| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1336671977.14220.26.camel@zakaz.uk.xensource.com>
Date: Thu, 10 May 2012 18:46:17 +0100
From: Ian Campbell <Ian.Campbell@...rix.com>
To: "Michael S. Tsirkin" <mst@...hat.com>
CC: David Miller <davem@...emloft.net>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"eric.dumazet@...il.com" <eric.dumazet@...il.com>
Subject: Re: [PATCH RFC 1/6] skbuff: support per-page destructors in
copy_ubufs
On Mon, 2012-05-07 at 14:54 +0100, Michael S. Tsirkin wrote:
> /* skb frags point to kernel buffers */
> for (i = skb_shinfo(skb)->nr_frags; i > 0; i--) {
> + skb_frag_t *f = &skb_shinfo(skb)->frags[i];
This needs to be ....->frags[i - 1]
otherwise you put every new frag one too high and don't do anything to
frag 0, which leaves the old destructor pointer in place and leads to a
double free.
I think skb_frag_set_destructor and skb_copy_frag_destructor need to
clear and propagate respectively (or maybe just clear in both cases) the
destructor_arg field since it is otherwise not initialised when we set
SKBTX_DEV_ZEROCOPY and that can trigger wrong behaviour in this
function.
Ian.
> + if (unlikely((!uarg && !f->page.destructor)))
> + continue;
> __skb_fill_page_desc(skb, i-1, head, 0,
> skb_shinfo(skb)->frags[i - 1].size);
> head = (struct page *)head->private;
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists