| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4DE12A55.2010606@candelatech.com> Date: Sat, 28 May 2011 10:01:09 -0700 From: Ben Greear <greearb@...delatech.com> To: Eric Dumazet <eric.dumazet@...il.com> CC: David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [PATCH 1/2 v2] af-packet: Use existing netdev reference for bound sockets. On 05/27/2011 11:20 PM, Eric Dumazet wrote: > Le vendredi 27 mai 2011 à 13:18 -0700, Ben Greear a écrit : >> On 05/27/2011 01:15 PM, David Miller wrote: >>> From: Eric Dumazet<eric.dumazet@...il.com> >>> Date: Fri, 27 May 2011 22:08:41 +0200 >>> >>>> Le jeudi 26 mai 2011 à 21:11 -0700, Ben Greear a écrit : >>>>> On 05/26/2011 08:42 PM, Eric Dumazet wrote: >>>>>> Le jeudi 26 mai 2011 à 16:55 -0700, greearb@...delatech.com a écrit : >>>>> >>>>>>> out_free: >>>>>>> kfree_skb(skb); >>>>>>> out_unlock: >>>>>>> - if (dev) >>>>>>> + if (dev&& need_rls_dev) >>>>>>> dev_put(dev); >>>>>>> out: >>>>>>> return err; >>>>>> >>>>>> Hmmm, I wonder why you want this Ben. >>>>>> >>>>>> IMHO this is buggy, because we can sleep in this function. >>>>>> >>>>>> We must take a ref on device (its really cheap these days, now we have a >>>>>> percpu device refcnt) >>>>> >>>>> Why must you take the reference? And if we must, why isn't the >>>>> current code that assigns the prot_hook.dev without taking a >>>>> reference OK? >>>>> >>>> >>>> If we sleep, device can disappear under us. >>>> >>>> The only way to not take a reference is to hold rcu_read_lock(), but >>>> you're not allowed to sleep under rcu_read_lock(). >>> >>> You still have not addresses Ben's point. >>> >>> Why is it ok for the po->prot_hook.dev handling to not take a >>> reference? It's been doing this forever. Ben is just borrowing this >>> behavior for his uses. >>> >>> After some more research I think it happens to be OK because >>> ->prot_hook.dev is used _only_ for pointer comparisons, it is never >>> actually dereferenced or used in any other way. Probably, we should >>> just use ->ifindex for this. >> >> It's easy enough to add a dev_hold() when I assign the skb instead >> of looking it up in my patch, but perhaps it would be cleaner over all to >> just hold a ref on the prot_hook.dev when it is originally assigned? > > > Problem is : if packet_notifier(NETDEV_DOWN|UNREGISTER) is run while we > sleep, what happens then ? > > Normally, if we sleep a long time in tpacket_snd() after device ref > increment, and before dev_queue_xmit(), the unregister process can enter > the infamous msleep(250) loop in netdev_wait_allrefs(), but at least we > dont crash. > > But if you dont take the reference, we can crash in dev_queue_xmit() > when dereferencing the freed netdev structure. > > Please check commit 1a35ca80c1db7 (packet: dont call sleeping functions > while holding rcu_read_lock()) for reference on possible problems. I'll create a new patch to hold ref on the prot_hook.dev when it's assigned, and then layer the 'existing netdev reference' patch on top of that. Might be a day or two... Thanks, Ben > > Thanks ! > > > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- Ben Greear <greearb@...delatech.com> Candela Technologies Inc http://www.candelatech.com -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists