lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 6 Mar 2014 14:38:51 +0100
From:	Florian Westphal <fw@...len.de>
To:	Alexander Aring <alex.aring@...il.com>
Cc:	Florian Westphal <fw@...len.de>, alex.bluesman.smirnov@...il.com,
	dbaryshkov@...il.com, netdev@...r.kernel.org
Subject: Re: [PATCH net-next 2/2] 6lowpan: reassembly: fix kernel oops while
 unloading

Alexander Aring <alex.aring@...il.com> wrote:
> On Wed, Mar 05, 2014 at 11:32:46PM +0100, Florian Westphal wrote:
> > Alexander Aring <alex.aring@...il.com> wrote:
> > > It seems that the inet_frag_queue is deleted but the timer is running. This
> > > patch adds a for loop to iterate over all frag_queue entries in the
> > > frag_bucket and calling del_timer for each frag_queue entry while
> > > unloading the 6lowpan module.
> > > 
> > > Signed-off-by: Alexander Aring <alex.aring@...il.com>
> > > Reported-by: Phoebe Buckheister <phoebe.buckheister@...m.fraunhofer.de>
> > > ---
> > > I am not sure about that I can do that in this simply way without hold
> > > any lock of the inet_frag_queue or inet_frag_bucket. Please help there.
> > > The kernel oops never occurs afterwards, but this isn't simple to test.
> > > I can't test all cases.
> > 
> > I find it hard to believe that this is a 6lowpan specific problem,
> > most likely this needs a fix in inet_fragment code.
> > 
> I thought that too, maybe it's a problem in the inet_fragment code.
> 
> 
> There are two function which I call on exit:
> 
> inet_frags_fini(&lowpan_frags); - which deletes the secret_timer.
> inet_frags_exit_net(&net->ieee802154_lowpan.frags, &lowpan_frags);
>  - which runs a force inet_frag_evictor
> 
> maybe I forgot to call some other function to cleanup the fragmentation.

No, it looks correct.

> I don't saw any other exit function and I do a similar cleanup like ipv4/ipv6
> and they don't have a module_exit function which is called for the
> inet_fragment code. 

net/ipv6/netfilter/nf_defrag_ipv6_hooks.c has one (calls
nf_ct_frag6_cleanup).

I am currently testing this fix:

diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 322dceb..3b01959 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -208,7 +208,7 @@ int inet_frag_evictor(struct netns_frags *nf, struct
		inet_frags *f, bool force)
        }
 
        work = frag_mem_limit(nf) - nf->low_thresh;
-       while (work > 0) {
+       while (work > 0 || force) {


frag_mem_limit() may be inaccurate which causes evictor to terminate
earlier than it should.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ