lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 28 May 2008 16:59:45 +0600
From:	"Dmitry Petukhov" <dmgenp@...il.com>
To:	"Wei Yongjun" <yjwei@...fujitsu.com>
Cc:	davem@...emloft.net, netdev@...r.kernel.org,
	acme@...stprotocols.net
Subject: Re: [PATCH 2.6.26-rc4] fix double call of kfree_skb in net/llc/llc_sap.c

2008/5/27 Dmitry Petukhov <dmgenp@...il.com>:
> 2008/5/27 Wei Yongjun <yjwei@...fujitsu.com>:
>
>> Normally,
>>
>> skb_get()         (**return )
>> kfree_skb()
>>
>> will do nothing. If you return with no kfree_skb(), it will let that skb can
>> not be free.
>>
>> skb_get()
>> kfree_skb()
>> kfree_skb()
>>
>> do the real free.
>
> Yeah, you're right. Looks like we mislocated the root of our problem
> (llc socket hangs on receive). Will debug further .
> Thanks for explanation.
>

Looks like we found the real root of our problem.
file net/llc/llc_sap.c:

skb_set_owner_r is called before llc_sap_rcv in two places (lines 363, 384)
skb_set_owner_r do this:
atomic_add(skb->truesize, &sk->sk_rmem_alloc);

and in llc_sap_state_process, on line 223 sock_queue_rcv_skb is
called, which also calls set_owner_r,
which in turn adds skb->truesize to sk->sk_rmem_alloc once more.
This double-addition results in sk_mem_alloc growth to exceed sk_rcvbuf.
We can observe this in  /proc/net/llc/socket, rx_queue field.
after this value exceeds sk_rcvbuf, sock_queue_rcv_skb always return
-ENOMEM, and
socket stops receiving.

//note: please CC me on reply, i'm not subscribed to the list.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists