lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100906195330.GA30715@redhat.com> Date: Mon, 6 Sep 2010 22:53:30 +0300 From: "Michael S. Tsirkin" <mst@...hat.com> To: Eric Dumazet <eric.dumazet@...il.com> Cc: Changli Gao <xiaosuo@...il.com>, "David S. Miller" <davem@...emloft.net>, Linux Netdev List <netdev@...r.kernel.org> Subject: Re: net: af_packet: skb_orphan should be avoided in TX path. On Mon, Sep 06, 2010 at 05:44:27PM +0200, Eric Dumazet wrote: > Le lundi 06 septembre 2010 à 13:35 +0300, Michael S. Tsirkin a écrit : > > > I think there are bigger issues here. As was pointed out, drivers might > > orphan skbs before they transmit them. > > And at least for tun, the reason is that we might hang on > > to skbs indefinitely because userspace is not reading them. > > > > So in that case, if you just prevent tun from orphaning skbs, the socket > > will be prevented from sending any more packets out even if they are for > > a completely unrelated destinations, right? > > Further, module can't get unloaded and I think socket can not get > > closed, so user can't kill the task which has the socket? > > > > And thinking about this, I think I see > > another issue related to the use of the destructor callback: > > > > static void tpacket_destruct_skb(struct sk_buff *skb) > > { > > struct packet_sock *po = pkt_sk(skb->sk); > > void *ph; > > > > BUG_ON(skb == NULL); > > > > if (likely(po->tx_ring.pg_vec)) { > > ph = skb_shinfo(skb)->destructor_arg; > > BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING); > > BUG_ON(atomic_read(&po->tx_ring.pending) == 0); > > atomic_dec(&po->tx_ring.pending); > > __packet_set_status(po, ph, TP_STATUS_AVAILABLE); > > } > > > > sock_wfree(skb); > > > > <----- > > at this point we still have to execute instructions > > in this function to return from it. However > > socket and thus module reference count > > got already dropped to 0, so I think module could get unloaded > > and these instructions could get overwritten. > > > > } > > > > I conclude that destructor callback should never point to a function residing > > in a module, always to a function that is guaranteed to be builtin, this > > function must be the one that drops the last module reference. > > It would be a surprise to use tx mmap (presumably to get high > performance), and a modular af_unix ;) Hmm, this seems to be what distros ship. If it's illegal, we should disable this in Kconfig? > > > > Comments? > > The whole thing (packet / tx mmap) is broken, if you ask me. > > skb_orphan() is not about protecting data, but doing per socket memory > accounting. Right. > We have to skb_orphan() while data is still in use by skb, not only in > drivers but in core network stack. (loopback case for example, no need > to think about TUN being special ;) ) > > So I believe using mmap and tx on af_unix is racy in its current design. > > We probably can remove some skb_orphan() calls (now its done in core > network, no real need to make it from some drivers), but not have a > complete solution to the problem Changli raised, without adding yet > another field into skb_shared_info... Whouldn't that just make the problem harder to debug? -- MST -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists