lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:	Wed, 14 May 2008 12:15:02 +0100
From:	James Chapman <jchapman@...alix.com>
To:	David Miller <davem@...emloft.net>
CC:	netdev@...r.kernel.org
Subject: Re: L2TP: skb truesize bug in recent kernels

David Miller wrote:
> From: James Chapman <jchapman@...alix.com>
> Date: Wed, 14 May 2008 11:07:16 +0100
> 
>> The pppol2tp driver uses skb_cow_head() to make headroom for IP, UDP, 
>> L2TP and PPP headers. As GRE is being used, it is more likely that there 
>> will be insufficient headroom. Does the pppol2tp driver need to adjust 
>> truesize if pskb_expand_head() is called?
>>
>> I tried the following hack which stopped the skb truesize bug but caused 
>> a kernel assert when the socket was closed:
>>
>> KERN: assertion (!atomic_read(&sk->sk_wmem_alloc)) failed at 
>> net/ipv4/af_inet.c (155)
> 
> You can't adjust the truesize when there is a socket associated
> with the SKB.
> 
> We just had a weeklong thread on this list about these issues
> wrt. the wireless stack :-)

Yeah, I saw that thread but thought it was a different problem. :)

> skb->truesize records how much memory was charged to the assosicated
> socket, so when the socket is freed, the destructor goes
> 
> 	atomic_dec(&sk->sk_{r,w}mem_alloc, skb->truesize);
> 
> so if you increase truesize, the counter will be decremented
> more than it was initially incremented.
> 
> You cannot change the size of the packet substantially when there is a
> socket associated with it, because this makes the truesize inaccurate,
> and thus provides a vector for a user's socket to use up more memory
> than we were originally going to let it use based upon it's send and
> receive buffer limits.

I see. Thanks for the explanation. Presumably kernels 2.6.24.4 and 
earlier aren't checking truesize for UDP sockets.

I'll change pppol2tp to allow some slack in its sock_wmalloc() call.


-- 
James Chapman
Katalix Systems Ltd
http://www.katalix.com
Catalysts for your Embedded Linux software development

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists