lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20090529141830.8ba30a24.usui@mxm.nes.nec.co.jp>
Date:	Fri, 29 May 2009 14:18:30 +0900
From:	Minoru Usui <usui@....nes.nec.co.jp>
To:	netdev@...r.kernel.org
Cc:	containers@...ts.linux-foundation.org
Subject: Re: [BUG] net_cls: Panic occured when net_cls subsystem use

Hi, 

On Thu, 21 May 2009 09:22:56 +0900
Minoru Usui <usui@....nes.nec.co.jp> wrote:

> Hi
> 
> Unfortunately this is only panic report.
> 
> I used cgroup net_cls subsystem, then kernel panic occured.
> I attach panic message and kernel config in this mail's last paragraph.
> If my operation is wrong, could you tell me how to use net_cls and
> where the documentation is. 
> 
> # But I think panic is very bad even if my operation is wrong.

I investigated this problem, and I found a bug in tc_ctl_tfilter() in net/sched/cls_api.c.

When 'tc filter add' command is executed and proto-tcf does not exist, 
tcf_ctl_tfilter() allocates, initializes and chanins proto-tcf(tp) to
cops->tcf_chain()'s chain before calling tp->ops->change().

If tp->ops->change() returns an error, tcf_ctl_tfilter() returns an error
too, but proto-tcf(tp) is not unchained yet. 

I think tcf_ctl_tfilter() shouldn't chain proto-tcf to the chain before it returns
an error.

Signed-off-by: Minoru Usui <usui@....nes.nec.co.jp>

diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 0759f32..756148b 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -266,11 +266,6 @@ replay:
 			goto errout;
 		}
 
-		spin_lock_bh(root_lock);
-		tp->next = *back;
-		*back = tp;
-		spin_unlock_bh(root_lock);
-
 	} else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind))
 		goto errout;
 
@@ -314,8 +309,17 @@ replay:
 	}
 
 	err = tp->ops->change(tp, cl, t->tcm_handle, tca, &fh);
-	if (err == 0)
-		tfilter_notify(skb, n, tp, fh, RTM_NEWTFILTER);
+	if (err) {
+		tcf_destroy(tp);
+		goto errout;
+	}
+
+	spin_lock_bh(root_lock);
+	tp->next = *back;
+	*back = tp;
+	spin_unlock_bh(root_lock);
+
+	tfilter_notify(skb, n, tp, fh, RTM_NEWTFILTER);
 
 errout:
 	if (cl)

-- 
Minoru Usui <usui@....nes.nec.co.jp>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ