| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Mar 2017 12:37:52 +0500 From: Valentine Sinitsyn <valentine.sinitsyn@...il.com> To: linux-kernel@...r.kernel.org Cc: Valentine Sinitsyn <valentine.sinitsyn@...il.com> Subject: [RFC] [PATCH] net: account for possible negative frag_mem_limit I'm also not sure if we'd better disable bottom halves before calculating the counter sum, as sum_frag_mem_limit() does. --- 8< --- On SMP systems, percpu_counter_sum() is permitted to return negative values. However, inet_frag_exit_net() function is following the assumption that its return value is either positive or zero. If a negative value is returned, the code loops forever, possibly keeping net_mutex locked. This could break many things, including unshare(CLONE_NEWNET) system call which would hang forever. Fix this by explicitly asking for a positive return value from the percpu counter. Signed-off-by: Valentine Sinitsyn <valentine.sinitsyn@...il.com> --- net/ipv4/inet_fragment.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index b5e9317..0a63c9e 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -234,7 +234,7 @@ void inet_frags_exit_net(struct netns_frags *nf, struct inet_frags *f) cond_resched(); if (read_seqretry(&f->rnd_seqlock, seq) || - percpu_counter_sum(&nf->mem)) + percpu_counter_sum_positive(&nf->mem)) goto evict_again; percpu_counter_destroy(&nf->mem); -- 2.7.4
Powered by blists - more mailing lists