Date:	Mon, 3 Mar 2008 14:13:44 +0100
From:	Blaschka <frank.blaschka@...ibm.com>
To:	davem@...emloft.net, netdev@...r.kernel.org
Cc:	ben.thery@...il.com
Subject: [PATCH] race in generic address resolution

Hi Dave,

To fix this issue I tried your suggestion to copy the skb. I did not
see problems so far. This time we tested IPv6 also. Sorry we missed IPv6
the last time.

    <2>kernel BUG at /home/autobuild/BUILD/linux-2.6.23-20080125/net/core/skbuff.c:648!
    <4>illegal operation: 0001 [#1] PREEMPT SMP
     ....
    <4>Call Trace:
    <4>([<070000001fb96000>] 0x70000001fb96000)
    <4> [<0000000000348c08>] __pskb_pull_tail+0x2b4/0x38c
    <4> [<0000000000352e62>] dev_queue_xmit+0x1a6/0x310
    <4> [<0000000000357b98>] neigh_update+0x314/0x524
    <4> [<00000000003a11d6>] arp_process+0x2be/0x6f8
    <4> [<00000000003a1708>] arp_rcv+0xf8/0x184
    <4> [<000000000034f840>] netif_receive_skb+0x244/0x338
    <4> [<0000000000352296>] process_backlog+0xc2/0x1a8
    <4> [<0000000000352416>] net_rx_action+0x9a/0x154
    <4> [<0000000000136ba4>] __do_softirq+0x98/0x12c
    <4> [<00000000001106b0>] do_softirq+0xac/0xb0
    <4> [<0000000000136d94>] irq_exit+0x8c/0x90
    <4> [<00000000002e62dc>] do_IRQ+0x108/0x18c
    <4> [<0000000000113f10>] io_return+0x0/0x10
    <4> [<000000000010a6f0>] cpu_idle+0x21c/0x23c
    <4>([<000000000010a6a4>] cpu_idle+0x1d0/0x23c)
    <4> [<00000000001168e6>] start_secondary+0x9e/0xac
    <4> [<0000000000000000>] 0x0
    <4> [<0000000000000000>] 0x0
    <4>
    <4> <0>Kernel panic - not syncing: Fatal exception in interrupt
    <4>

From: Frank Blaschka <frank.blaschka@...ibm.com>

neigh_update sends skb from neigh->arp_queue while
neigh_timer_handler has increased skb's refcount and calls
solicit with the skb. neigh_timer_handler should not increase skb's
refcount but make a copy of the skb and do solicit with the copy.

Signed-off-by: Frank Blaschka <frank.blaschka@...ibm.com>
---
 net/core/neighbour.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: git_davem/net/core/neighbour.c
===================================================================
--- git_davem.orig/net/core/neighbour.c	2008-02-29 10:31:14.000000000 +0100
+++ git_davem/net/core/neighbour.c	2008-02-29 10:33:28.000000000 +0100
@@ -839,7 +839,7 @@
 		struct sk_buff *skb = skb_peek(&neigh->arp_queue);
 		/* keep skb alive even if arp_queue overflows */
 		if (skb)
-			skb_get(skb);
+			skb = skb_copy(skb, GFP_ATOMIC);
 		write_unlock(&neigh->lock);
 		neigh->ops->solicit(neigh, skb);
 		atomic_inc(&neigh->probes);
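
Review bot: the result of `skb_copy(skb, GFP_ATOMIC)` on the added line is never checked, and an atomic allocation can fail and return NULL. In that case `neigh->ops->solicit(neigh, skb)` runs with NULL even though a packet is queued. The unchanged `if (skb)` guard shows that NULL already reaches solicit when the queue is empty, so this is probably tolerated, but the commit message should state that a failed copy degrades to a solicit without the packet. The comment `/* keep skb alive even if arp_queue overflows */` no longer describes the code, since a private copy is taken rather than a reference held; it should be updated to say the copy exists so that neigh_update can transmit the queued skb concurrently. The release of the skb after `solicit` is outside the visible context, so please confirm the copy is freed there on every path.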
