| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1335891892.22133.23.camel@edumazet-glaptop> Date: Tue, 01 May 2012 19:04:52 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Alexander Duyck <alexander.h.duyck@...el.com> Cc: Alexander Duyck <alexander.duyck@...il.com>, David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org>, Neal Cardwell <ncardwell@...gle.com>, Tom Herbert <therbert@...gle.com>, Jeff Kirsher <jeffrey.t.kirsher@...el.com>, Michael Chan <mchan@...adcom.com>, Matt Carlson <mcarlson@...adcom.com>, Herbert Xu <herbert@...dor.apana.org.au>, Ben Hutchings <bhutchings@...arflare.com>, Ilpo Järvinen <ilpo.jarvinen@...sinki.fi>, Maciej Żenczykowski <maze@...gle.com> Subject: Re: [PATCH 3/4 v2 net-next] net: make GRO aware of skb->head_frag On Tue, 2012-05-01 at 09:17 -0700, Alexander Duyck wrote: > On 04/30/2012 11:39 PM, Eric Dumazet wrote: > > On Mon, 2012-04-30 at 22:33 -0700, Alexander Duyck wrote: > > > >> The question I had was more specific to GRO. As long as we have > >> skb->users == 1 and the skb isn't cloned we should be fine. It just > >> hadn't occurred to me before that napi_gro_receive had the extra > >> requirement that the skb couldn't be cloned. > >> > > OK > > > > By the way, even if skb was cloned, we would be allowed to steal > > skb->head. > > > > When we clone an oskb we : > > > > 1) allocate a struct nskb sk_buff (or use the shadow in case of TCP) > > 2) increment dataref > The problem I have is with this piece right here. So you increment > dataref. Now you have an skb that is still pointing to the shared info > on this page and dataref is 2. What about the side that is stealing the > head? Is it going to be tracking the dataref as well and decrementing > it before put_page or does it just assume that dataref is 1 and call > put_page directly? I am guessing the latter since I didn't see anything > that allowed for tracking the dataref of stolen heads. The only changed thing is the kfree() replaced by put_page() This kfree() was done when last reference to dataref was released. If we had a problem before, we have same problem after my patch. Truth is : In TCP (coalesce and splice()) and GRO, we owns skbs. (See the various __kfree_skb(skb) calls in net/ipv4/tcp_input.c There is one exception in ipv6 / treq->pktopts ) but its for SYN packet and this wont be merged with a previous packet. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists