lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210222185141.oma64d4uq64pys45@pengutronix.de>
Date:   Mon, 22 Feb 2021 19:51:41 +0100
From:   Marc Kleine-Budde <mkl@...gutronix.de>
To:     Johannes Berg <johannes@...solutions.net>
Cc:     Oleksij Rempel <o.rempel@...gutronix.de>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Oliver Hartkopp <socketcan@...tkopp.net>,
        Robin van der Gracht <robin@...tonic.nl>,
        kernel@...gutronix.de, linux-can@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        Eric Dumazet <edumazet@...gle.com>,
        linux-wireless@...r.kernel.org
Subject: Re: [PATCH net v1 3/3] [RFC] mac80211: ieee80211_store_ack_skb():
 make use of skb_clone_sk_optional()

On 22.02.2021 17:30:59, Johannes Berg wrote:
> On Mon, 2021-02-22 at 16:12 +0100, Oleksij Rempel wrote:
> > This code is trying to clone the skb with optional skb->sk. But this
> > will fail to clone the skb if socket was closed just after the skb was
> > pushed into the networking stack.
> 
> Which IMHO is completely fine. If we then still clone the SKB we can't
> do anything with it, since the point would be to ... send it back to the
> socket, but it's gone.

Ok, but why is the skb cloned if there is no socket linked in skb->sk?

| static u16 ieee80211_store_ack_skb(struct ieee80211_local *local,
| 				   struct sk_buff *skb,
| 				   u32 *info_flags,
| 				   u64 *cookie)
| {
| 	struct sk_buff *ack_skb;
| 	u16 info_id = 0;
| 
| 	if (skb->sk)
| 		ack_skb = skb_clone_sk(skb);
| 	else
| 		ack_skb = skb_clone(skb, GFP_ATOMIC);

Looks like this is dead code, since both callers of
ieee80211_store_ack_skb() first check if there is a skb->sk

| 	if (unlikely(!multicast && ((skb->sk &&
| 		     skb_shinfo(skb)->tx_flags & SKBTX_WIFI_STATUS) ||
| 		     ctrl_flags & IEEE80211_TX_CTL_REQ_TX_STATUS)))
| 		info_id = ieee80211_store_ack_skb(local, skb, &info_flags,
| 						  cookie);

> Nothing to fix here, I'd think. If you wanted to get a copy back that
> gives you the status of the SKB, it should not come as a huge surprise
> that you have to keep the socket open for that :)
> 
> Having the ACK skb will just make us do more work by handing it back
> to skb_complete_wifi_ack() at TX status time, which is supposed to put
> it into the socket's error queue, but if the socket is closed ... no
> point in that.

We haven't looked at the callers of ieee80211_store_ack_skb().

Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ