lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20080528201633.GK30251@ghostprotocols.net>
Date:	Wed, 28 May 2008 17:16:33 -0300
From:	Arnaldo Carvalho de Melo <acme@...hat.com>
To:	Dmitry Petukhov <dmgenp@...il.com>
Cc:	Wei Yongjun <yjwei@...fujitsu.com>, davem@...emloft.net,
	netdev@...r.kernel.org
Subject: Re: [PATCH 2.6.26-rc4] fix double call of kfree_skb in
	net/llc/llc_sap.c

Em Wed, May 28, 2008 at 04:59:45PM +0600, Dmitry Petukhov escreveu:
> 2008/5/27 Dmitry Petukhov <dmgenp@...il.com>:
> > 2008/5/27 Wei Yongjun <yjwei@...fujitsu.com>:
> >
> >> Normally,
> >>
> >> skb_get()         (**return )
> >> kfree_skb()
> >>
> >> will do nothing. If you return with no kfree_skb(), it will let that skb can
> >> not be free.
> >>
> >> skb_get()
> >> kfree_skb()
> >> kfree_skb()
> >>
> >> do the real free.
> >
> > Yeah, you're right. Looks like we mislocated the root of our problem
> > (llc socket hangs on receive). Will debug further .
> > Thanks for explanation.
> >
> 
> Looks like we found the real root of our problem.
> file net/llc/llc_sap.c:
> 
> skb_set_owner_r is called before llc_sap_rcv in two places (lines 363, 384)
> skb_set_owner_r do this:
> atomic_add(skb->truesize, &sk->sk_rmem_alloc);
> 
> and in llc_sap_state_process, on line 223 sock_queue_rcv_skb is
> called, which also calls set_owner_r,
> which in turn adds skb->truesize to sk->sk_rmem_alloc once more.
> This double-addition results in sk_mem_alloc growth to exceed sk_rcvbuf.
> We can observe this in  /proc/net/llc/socket, rx_queue field.
> after this value exceeds sk_rcvbuf, sock_queue_rcv_skb always return
> -ENOMEM, and
> socket stops receiving.
> 
> //note: please CC me on reply, i'm not subscribed to the list.

Good catch, that code needs some revisiting after all these years...
Anyway, can you please try this patch and report results? Compile tested
only:

diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
index e2ddde7..008de1f 100644
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -286,12 +286,14 @@ void llc_build_and_send_xid_pkt(struct llc_sap *sap, struct sk_buff *skb,
  *
  *	Sends received pdus to the sap state machine.
  */
-static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb)
+static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
+			struct sock *sk)
 {
 	struct llc_sap_state_ev *ev = llc_sap_ev(skb);
 
 	ev->type   = LLC_SAP_EV_TYPE_PDU;
 	ev->reason = 0;
+	skb->sk = sk;
 	llc_sap_state_process(sap, skb);
 }
 
@@ -360,8 +362,7 @@ static void llc_sap_mcast(struct llc_sap *sap,
 			break;
 
 		sock_hold(sk);
-		skb_set_owner_r(skb1, sk);
-		llc_sap_rcv(sap, skb1);
+		llc_sap_rcv(sap, skb1, sk);
 		sock_put(sk);
 	}
 	read_unlock_bh(&sap->sk_list.lock);
@@ -381,8 +382,7 @@ void llc_sap_handler(struct llc_sap *sap, struct sk_buff *skb)
 	} else {
 		struct sock *sk = llc_lookup_dgram(sap, &laddr);
 		if (sk) {
-			skb_set_owner_r(skb, sk);
-			llc_sap_rcv(sap, skb);
+			llc_sap_rcv(sap, skb, sk);
 			sock_put(sk);
 		} else
 			kfree_skb(skb);


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ