| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 02 May 2012 13:55:55 -0700 From: Alexander Duyck <alexander.h.duyck@...el.com> To: Eric Dumazet <eric.dumazet@...il.com> CC: Alexander Duyck <alexander.duyck@...il.com>, David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org>, Neal Cardwell <ncardwell@...gle.com>, Tom Herbert <therbert@...gle.com>, Jeff Kirsher <jeffrey.t.kirsher@...el.com>, Michael Chan <mchan@...adcom.com>, Matt Carlson <mcarlson@...adcom.com>, Herbert Xu <herbert@...dor.apana.org.au>, Ben Hutchings <bhutchings@...arflare.com>, Ilpo Järvinen <ilpo.jarvinen@...sinki.fi>, Maciej Żenczykowski <maze@...gle.com> Subject: Re: [PATCH net-next] net: take care of cloned skbs in tcp_try_coalesce() On 05/02/2012 11:15 AM, Eric Dumazet wrote: > On Wed, 2012-05-02 at 11:05 -0700, Alexander Duyck wrote: > >> You're correct about the fragstolen case, I actually was thinking of the >> first patch you sent, not this second one. >> >> However we still have a problem. What we end up with now is a case of >> sharing in which the clone skb no longer knows that it is sharing the >> head with another skb. The dataref will drop to 1 when we call >> __kfree_skb. This means that any other function out there that tries to >> see if the skb is shared would return false. This could lead to issues >> if there is anything out there that manipulates the data in head based >> on the false assumption that it is not cloned. What we would probably >> need to do in this case is tweak the logic for skb_cloned. If you are >> using a head_frag you should probably add a check that returns true if >> cloned is true and page_count is greater than 1. We should be safe in >> the case of skb_header_cloned since we already dropped are dataref when >> we stole the page and freed the skb. > I really dont understand this concern. > > When skb is cloned, we copy in head_frag __skb_clone() > > So both skbs have the bit set, and dataref = 2. > > first skb is freed, dataref becomes 1 and nothing special happen > > >From this point, skb->head is not 'shared' anymore (taken your own > words). And we are free to do whatever we want. > > second skb is freed, dataref becomes 0 and we call the right destructor. The problem is that the stack will not be able to detect sharing. As long as page_count is greater than 2 and skb->cloned is set we should be telling any callers to skb_cloned that the head is cloned. Otherwise we can run into issues elsewhere with well meaning code checking and not detecting sharing, and then mangling the header. Also I am not sure if the big monolithic changes are really the best way to approach this. It would be nice if we could fix this incrementally instead of trying to do it all at once since there are multiple issues that need to be addressed. I will try to submit a few patches from my end later today. I still need to look over all of the changes from the past couple of weeks that were based on the assumption that the IP stack completely owned the skb. Thanks, Alex -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists