Date:	Mon, 9 Jan 2012 10:36:44 +0100
From:	Manfred Rudigier <manfred.rudigier@...cron.at>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	David Miller <davem@...emloft.net>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"afleming@...escale.com" <afleming@...escale.com>,
	"avorontsov@...sta.com" <avorontsov@...sta.com>
Subject: RE: [PATCH] gianfar: Fix invalid TX frames returned on error queue
 when time stamping.

From: Eric Dumazet [mailto:eric.dumazet@...il.com]
Sent: Monday, January 09, 2012 08:44

>On Monday, 9 January 2012 at 08:16 +0100, Manfred Rudigier wrote:
>> From: David Miller [mailto:davem@...emloft.net]
>> Sent: Thursday, January 05, 2012 19:27
>>
>> >From: Manfred Rudigier <manfred.rudigier@...cron.at>
>> >Date: Thu, 5 Jan 2012 15:50:21 +0100
>> >
>> >> +
>> >> +		/* Keep sock if we must return a time stamp on the err queue */
>> >> +		skb_new->sk = skb->sk;
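Review bot: the assignment `skb_new->sk = skb->sk;` copies the socket pointer without taking a reference on the socket or moving the destructor to skb_new, so nothing in these lines keeps the socket alive once the original skb is freed. Either hold a reference for as long as skb_new carries the pointer, or transfer ownership from skb to skb_new (pointer and destructor together) before the old skb is released, and say in the comment which of the two the code relies on.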
>> >
>> >When I see something like this without any kind of reference counting
>> >or similar, I am gravely concerned.
>>
>> The skb_tstamp_tx function called during gfar_clean_tx_ring requires
>> the skb->sk pointer to be set. Otherwise no time stamp can be queued
>> on the socket error queue.
>> What would be the correct way for doing this?
>
>I really wonder how your code was possibly working...

Well, it was working :-)

>A correct steal sequence maybe
>
>	skb_new->sk = skb->sk;
>	skb->sk = NULL;
>	kfree_skb(skb);
>
>Or else, kfree_skb() releases sk reference and eventually socket is freed
>before skb_tstamp_tx()

I have tried your suggested steal sequence, but it crashed. 
I see that there is also a destructor - when I use the skb_orphan function (which calls the destructor) like this it works:

	skb_new->sk = skb->sk;
	skb_orphan(skb);
	kfree_skb(skb);

Is this the correct solution?

Regards,
Manfred
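
Added example, not part of the original message and not gianfar or kernel code: a userspace C model of the three sequences in this thread, plus a hypothetical fourth (`MOVE_BOTH`) that moves the pointer and the destructor together. It reports what each leaves behind after the old skb is freed. Assumptions: a single counter `refs` stands in for the socket accounting, and the old skb carries a destructor (`model_wfree`, a made-up name) that dereferences `skb->sk`.

```c
#include <stdio.h>
/* Userspace model, not kernel code: one counter stands in for the socket
 * accounting that an skb destructor releases. */
struct sock { int refs; };
struct sk_buff {
    struct sock *sk;
    void (*destructor)(struct sk_buff *);
    int bad_free;   /* set where a real destructor would dereference NULL */
};
static void model_wfree(struct sk_buff *skb)    /* assumed destructor */
{
    if (!skb->sk) { skb->bad_free = 1; return; }
    skb->sk->refs--;
}
static void model_orphan(struct sk_buff *skb)   /* shape of skb_orphan() */
{
    if (skb->destructor) skb->destructor(skb);
    skb->destructor = NULL;
    skb->sk = NULL;
}
static void model_kfree(struct sk_buff *skb)    /* destructor step of kfree_skb() */
{
    if (skb->destructor) skb->destructor(skb);
}

enum seq { COPY_ONLY, NULL_THEN_FREE, ORPHAN_THEN_FREE, MOVE_BOTH };
struct result { int refs_left, new_owns, bad_free; };

static struct result run(enum seq s)
{
    struct sock sk = { 1 };                     /* held for the old skb */
    struct sk_buff skb = { &sk, model_wfree, 0 }, skb_new = { NULL, NULL, 0 };
    skb_new.sk = skb.sk;                        /* first step of every sequence */
    if (s == NULL_THEN_FREE) skb.sk = NULL;
    if (s == ORPHAN_THEN_FREE) model_orphan(&skb);
    if (s == MOVE_BOTH) {                       /* hypothetical: move pointer and destructor */
        skb_new.destructor = skb.destructor;
        skb.destructor = NULL;
        skb.sk = NULL;
    }
    model_kfree(&skb);
    return (struct result){ sk.refs, skb_new.destructor != NULL, skb.bad_free };
}
int main(void)
{
    for (int s = COPY_ONLY; s <= MOVE_BOTH; s++)
        printf("seq %d: refs=%d bad_free=%d\n", s, run(s).refs_left, run(s).bad_free);
    return 0;
}
```

In this model, `refs_left == 0` with `new_owns == 0` means `skb_new->sk` points at a socket that nothing accounts for any more, and `bad_free == 1` marks the destructor running with `skb->sk` already cleared.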
