| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1318012932.3974.7.camel@jlt3.sipsolutions.net> Date: Fri, 07 Oct 2011 20:42:12 +0200 From: Johannes Berg <johannes@...solutions.net> To: David Miller <davem@...emloft.net> Cc: netdev@...r.kernel.org, richardcochran@...il.com Subject: Re: [RFC] net: remove erroneous sk null assignment in timestamping On Fri, 2011-10-07 at 19:40 +0200, Johannes Berg wrote: > > It looks like skb_clone_tx_timestamp() sets clone->sk without any > > proper refcounting, so I bet this NULL'ing it out is working > > around that bug. > > You're right. But this bug can actually trigger another way: The only > user of this is dp83640_txtstamp() which might do kfree_skb() on this > skb, in which case that'll likely crash trying to clean up the sk. Maybe that's how you can trigger it: have one thread turn on and off timestamping all the time, and another thread send frames all the time, then eventually you'll probably run into the kfree_skb() case there. If you ever manage to run into that case, it'll crash either when freeing this skb or when freeing the original. Anyway, it's broken. I'll stop thinking about it. You (Richard) should fix it quickly though otherwise I think we should revert/delete this code. johannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists