| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Oct 2008 15:36:34 +0100
From: Eric Dumazet <dada1@...mosbay.com>
To: Corey Minyard <minyard@....org>
CC: David Miller <davem@...emloft.net>, shemminger@...tta.com,
benny+usenet@...rsen.dk, netdev@...r.kernel.org,
paulmck@...ux.vnet.ibm.com,
Christoph Lameter <cl@...ux-foundation.org>,
a.p.zijlstra@...llo.nl, johnpol@....mipt.ru,
Christian Bell <christian@...i.com>
Subject: Re: [PATCH 2/2] udp: RCU handling for Unicast packets.
Corey Minyard a écrit :
> I believe there is a race in this patch:
>
> + sk_for_each_rcu(sk, node, &hslot->head) {
> + /*
> + * lockless reader, and SLAB_DESTROY_BY_RCU items:
> + * We must check this item was not moved to another chain
> + */
> + if (udp_hashfn(net, sk->sk_hash) != hash)
> + goto begin;
> score = compute_score(sk, net, hnum, saddr, sport, daddr, dport,
> dif);
> if (score > badness) {
> result = sk;
> badness = score;
> }
> }
>
> If the socket is moved from one list to another list in-between the time
> the hash is calculated and the next field is accessed, and the socket
> has moved to the end of the new list, the traversal will not complete
> properly on the list it should have, since the socket will be on the end
> of the new list and there's not a way to tell it's on a new list and
> restart the list traversal. I think that this can be solved by
> pre-fetching the "next" field (with proper barriers) before checking the
> hash.
>
You are absolutely right. As we *need* next pointer anyway for the prefetch(),
we can store it, so that its value is kept.
> I also might be nice to have a way to avoid recomputing the score the
> second time, perhaps using a sequence number of some type.
Well, computing score is really cheap, everything is in cache, granted
the chain was not really huge and high score item at the beginning.
Adding yet another field in sock structure should be avoided if possible.
Thanks
[PATCH] udp: introduce sk_for_each_rcu_safenext()
Corey Minyard found a race added in commit 271b72c7fa82c2c7a795bc16896149933110672d
(udp: RCU handling for Unicast packets.)
"If the socket is moved from one list to another list in-between the time
the hash is calculated and the next field is accessed, and the socket
has moved to the end of the new list, the traversal will not complete
properly on the list it should have, since the socket will be on the end
of the new list and there's not a way to tell it's on a new list and
restart the list traversal. I think that this can be solved by
pre-fetching the "next" field (with proper barriers) before checking the
hash."
This patch corrects this problem, introducing a new sk_for_each_rcu_safenext()
macro.
Signed-off-by: Eric Dumazet <dada1@...mosbay.com>
---
include/linux/rculist.h | 17 +++++++++++++++++
include/net/sock.h | 4 ++--
net/ipv4/udp.c | 4 ++--
net/ipv6/udp.c | 4 ++--
4 files changed, 23 insertions(+), 6 deletions(-)
View attachment "corey.patch" of type "text/plain" (3440 bytes)
Powered by blists - more mailing lists