| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100907091614.GA8245@ff.dom.local>
Date: Tue, 7 Sep 2010 09:16:14 +0000
From: Jarek Poplawski <jarkao2@...il.com>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next-2.6] net: pskb_expand_head() optimization
On 2010-09-07 07:02, Eric Dumazet wrote:
> Le lundi 06 septembre 2010 Ă 19:20 -0700, David Miller a ĂŠcrit :
>
>> Eric, this goes on top of your patch and demonstrates the idea.
>>
>> Please review if you have a chance:
>>
>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>> index 2d1bc76..aeb56af 100644
>> --- a/net/core/skbuff.c
>> +++ b/net/core/skbuff.c
>> @@ -327,6 +327,32 @@ static void skb_clone_fraglist(struct sk_buff *skb)
>> skb_get(list);
>> }
>>
>> +static struct sk_buff *skb_copy_fraglist(struct sk_buff *parent,
>> + gfp_t gfp_mask)
>> +{
>> + struct sk_buff *first_skb = NULL;
>> + struct sk_buff *prev_skb = NULL;
>> + struct sk_buff *skb;
>> +
>> + skb_walk_frags(parent, skb) {
>> + struct sk_buff *nskb = pskb_copy(skb, gfp_mask);
>> +
>> + if (!nskb)
>> + goto fail;
>> + if (!first_skb)
>> + first_skb = skb;
>> + else
>> + prev_skb->next = skb;
>> + prev_skb = skb;
>> + }
>> +
>> + return first_skb;
>> +
>> +fail:
>> + skb_drop_list(&first_skb);
>> + return NULL;
>> +}
>> +
>> static void skb_release_data(struct sk_buff *skb)
>> {
>> if (!skb->cloned ||
>> @@ -812,17 +838,22 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
>> fastpath = atomic_read(&skb_shinfo(skb)->dataref) == delta;
>> }
>>
>> - if (fastpath) {
>> - kfree(skb->head);
>> - } else {
>> + if (!fastpath) {
>> + if (skb_has_frag_list(skb)) {
>> + struct sk_buff *new_list;
>> +
>> + new_list = skb_copy_fraglist(skb, gfp_mask);
>> + if (!new_list)
>> + goto free_data;
>> + skb_shinfo(skb)->frag_list = new_list;
>
> Here, skb_shinfo(skb) still points to old shinfo, you should not touch
> it. An other user might need it :)
Even if there were no users this is written to the area freed with
kfree(skb->head) a few lines later, isn't it?
>
>> + }
>> for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
>> get_page(skb_shinfo(skb)->frags[i].page);
>>
>> - if (skb_has_frag_list(skb))
>> - skb_clone_fraglist(skb);
>> -
>> - skb_release_data(skb);
>> }
>
> I believe you cannot remove skb_release_data() call, we really need to
> perform the atomic operation, and test the result on it, or a double
> free could happen.
>
>> +
>> + kfree(skb->head);
>> +
>> off = (data + nhead) - skb->head;
>>
>> skb->head = data;
>> @@ -848,6 +879,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
>> atomic_set(&skb_shinfo(skb)->dataref, 1);
>> return 0;
>>
>> +free_data:
>> + kfree(data);
>
> is it a leftover ?
>
>> nodata:
>> return -ENOMEM;
>> }
>
> I understand what you want to do, but problem is we need to perform a
> CAS2 operation : atomically changes two values (dataref and frag_list)
Alas I can't understand why do you think these clone and atomic tests
in skb_release_data() don't protect skb_shinfo(skb)->frag_list enough.
Jarek P.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists