Re: [PATCH] af_packet: Raw socket destruction warning fix

[Daniel Borkmann]

On 01/21/2016 12:40 PM, Maninder Singh wrote:
> > The other sock_put() in packet_release() to drop the final ref and call into
> > sk_free(), which drops the 1 ref on the sk_wmem_alloc from init time. Since you
> > got into __sk_free() via sock_wfree() destructor, your socket must have invoked
> > packet_release() prior to this (perhaps kernel destroying the process).
> >
> > What kernel do you use?
>
> Issue is coming for 3.10.58.

[ sorry for late reply ]

What driver are you using (is that in-tree)? Can you reproduce the same issue
with a latest -net kernel, for example (or, a 'reasonably' recent one like 4.3 or
4.4)? There has been quite a bit of changes in err queue handling (which also
accounts rmem) as well. How reliably can you trigger the issue? Does it trigger
with a completely different in-tree network driver as well with your tests? Would
be useful to track/debug sk_rmem_alloc increases/decreases to see from which path
new rmem is being charged in the time between packet_release() and packet_sock_destruct()
for that socket ...

> > > Driver calls dev_kfree_skb_any->dev_kfree_skb_irq
> > > and it adds buffer in completion queue to free and raises softirq NET_TX_SOFTIRQ
> > >
> > > net_tx_action->__kfree_skb->skb_release_all->skb_release_head_state->sock_wfree->
> > > __sk_free->packet_sock_destruct
> > >
> > > Also purging of receive queue has been taken care in other protocols.