[v5,net,0/2] udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX.

Message ID	20250401184501.67377-1-kuniyu@amazon.com (mailing list archive)
Headers	show Received: from smtp-fw-80006.amazon.com (smtp-fw-80006.amazon.com [99.78.197.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 92AD91E51E7 for <netdev@vger.kernel.org>; Tue, 1 Apr 2025 18:45:15 +0000 (UTC) From: Kuniyuki Iwashima <kuniyu@amazon.com> To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>, "David S. Miller" <davem@davemloft.net>, David Ahern <dsahern@kernel.org>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com> CC: Simon Horman <horms@kernel.org>, Kuniyuki Iwashima <kuniyu@amazon.com>, Kuniyuki Iwashima <kuni1840@gmail.com>, <netdev@vger.kernel.org> Subject: [PATCH v5 net 0/2] udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX. Date: Tue, 1 Apr 2025 11:44:41 -0700 Message-ID: <20250401184501.67377-1-kuniyu@amazon.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX. \| expand [v5,net,0/2] udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX. [v5,net,1/2] udp: Fix multiple wraparounds of sk->sk_rmem_alloc. [v5,net,2/2] udp: Fix memory accounting leak.

Message ID

20250401184501.67377-1-kuniyu@amazon.com (mailing list archive)

Headers

From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>, "David S. Miller"
	<davem@davemloft.net>, David Ahern <dsahern@kernel.org>, Eric Dumazet
	<edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni
	<pabeni@redhat.com>
CC: Simon Horman <horms@kernel.org>, Kuniyuki Iwashima <kuniyu@amazon.com>,
	Kuniyuki Iwashima <kuni1840@gmail.com>, <netdev@vger.kernel.org>
Subject: [PATCH v5 net 0/2] udp: Fix two integer overflows when sk->sk_rcvbuf
 is close to INT_MAX.
Date: Tue, 1 Apr 2025 11:44:41 -0700
Message-ID: <20250401184501.67377-1-kuniyu@amazon.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX. | expand

Message

Kuniyuki Iwashima April 1, 2025, 6:44 p.m. UTC

I got a report that UDP mem usage in /proc/net/sockstat did not
drop even after an application was terminated.

The issue could happen if sk->sk_rmem_alloc wraps around due
to a large sk->sk_rcvbuf, which was INT_MAX in our case.

The patch 2 fixes the issue, and the patch 1 fixes yet another
overflow I found while investigating the issue.


v5:
  * Drop flaky test
  * Patch 1
    * Update size after skb_condense()

v4:
  * Patch 3
    * Wait RCU for at most 30 sec

v3: https://lore.kernel.org/netdev/20250327202722.63756-1-kuniyu@amazon.com/
  * Rebase
  * Add Willem's tags

v2: https://lore.kernel.org/netdev/20250325195826.52385-1-kuniyu@amazon.com/
  * Patch 1
    * Define rmem and rcvbuf as unsigned int (Eric)
    * Take skb->truesize into account for sk with large rcvbuf (Willem)

  * Patch 3
    * Add a comment

v1: https://lore.kernel.org/netdev/20250323231016.74813-1-kuniyu@amazon.com/


Kuniyuki Iwashima (2):
  udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
  udp: Fix memory accounting leak.

 net/ipv4/udp.c | 42 ++++++++++++++++++++++++------------------
 1 file changed, 24 insertions(+), 18 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org April 3, 2025, 12:30 a.m. UTC | #1

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 1 Apr 2025 11:44:41 -0700 you wrote:
> I got a report that UDP mem usage in /proc/net/sockstat did not
> drop even after an application was terminated.
> 
> The issue could happen if sk->sk_rmem_alloc wraps around due
> to a large sk->sk_rcvbuf, which was INT_MAX in our case.
> 
> The patch 2 fixes the issue, and the patch 1 fixes yet another
> overflow I found while investigating the issue.
> 
> [...]

Here is the summary with links:
  - [v5,net,1/2] udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
    https://git.kernel.org/netdev/net/c/5a465a0da13e
  - [v5,net,2/2] udp: Fix memory accounting leak.
    https://git.kernel.org/netdev/net/c/df207de9d9e7

You are awesome, thank you!