Message-ID: <4C1F2D39.9050804@extricom.com>
Date: Mon, 21 Jun 2010 12:13:29 +0300
From: Eran Liberty <liberty@...ricom.com>
To: David Miller <davem@...emloft.net>
CC: galak@...nel.crashing.org, netdev@...r.kernel.org
Subject: Re: [PATCH] gainfar.c : skb_over_panic

David Miller wrote:
> From: Eran Liberty <liberty@...ricom.com> > Date: Thu, 17 Jun 2010 19:32:54 +0300 > > >> I have demonstrated skb_over_panic with linux 2.6.32.15 on a mpc8548 >> based product. >> > > A fix for a similar bug was necessary for the ucc_geth driver, > see below. > > The real problem is that skb->data assignment, the rest of the > SKB state has to be reset, and not doing that is what results in > the skb_over_panic calls. > > >From db176edc89abbf22e6db6853f8581f9475fe8ec1 Mon Sep 17 00:00:00 2001 > From: Sergey Matyukevich <geomatsi@...il.com> > Date: Mon, 14 Jun 2010 06:35:20 +0000 > Subject: [PATCH] ucc_geth: fix for RX skb buffers recycling > > This patch implements a proper modification of RX skb buffers before > recycling. Adjusting only skb->data is not enough because after that > skb->tail and skb->len become incorrect. > > Signed-off-by: Sergey Matyukevich <geomatsi@...il.com> > Signed-off-by: David S. Miller <davem@...emloft.net> > --- > drivers/net/ucc_geth.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/drivers/net/ucc_geth.c b/drivers/net/ucc_geth.c > index 4a34833..807470e 100644 > --- a/drivers/net/ucc_geth.c > +++ b/drivers/net/ucc_geth.c 
> @@ -3215,6 +3215,8 @@ static int ucc_geth_rx(struct ucc_geth_private *ugeth, u8 rxQ, int rx_work_limit > __func__, __LINE__, (u32) skb); > if (skb) { > skb->data = skb->head + NET_SKB_PAD; > + skb->len = 0; > + skb_reset_tail_pointer(skb); > __skb_queue_head(&ugeth->rx_recycle, skb); > } >

David,

I have compared the suggested patch with what the function skb_recycle_check() does. Both the patch and skb_recycle_check() have skb_reset_tail_pointer(). While the patch zeroes only skb->len, skb_recycle_check() clears the whole skb (up to tail). On top of that, skb_recycle_check() performs a whole set of other checks and cleanups.

The question is, which action is MORE correct: the pin-point action of the patch suggested or the broader checks of the skb_recycle_check() function?

-- Liberty
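
Review bot: In the `if (skb)` recycle branch of ucc_geth_rx(), the reset is open-coded as three separate statements (`skb->data = skb->head + NET_SKB_PAD;`, `skb->len = 0;`, `skb_reset_tail_pointer(skb);`) with no comment saying which skb state is assumed to be already clean when the buffer reaches `__skb_queue_head(&ugeth->rx_recycle, skb)`. The commit message says that adjusting only skb->data leaves skb->tail and skb->len incorrect; a one-line comment above the branch stating that data, len and tail must be reset together would keep a later edit from dropping one of them. The commit message should also say why the broader cleanup done by skb_recycle_check(), which the reply in this thread raises, is not needed on this path, or the branch should call that helper instead of resetting fields by hand.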