From patchwork Thu Nov 7 20:46:12 2024
X-Patchwork-Submitter: Michal Luczaj
X-Patchwork-Id: 13867096
From: Michal Luczaj
Date: Thu, 07 Nov 2024 21:46:12 +0100
Subject: [PATCH net v2 1/3] virtio/vsock: Fix accept_queue memory leak
X-Mailing-List: kvm@vger.kernel.org
Message-Id: <20241107-vsock-mem-leaks-v2-1-4e21bfcfc818@rbox.co>
References: <20241107-vsock-mem-leaks-v2-0-4e21bfcfc818@rbox.co>
In-Reply-To: <20241107-vsock-mem-leaks-v2-0-4e21bfcfc818@rbox.co>
To: Stefan Hajnoczi, Stefano Garzarella, "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Jia He, Arseniy Krasnov, Dmitry Torokhov, Andy King, George Zhang
Cc: kvm@vger.kernel.org, virtualization@lists.linux.dev, netdev@vger.kernel.org, Michal Luczaj

As the final stages of socket destruction may be delayed, it is possible
that virtio_transport_recv_listen() will be called after the accept_queue
has been flushed, but before the SOCK_DONE flag has been set. As a result,
sockets enqueued after the flush would remain unremoved, leading to a
memory leak.

vsock_release
  __vsock_release
    lock
    virtio_transport_release
      virtio_transport_close
        schedule_delayed_work(close_work)
    sk_shutdown = SHUTDOWN_MASK
(!) flush accept_queue
    release
                                        virtio_transport_recv_pkt
                                          vsock_find_bound_socket
                                          lock
                                          if flag(SOCK_DONE) return
                                          virtio_transport_recv_listen
                                            child = vsock_create_connected
                                      (!)   vsock_enqueue_accept(child)
                                          release
close_work
  lock
  virtio_transport_do_close
    set_flag(SOCK_DONE)
    virtio_transport_remove_sock
      vsock_remove_sock
        vsock_remove_bound
  release

Introduce a sk_shutdown check to disallow vsock_enqueue_accept() during
socket destruction.

unreferenced object 0xffff888109e3f800 (size 2040):
  comm "kworker/5:2", pid 371, jiffies 4294940105
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    28 00 0b 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
  backtrace (crc 9e5f4e84):
    [] kmem_cache_alloc_noprof+0x2c1/0x360
    [] sk_prot_alloc+0x30/0x120
    [] sk_alloc+0x2c/0x4b0
    [] __vsock_create.constprop.0+0x2a/0x310
    [] virtio_transport_recv_pkt+0x4dc/0x9a0
    [] vsock_loopback_work+0xfd/0x140
    [] process_one_work+0x20c/0x570
    [] worker_thread+0x1bf/0x3a0
    [] kthread+0xdd/0x110
    [] ret_from_fork+0x2d/0x50
    [] ret_from_fork_asm+0x1a/0x30

Fixes: 3fe356d58efa ("vsock/virtio: discard packets only when socket is really closed")
Reviewed-by: Stefano Garzarella
Signed-off-by: Michal Luczaj
---
 net/vmw_vsock/virtio_transport_common.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index ccbd2bc0d2109aea4f19e79a0438f85893e1d89c..cd075f608d4f6f48f894543e5e9c966d3e5f22df 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1512,6 +1512,14 @@ virtio_transport_recv_listen(struct sock *sk, struct sk_buff *skb, return -ENOMEM; } + /* __vsock_release() might have already flushed accept_queue. + * Subsequent enqueues would lead to a memory leak. + */ + if (sk->sk_shutdown == SHUTDOWN_MASK) { + virtio_transport_reset_no_sock(t, skb); + return -ESHUTDOWN; + } + child = vsock_create_connected(sk); if (!child) { virtio_transport_reset_no_sock(t, skb);

From patchwork Thu Nov 7 20:46:13 2024
X-Patchwork-Submitter: Michal Luczaj
X-Patchwork-Id: 13867094
From: Michal Luczaj
Date: Thu, 07 Nov 2024 21:46:13 +0100
Subject: [PATCH net v2 2/3] vsock: Fix sk_error_queue memory leak
Message-Id: <20241107-vsock-mem-leaks-v2-2-4e21bfcfc818@rbox.co>

Kernel queues MSG_ZEROCOPY completion notifications on the error queue,
where they remain until explicitly recv()ed. To prevent memory leaks,
clean up the queue when the socket is destroyed.

unreferenced object 0xffff8881028beb00 (size 224):
  comm "vsock_test", pid 1218, jiffies 4294694897
  hex dump (first 32 bytes):
    90 b0 21 17 81 88 ff ff 90 b0 21 17 81 88 ff ff  ..!.......!.....
    00 00 00 00 00 00 00 00 00 b0 21 17 81 88 ff ff  ..........!.....
  backtrace (crc 6c7031ca):
    [] kmem_cache_alloc_node_noprof+0x2f7/0x370
    [] __alloc_skb+0x132/0x180
    [] sock_omalloc+0x4b/0x80
    [] msg_zerocopy_realloc+0x9e/0x240
    [] virtio_transport_send_pkt_info+0x412/0x4c0
    [] virtio_transport_stream_enqueue+0x43/0x50
    [] vsock_connectible_sendmsg+0x373/0x450
    [] ____sys_sendmsg+0x365/0x3a0
    [] ___sys_sendmsg+0x84/0xd0
    [] __sys_sendmsg+0x47/0x80
    [] do_syscall_64+0x93/0x180
    [] entry_SYSCALL_64_after_hwframe+0x76/0x7e

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Signed-off-by: Michal Luczaj
Reviewed-by: Stefano Garzarella
Acked-by: Arseniy Krasnov
---
 net/vmw_vsock/af_vsock.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index 35681adedd9aaec3565495158f5342b8aa76c9bc..dfd29160fe11c4675f872c1ee123d65b2da0dae6 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c 
@@ -836,6 +836,9 @@ static void vsock_sk_destruct(struct sock *sk) { struct vsock_sock *vsk = vsock_sk(sk); + /* Flush MSG_ZEROCOPY leftovers. */ + __skb_queue_purge(&sk->sk_error_queue); + vsock_deassign_transport(vsk); /* When clearing these addresses, there's no need to set the family and

From patchwork Thu Nov 7 20:46:14 2024
X-Patchwork-Submitter: Michal Luczaj
X-Patchwork-Id: 13867093
From: Michal Luczaj
Date: Thu, 07 Nov 2024 21:46:14 +0100
Subject: [PATCH net v2 3/3] virtio/vsock: Improve MSG_ZEROCOPY error handling
Message-Id: <20241107-vsock-mem-leaks-v2-3-4e21bfcfc818@rbox.co>

Add a missing kfree_skb() to prevent memory leaks.

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Reviewed-by: Stefano Garzarella
Signed-off-by: Michal Luczaj
Acked-by: Arseniy Krasnov
---
 net/vmw_vsock/virtio_transport_common.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index cd075f608d4f6f48f894543e5e9c966d3e5f22df..e2e6a30b759bdc6371bb0d63ee2e77c0ba148fd2 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -400,6 +400,7 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk, if (virtio_transport_init_zcopy_skb(vsk, skb, info->msg, can_zcopy)) { + kfree_skb(skb); ret = -ENOMEM; break; }
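
Review bot: In patch 1/3, the new "if (sk->sk_shutdown == SHUTDOWN_MASK)" test in virtio_transport_recv_listen() closes the window only if it runs under the same socket lock that __vsock_release() holds while it sets sk_shutdown and flushes accept_queue, and the added comment does not record that. The diagram in the commit message shows both paths taking the lock, so one more sentence in the comment stating that the check relies on sk being locked by the caller would keep the assumption next to the code. The comment could also say why the test is an equality against SHUTDOWN_MASK rather than a test of individual shutdown bits, since that is what ties the check to the release path shown in the diagram.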
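
Review bot: In patch 2/3, the call added at the top of vsock_sk_destruct() is __skb_queue_purge(), the variant that does not take the queue lock, and the one-line comment "Flush MSG_ZEROCOPY leftovers." does not say why the unlocked form is sufficient here. Extending the comment to note that the socket is in its destructor and nothing else can touch sk_error_queue at that point would make the choice reviewable without reading the callers. The commit message could also mention that the leak in the kmemleak report was produced by vsock_test, so the reproducer is easy to find.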
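
Review bot: In patch 3/3, the commit message does not name the path that leaks; from the hunk at -400,6 it is the failure branch of virtio_transport_init_zcopy_skb() in virtio_transport_send_pkt_info(), which sets ret = -ENOMEM and breaks without releasing skb. Saying so in the message, in the style of patches 1/3 and 2/3, would help backporters match it against the Fixes: commit. It is also worth a sentence confirming that nothing virtio_transport_init_zcopy_skb() may have attached to skb before failing needs separate cleanup beyond the added kfree_skb(skb).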