Re: Returning negative values repeatedly from a SOCK_FILTER ebpf prog stalls kernel thread

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Zac Ecob <zacecob@xxxxxxxxxxxxxx>
Date: Sat, 22 Jun 2024 12:20:05 +0000
> Problem is title.
> 
> To trigger, I attached an EBPF prof that just returned -1, and send ~1000
> packets through it.

If you want to drop the packet, the prog must return 0.

You can see sk_filter_trim_cap() where the returned value from bpf prog
is cast to unsigned int.  Then, pskb_trim() does nothing because skb->len
is smaller than (unsigned int)-1, and 0 is set to err.

  unsigned int pkt_len;

  pkt_len = bpf_prog_run_save_cb(filter->prog, skb);
  err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM;

After calling sk_filter() from unix_dgram_sendmsg(), the skb is just queued
to the peer.


> 
> After doing some investigation, the `sk_wmem_alloc` member of `struct sk`
> seems to only be increasing, presumably missing some refcnt_dec somewhere.

So, no refcnt is leaked.
What is missing is recv() on the peer side.


> 
> At a certain point, in `sock_alloc_send_pskb`, we fail the check: 
> 
> `
> if (sk_wmem_alloc_get(sk) < READ_ONCE(sk->sk_sndbuf))
> ` 
> 
> Upon which we enter `sock_wait_for_wmem` and schedule a massive timeout
> (at least that's what happened in my tests).
> 
> Not sure where the missing refcnt subs are, must admit unfamiliarity with
> the network code.

The paired sub is sock_wfree() in unix_destruct_scm(), which is set
to skb->destructor() in unix_scm_to_skb() and called from kfree_skb().


> 
> Please let me know if I need to add anything. 
> 
> Thanks




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux