lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 30 Mar 2021 04:25:12 +0530
From:   Kumar Kartikeya Dwivedi <memxor@...il.com>
To:     Vlad Buslov <vladbu@...dia.com>
Cc:     netdev@...r.kernel.org, Vlad Buslov <vladbu@...lanox.com>,
        Toke Høiland-Jørgensen <toke@...hat.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Jiri Pirko <jiri@...nulli.us>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] net: sched: extend lifetime of new action in replace
 mode

On Mon, Mar 29, 2021 at 02:35:12PM IST, Vlad Buslov wrote:
> it seems that there are two ways actions are overwritten/deleted:
>
> 1. Directly through action API, which is still serialized by rtnl lock.
>
> 2. Classifier API, which doesn't use rtnl lock anymore and can execute
> concurrently.
>
> Actions created by path 2 also have their bind count incremented which
> prevents them from being deleted by path 1 and cls API can only deleted
> them together with classifier that points to them.
>
> [...]
> So, what happens here is actions were 'deleted' concurrently (their
> tcfa_refcnt decremented by 1)? tcf_action_put_many() will decrement
> refcnt again, it will reach 0, actions get actually deleted and
> tcf_exts_validate() returns with non-error code, but exts->actions
> pointing to freed memory? Doesn't look like the patches fixes the
> described issue, unless I'm missing something.
>

Thanks for the review and comments.

You are absolutely right. This patch was totally broken. Your feedback however
was quite helpful in understanding the code. I sent a v2, please lmk if it's
correct (also with a hopefully thorough description of the problem & solution).

--
Kartikeya

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ