlock_bh(&inputq->lock);
__skb_queue_purge(&tmpq);
--
2.25.1
|
|
From: Hoang Le <hoa...@de...> - 2021-04-20 04:48:37
|
This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
Above fix is not correct and caused memory leak issue.
Acked-by: Tung Nguyen <tun...@de...>
Signed-off-by: Hoang Le <hoa...@de...>
---
net/tipc/socket.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 58935cd0d068..53af72824c9c 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1262,7 +1262,10 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq,
spin_lock_bh(&inputq->lock);
if (skb_peek(arrvq) == skb) {
skb_queue_splice_tail_init(&tmpq, inputq);
- __skb_dequeue(arrvq);
+ /* Decrease the skb's refcnt as increasing in the
+ * function tipc_skb_peek
+ */
+ kfree_skb(__skb_dequeue(arrvq));
}
spin_unlock_bh(&inputq->lock);
__skb_queue_purge(&tmpq);
--
2.25.1
|
|
From: Jon M. <jm...@re...> - 2021-05-14 23:18:31
|
On 5/14/21 6:10 PM, pat...@ke... wrote:
> Hello:
>
> This patch was applied to netdev/net.git (refs/heads/master):
>
> On Fri, 14 May 2021 08:23:03 +0700 you wrote:
>> This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
>> Above fix is not correct and caused memory leak issue.
I just convinced Xin (and myself) that the crash (double free) he was
observing, and which he wanted to fix with the "tipc: fix a race in
tipc_sk_mcast_rcv" patch was due to this bug.
Now, realizing that this is causing a memory leak and not a double free
I suspect there might still be an issue.
Does anybody have a theory?
///jon
>>
>> Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
>> Acked-by: Jon Maloy <jm...@re...>
>> Acked-by: Tung Nguyen <tun...@de...>
>> Signed-off-by: Hoang Le <hoa...@de...>
>>
>> [...]
> Here is the summary with links:
> - [net] Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
> https://git.kernel.org/netdev/net/c/75016891357a
>
> You are awesome, thank you!
> --
> Deet-doot-dot, I am a bot.
> https://korg.docs.kernel.org/patchwork/pwbot.html
>
>
|
|
From: Xin L. <luc...@gm...> - 2021-05-15 15:59:09
|
On Fri, May 14, 2021 at 7:18 PM Jon Maloy <jm...@re...> wrote:
>
>
>
> On 5/14/21 6:10 PM, pat...@ke... wrote:
> > Hello:
> >
> > This patch was applied to netdev/net.git (refs/heads/master):
> >
> > On Fri, 14 May 2021 08:23:03 +0700 you wrote:
> >> This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
> >> Above fix is not correct and caused memory leak issue.
>
> I just convinced Xin (and myself) that the crash (double free) he was
> observing, and which he wanted to fix with the "tipc: fix a race in
> tipc_sk_mcast_rcv" patch was due to this bug.
> Now, realizing that this is causing a memory leak and not a double free
> I suspect there might still be an issue.
> Does anybody have a theory?
Hi Jon, I think the double free issue was due to the one I fixed in the patch
I posted:
[PATCH net] tipc: skb_linearize the head skb when reassembling msgs
see the changelog.
>
> ///jon
>
> >>
> >> Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
> >> Acked-by: Jon Maloy <jm...@re...>
> >> Acked-by: Tung Nguyen <tun...@de...>
> >> Signed-off-by: Hoang Le <hoa...@de...>
> >>
> >> [...]
> > Here is the summary with links:
> > - [net] Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
> > https://git.kernel.org/netdev/net/c/75016891357a
> >
> > You are awesome, thank you!
> > --
> > Deet-doot-dot, I am a bot.
> > https://korg.docs.kernel.org/patchwork/pwbot.html
> >
> >
>
|
|
From: Jon M. <jm...@re...> - 2021-05-15 17:07:34
|
On 5/15/21 11:58 AM, Xin Long wrote:
> On Fri, May 14, 2021 at 7:18 PM Jon Maloy <jm...@re...> wrote:
>>
>>
>> On 5/14/21 6:10 PM, pat...@ke... wrote:
>>> Hello:
>>>
>>> This patch was applied to netdev/net.git (refs/heads/master):
>>>
>>> On Fri, 14 May 2021 08:23:03 +0700 you wrote:
>>>> This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
>>>> Above fix is not correct and caused memory leak issue.
>> I just convinced Xin (and myself) that the crash (double free) he was
>> observing, and which he wanted to fix with the "tipc: fix a race in
>> tipc_sk_mcast_rcv" patch was due to this bug.
>> Now, realizing that this is causing a memory leak and not a double free
>> I suspect there might still be an issue.
>> Does anybody have a theory?
> Hi Jon, I think the double free issue was due to the one I fixed in the patch
> I posted:
>
> [PATCH net] tipc: skb_linearize the head skb when reassembling msgs
>
> see the changelog.
That makes sense. So, just backport Hoang's patch and re-run the tests,
and we'll have that one confirmed.
///jon
>> ///jon
>>
>>>> Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
>>>> Acked-by: Jon Maloy <jm...@re...>
>>>> Acked-by: Tung Nguyen <tun...@de...>
>>>> Signed-off-by: Hoang Le <hoa...@de...>
>>>>
>>>> [...]
>>> Here is the summary with links:
>>> - [net] Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
>>> https://git.kernel.org/netdev/net/c/75016891357a
>>>
>>> You are awesome, thank you!
>>> --
>>> Deet-doot-dot, I am a bot.
>>> https://korg.docs.kernel.org/patchwork/pwbot.html
>>>
>>>
|
|
From: Tung Q. N. <tun...@de...> - 2021-04-12 10:59:44
|
Acked-by: Tung Nguyen <tun...@de...>
-----Original Message-----
From: Hoang Huu Le <hoa...@de...>
Sent: Monday, April 12, 2021 4:02 PM
To: ly...@ma...; da...@da...; tip...@li...; jm...@re...; ma...@do...; yin...@wi...; Tung Quang Nguyen <tun...@de...>
Subject: [net] Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
Above fix is not correct and caused memory leak issue:
In the function tipc_skb_peek, skb's refcnt increasing. Then
we have to call kfree_skb twice to decrease skb's refcnt and
free a skb.
Signed-off-by: Hoang Le <hoa...@de...>
---
net/tipc/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 58935cd0d068..f21162aa0cf7 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1262,7 +1262,7 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq,
spin_lock_bh(&inputq->lock);
if (skb_peek(arrvq) == skb) {
skb_queue_splice_tail_init(&tmpq, inputq);
- __skb_dequeue(arrvq);
+ kfree_skb(__skb_dequeue(arrvq));
}
spin_unlock_bh(&inputq->lock);
__skb_queue_purge(&tmpq);
--
2.25.1
|
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X