| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1323901690.2631.15.camel@edumazet-laptop>
Date: Wed, 14 Dec 2011 23:28:10 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net-next] inet: remove rcu protection on tw_net
Le mercredi 14 décembre 2011 à 12:17 -0800, Eric W. Biederman a écrit :
> Eric Dumazet <eric.dumazet@...il.com> writes:
>
> > commit b099ce2602d806 (net: Batch inet_twsk_purge) added rcu protection
> > on tw_net for no obvious reason.
>
> From that commit I see:
>
> sk_nulls_for_each_rcu(sk, node, &head->twchain) {
> tw = inet_twsk(sk);
> - if (!net_eq(twsk_net(tw), net) ||
> - tw->tw_family != family)
> + if ((tw->tw_family != family) ||
> + atomic_read(&twsk_net(tw)->count))
>
> That atomic_read is a new dereference of twsk_net in an only rcu
> protected section. That seems like an obvious reason to me.
>
Absolutely not.
As I said twsk_net() cannot change in a tw lifetime.
(If it could, this code would be bogus anyway, you should use :
net = twsk_net(tw);
if (tw->tw_family != family || !net || atomic_read(&net->count))
...
> > struct net are refcounted anyway since timewait sockets escape from rcu
> > protected sections. tw_net stay valid for the whole timwait lifetime.
>
> What? twsk_net_set does not bump the struct net ref count.
>
The commit I mentioned did not change anything in this respect.
> There is that stupid hold_net/release_net over designed debugging
> thinko that makes it look like we have a refcount. We should probably
> just kill that thing. But a time wait socket unlike a normal socket
> does not keep a network namespace alive. Which is why we have to purge
> pending timewait sockets when a network namespace exits.
>
Since you do a cleanup _before_ removing "struct net", you have absolute
guarantee tw_net is stable, you dont need rcu_dereference() (and implied
smb_rmb()) at all.
Why pay the price twice, once in the super heavy inet_twsk_purge()
function, once in every twsk_net() calls ?
[ By the way, rcu_dereference_raw() dubious use is another sign we dont
really know what RCU invariant is respected when calling twsk_net(tw) ]
> > This also removes a lot of sparse errors.
>
> What is sparse saying that we are doing wrong?
>
CONFIG_SPARSE_RCU_POINTER=y
make C=2 net/ipv4/inet_timewait_sock.o
CHECK net/ipv4/inet_timewait_sock.c
include/net/inet_timewait_sock.h:222:16: error: incompatible types in
comparison expression (different address spaces)
[ repeat NN times ]
comparison expression (different address spaces)
include/net/inet_timewait_sock.h:222:16: error: incompatible types in
comparison expression (different address spaces)
include/net/inet_timewait_sock.h:222:16: error: incompatible types in
comparison expression (different address spaces)
include/net/inet_timewait_sock.h:222:16: error: incompatible types in
comparison expression (different address spaces)
include/net/inet_timewait_sock.h:222:16: error: too many errors
> There may be constraints that are strong enough that we can get away
> this but I am at least a little dubious.
>
Thanks for reviewing and comments !
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists