On Thu, Aug 12, 2021 at 2:00 AM Nguyen Dinh Phi <phind.uet@xxxxxxxxx> wrote: > > The napi->rx_list is used to hold the GRO_NORMAL skbs before passing > them to the stack, these skbs only passed to stack at the flush time or > when the list's weight matches the predefined condition. In case the > rx_list contains pending skbs when we remove the napi context, we need > to clean out this list, otherwise, a memory leak will happen. > > Signed-off-by: Nguyen Dinh Phi <phind.uet@xxxxxxxxx> > Reported-by: syzbot+989efe781c74de1ddb54@xxxxxxxxxxxxxxxxxxxxxxxxx Thank you for working on this. Please add a Fixes: tag, otherwise you are asking maintainers and stable teams to find the original bug, while you are in a much better position, since you spent time on fixing the issue. Also I object to this fix. If packets have been stored temporarily in GRO, they should be released at some point, normally at the end of a napi poll. By released, I mean that these packets should reach the upper stack, instead of being dropped without any notification. It seems a call to gro_normal_list() is missing somewhere. Can you find where ? Thanks ! > --- > net/core/dev.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/net/core/dev.c b/net/core/dev.c > index b51e41d0a7fe..319fffc62ce6 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -7038,6 +7038,13 @@ void __netif_napi_del(struct napi_struct *napi) > list_del_rcu(&napi->dev_list); > napi_free_frags(napi); > > + if (napi->rx_count) { > + struct sk_buff *skb, *n; > + > + list_for_each_entry_safe(skb, n, &napi->rx_list, list) > + kfree_skb(skb); > + } > + > flush_gro_hash(napi); > napi->gro_bitmask = 0; > > -- > 2.25.1 >
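Review bot: In the block added to __netif_napi_del(), each skb on napi->rx_list is passed to kfree_skb() without being unlinked, and neither the list head nor napi->rx_count is reset afterwards, so the napi context is left with rx_list pointing at freed skbs and a non-zero rx_count. If the list is kept at all, unlink each entry before freeing it (for example with skb_list_del_init(skb)), then reinitialise the head with INIT_LIST_HEAD(&napi->rx_list) and set napi->rx_count = 0. The `if (napi->rx_count)` guard is also unnecessary, since list_for_each_entry_safe() over an empty list does nothing. Separately, the hunk frees the pending packets silently rather than handing them to the stack, and the commit message does not say why packets can still be on rx_list at delete time; that explanation and a Fixes: tag belong in the changelog.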