| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 03 Apr 2015 16:34:13 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Alexei Potashnik <alexei@...estorage.com>
Cc: Joern Engel <joern@...estorage.com>,
"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: neigh use-after-free
On Fri, 2015-04-03 at 13:52 -0700, Alexei Potashnik wrote:
> Would this be an appropriate solution:
>
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index b49e8ba..38265f2 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -168,7 +168,8 @@ static int neigh_forced_gc(struct neigh_table *tbl)
>
> static void neigh_add_timer(struct neighbour *n, unsigned long when)
> {
> - neigh_hold(n);
> + if (!atomic_inc_not_zero(&n->refcnt))
> + return;
> if (unlikely(mod_timer(&n->timer, when))) {
> printk("NEIGH: BUG, double timer add, state is %x\n",
> n->nud_state);
This is a very ugly hack. Please find root cause.
The correct way to implement refcount on a timer is :
if (!mod_timer(&n->timer, when))
neigh_hold(&n->refcnt);
And current code seems to do that (It dumps a printk() and stack trace
otherwise)
Look at sk_reset_timer() for a good example.
Caller of this function must own a reference.
(Or the socket lock in case of sk_reset_timer())
If refcnt is 0 at this point, it means there is another bug, and we
should fix it instead of trying to work around it.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists