lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0910191745050.20086@sleet.zeugmasystems.local> Date: Mon, 19 Oct 2009 17:56:07 -0700 (PDT) From: Anirban Sinha <asinha@...gmasystems.com> To: Oleg Nesterov <oleg@...hat.com> cc: Anirban Sinha <ani@...rban.org>, linux-kernel@...r.kernel.org, David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: Kernel oops when clearing bgp neighbor info with TCP MD5SUM enabled > I'd suppose that this unbalance comes from inet_twdr_hangman() pathes. > > Could you verify this? Yes, I have now verified this. There is indeed an issue with one of the functions called by inet_twdr_hangman(). The call sequence is: inet_twdr_hangman() -> inet_twdr_do_twkill_work() -> inet_twsk_put() -> twsk_destructor(). In this case, the destructor callback is tcp_twsk_destructor() (installed from line 1208 in net/ipv4/tcp_ipv4.c and line 906 in net/ipv6/tcp_ipv6.c) . Without the TCP_MD5SUM compiled in, the function is a no-op. However, with the MD5SUM compiled in, it calls tcp_put_md5_sig_pool() (when keylen is non zero) which does an unbalanced put_cpu(). I did a grep across the entire tree. tcp_put_md5_sig_pool() is a matching function for tcp_get_md5_sig_pool() and in all other TCP IPV4 cases, it is called from net/ipv4/tcp_ipv4.c from functions tcp_v4_md5_hash_hdr() and -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists