[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <514A9576.4060902@lab.ntt.co.jp>
Date: Thu, 21 Mar 2013 14:07:02 +0900
From: Fernando Luis Vazquez Cao <fernando_b1@....ntt.co.jp>
To: Pablo Neira Ayuso <pablo@...filter.org>
CC: Michael Kerrisk <mtk.manpages@...il.com>,
linux-man@...r.kernel.org, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org, Patrick McHardy <kaber@...sh.net>,
Hirotaka Sasaki <sasaki.hirotaka@....ntt.co.jp>
Subject: Re: [PATCH 2/2] man/send(2): document a long standing bug that can
cause spurious EPERM errors
On 2013/03/19 19:12, Pablo Neira Ayuso wrote:
> On Tue, Mar 19, 2013 at 03:52:40PM +0900, Fernando Luis Vázquez Cao wrote:
>> Subject: [PATCH 2/2] man/send(2): document a long standing bug that can cause spurious EPERM errors
>>
>> This bug has been known since early 2009 (the latest) and discussed in
>> netdev before:
>>
>> http://marc.info/?l=linux-netdev&w=2&r=1&s=Possible+race+condition+in+conntracking+&q=b
>>
>> It seems that a proper fix would be non trivial, so document the bug
>> in the meantime.
>>
>> Reported-by: Hirotaka Sasaki <sasaki.hirotaka@....ntt.co.jp>
>> Signed-off-by: Fernando Luis Vazquez Cao <fernando@....ntt.co.jp>
>> ---
>>
>> diff -urNp man-pages-3.50-orig/man2/send.2 man-pages-3.50/man2/send.2
>> --- man-pages-3.50-orig/man2/send.2 2013-03-19 15:18:03.784306647 +0900
>> +++ man-pages-3.50/man2/send.2 2013-03-19 15:30:40.788060426 +0900
>> @@ -420,6 +420,11 @@ Linux may return
>> .B EPIPE
>> instead of
>> .BR ENOTCONN .
>> +
>> +Linux may return spurious
>> +.B EPERM
>> +errors when netfilter's conntrack module is loaded and two or more
>> +UDP packets belonging to the same connection are processed in parallel.
> The Connection tracking system may drop packets for different reasons
> under rare circunstances, not only in this case.
> I'd prefer if you only apply patch 1/2.
I'd agree with you if we *silently* dropped packets in such
situations, but unfortunately that's not the case.
The problem is that sometimes we end up returning spurious EPERM
errors to user space. Applications may (and many actually do)
interpret EPERM as "an attempt was made to perform an operation
limited to processes with appropriate privileges or to the owner of a
file or other resource" and just bail out after seeing the first
EPERM; after all, if its cause is system policy-related there is no
point in retrying. Spurious EPERM errors would break such (perfectly
compliant) applications, so the least we can do is document them
properly.
Thanks,
Fernando
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists